Chinese Threat Actor Targets Uyghurs With New iOS Exploit

A Chinese threat actor tracked as Evil Eye has updated the tools it uses to target Uyghurs, a minority Turkic ethnic group in the Xinjiang Uyghur Autonomous Region in Northwest China, incident response and threat intelligence firm Volexity reports.

Evil Eye, which was previously associated with activity linked to the adversary referred to as POISON CARP, was in the past observed leveraging exploits aimed at Android and iOS devices, but went silent after its operations were publicly detailed last year.

Starting January 2020, however, the threat actor resumed operations, with signs of activity identified “across multiple previously compromised Uyghur websites.”

As part of the new attacks, Evil Eye launched an exploit chain using the open source framework IRONSQUIRREL, targeting iOS devices to abuse a WebKit vulnerability that was patched in the summer of 2019. The exploit, Volexity says, works against iOS versions 12.3, 12.3.1, and 12.3.2.

Successful exploitation of vulnerable systems results in a new version of the threat actor’s implant being delivered, which Volexity refers to as INSOMNIA.

The security firm says it observed multiple different attacks installing the implant on iOS devices. These attacks involved six exploit websites between January and March 2020, five implant instances, three command and control (C&C) IP and port pair combinations, and two unique C&C IP addresses.

Malicious iframes on the compromised websites would load IRONSQUIRREL code, with the most recent attacks associated with the Uyghur Academy website only. The code on this site appears to be exclusively used by the threat actor to target visitors if a User-Agent string associated with a vulnerable iPhone or iPad is detected.

“Note that the exploit can be triggered through any browser on the phone, as they all use WebKit. Volexity was able to confirm successful exploitation of a phone running 12.3.1 via the Apple Safari, Google Chrome, and Microsoft Edge mobile browsers,” Volexity explains.
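Because every iOS browser wraps WebKit, a defender auditing their own web server logs (or an MDM export) cannot stop at Safari User-Agents: Chrome (CriOS/) and Edge (EdgiOS/) on the same phone carry the same vulnerable OS version in their UA string. The script below is an added example, not Volexity's code or anything from the article; it parses the iOS version out of WebKit User-Agent strings from all three browser families and flags visitors on the three versions the article names as exploitable. The log lines, IP addresses and file names are constructed for the example.

```python
import re

# iOS versions the article names as affected by the exploit chain.
# Taken from the page's statement for this example; not an official Apple list.
EXPOSED_IOS_VERSIONS = {"12.3", "12.3.1", "12.3.2"}

# Apple's WebKit UA carries the OS version as "CPU iPhone OS 12_3_1 like Mac OS X"
# on iPhone and "CPU OS 12_3_1 like Mac OS X" on iPad. Desktop Safari does not match.
_IOS_UA_RE = re.compile(
    r"\((iPhone|iPad)[^)]*?CPU (?:iPhone )?OS (\d+(?:_\d+)*) like Mac OS X"
)

# Browser-family tokens. Chrome and Edge on iOS are WebKit shells and add their own token;
# plain Safari is the only one that carries "Version/".
_BROWSER_TOKENS = (("CriOS/", "Chrome"), ("EdgiOS/", "Edge"), ("Version/", "Safari"))

# Apache/nginx "combined" format: the User-Agent is the last quoted field.
_LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "[^"]*" "([^"]*)"$'
)

# Constructed sample log lines (documentation-range IPs); not real traffic.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [15/Feb/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/12.1.1 Mobile/15E148 Safari/604.1"',
    '203.0.113.11 - - [15/Feb/2020:10:02:15 +0000] "GET /news.html HTTP/1.1" 200 7210 "-" '
    '"Mozilla/5.0 (iPad; CPU OS 12_3 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) CriOS/75.0.3770.103 Mobile/15E148 Safari/605.1"',
    '203.0.113.12 - - [15/Feb/2020:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_2 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) EdgiOS/44.5.0.10 Mobile/15E148 Safari/605.1"',
    '203.0.113.13 - - [15/Feb/2020:10:04:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1"',
    '203.0.113.14 - - [15/Feb/2020:10:05:22 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/80.0.3987.99 Mobile Safari/537.36"',
    '203.0.113.15 - - [15/Feb/2020:10:06:09 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 '
    '(KHTML, like Gecko) Version/12.1.1 Safari/605.1.15"',
]


def parse_ios_ua(user_agent):
    """Return (device, ios_version, browser) for an iOS WebKit browser UA, else None."""
    m = _IOS_UA_RE.search(user_agent)
    if not m:
        return None
    device, raw_version = m.group(1), m.group(2)
    version = raw_version.replace("_", ".")  # "12_3_1" -> "12.3.1"
    browser = "other"
    for token, name in _BROWSER_TOKENS:
        if token in user_agent:
            browser = name
            break
    return device, version, browser


def is_exposed_version(version):
    """True if the iOS version is one the article lists as exploitable."""
    return version in EXPOSED_IOS_VERSIONS


def triage_access_log(lines):
    """Return (client_ip, device, ios_version, browser) for each visitor on an exposed version."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        client_ip, user_agent = m.group(1), m.group(2)
        parsed = parse_ios_ua(user_agent)
        if parsed and is_exposed_version(parsed[1]):
            hits.append((client_ip, *parsed))
    return hits


if __name__ == "__main__":
    for client_ip, device, version, browser in triage_access_log(SAMPLE_LOG_LINES):
        print(f"{client_ip}\t{device}\tiOS {version}\t{browser}")
```

On the constructed input the Safari, Chrome and Edge visitors on 12.3.x are all reported, while the 12.4 iPhone, the Android phone and the desktop Mac (whose UA also says "Mac OS X" but lacks the iOS device token) are not. The check matches only the exact versions the article lists; extend `EXPOSED_IOS_VERSIONS` from your own patch tracking rather than assuming anything about versions the article does not mention.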

The INSOMNIA implant runs as root with various entitlements, providing the threat actor with access to all the data considered to be of interest.

The updated implant features new hardcoded IP addresses, uses HTTPS for C&C communication, targets Signal and ProtonMail, uses an embedded certificate for C&C validation, and employs basic obfuscation. At installation, the malware sends information about all installed apps on the phone.

The implant, however, does not have a mechanism for persistence, which suggests that the attackers need to work quickly to harvest and exfiltrate the data they are looking for to avoid losing access in the event of a reboot. Yet, the researchers also suggest the threat actor might have a method for manually gaining persistence on verified targets.

“It can now be confirmed that in the past six months, Uyghur sites have led to malware for all major platforms, representing a considerable development and upkeep effort by the attackers to spy on the Uyghur population,” Volexity concludes.

Related: POISON CARP Threat Actor Targets Tibetan Groups

Related: New “HenBox” Android Malware Discovered

Related: Researchers Link Several State-Sponsored Chinese Spy Groups

Written By

Ionut Arghire is an international correspondent for SecurityWeek.