A threat actor referred to as POISON CARP has targeted senior members of Tibetan groups via WhatsApp for around six months, Citizen Lab reveals.
The attacks, carried out between November 2018 and May 2019, employed individually tailored WhatsApp text exchanges, where the attackers were posing as NGO workers, journalists, and other fake personas.
Links sent to victims led to browser exploits that would install spyware on iOS and Android devices. In some cases, the links led to OAuth phishing pages.
The threat actor has been observed employing a total of eight Android browser exploits, one Android spyware kit, and one iOS exploit chain and iOS spyware. No zero-days were used in this campaign.
The iOS exploit and spyware and a website used to serve exploits were also spotted in previously reported campaigns against the Uyghur community, but the Android malware, which is a fully featured spyware kit, was not previously documented.
The Tibetan Computer Emergency Readiness Team (TibCERT) was first notified of these attacks in November 2018, when senior members of Tibetan groups started receiving suspicious WhatsApp messages.
According to Citizen Lab, these attacks were carried out by POISON CARP only, and are the first attacks to employ one-click mobile exploits against Tibetan groups.
“It represents a significant escalation in social engineering tactics and technical sophistication compared to what we typically have observed being used against the Tibetan community,” Citizen Lab notes.
The iOS exploit chain used in this campaign only works on iOS 11.0 to 11.4.
One of the Android exploits, which has been publicly released, targets a Chrome bug for which a patch was available, although it hadn’t yet been distributed to Chrome users. The attackers also used modified Chrome exploits published on GitHub (CVE-2016-1646 and CVE-2018-17480), and on the Chrome Bug Tracker (CVE-2018-6065).
Citizen Lab was able to link exploits, spyware, and infrastructure used in this campaign to attacks previously detailed by Google Project Zero and Volexity, and the organization suggests that all campaigns were likely conducted by the same threat actor, which has shown interest in “the activities of ethnic minority groups that are considered sensitive in the context of China’s security interests.”
“Based on the use of the same iOS exploits and similar iOS spyware implant between POISON CARP and the campaign described by Google Project Zero and server infrastructure connections with the Evil Eye campaign reported by Volexity, we determine that the three campaigns were likely conducted by the same operator or a closely coordinated group of operators who share resources,” Citizen Lab notes.
High focus on social engineering lures
Between November 11 and 14, 2018, there were 15 intrusion attempts against individuals from the Private Office of His Holiness the Dalai Lama, the Central Tibetan Administration, the Tibetan Parliament, and Tibetan human rights groups. On April 22 and May 21, 2019, two additional attempts were observed. Most of the intended targets hold senior positions.
The attackers sent malicious WhatsApp messages from seven fake personas, posing as journalists, staff at international advocacy organizations, volunteers at Tibetan human rights groups, and tourists in India, all exclusively using WhatsApp phone numbers with a Hong Kong country code (+852).
POISON CARP put a lot of effort into social engineering, tailoring the personas and messages to the targets and actively engaging in conversations, persistently attempting to infect the targets. While in eight of the 15 intrusion attempts the targeted individuals recall clicking the exploit link, none was infected, as they were using non-vulnerable versions of iOS or Android.
In one attempt, a senior staff member at a Tibetan human rights group was contacted via WhatsApp by a persona claiming to be the head of the “Refugee Group” at Amnesty International’s Hong Kong branch. In another, a member of the same group was contacted by a persona claiming to be a New York Times reporter seeking an interview.
Attackers wanted to spy on victims
Of the 17 intrusion attempts, 12 contained links to the iOS exploit. As of September 6, 2019, a total of 140 clicks were recorded on the iOS exploit short links.
“We reported the exploit chain to Apple shortly after discovering it in November 2018. Apple confirmed that both the browser and privilege escalation exploits had been patched as of iOS 11.4.1 in July 2018,” Citizen Lab says.
The spyware implant retrieved from the November 2018 attacks collects device information (iPhone model, name, serial number, iOS version, phone number, ICCID of the SIM card, IMEI, and network connection method) and uploads it to the command and control (C&C) server.
Next, it proceeds to collect and upload various types of application data, including location data, contacts, call history, SMS history, and more. Targeted applications include Viber, Voxer, Telegraph, Gmail, Twitter, QQMail, and WhatsApp. In some cases, Yahoo Mail, Outlook, NetEase Mail Master, Skype, Facebook, and WeChat were also targeted.
The implant appears to lack C&C communication capabilities, which led Citizen Lab to the conclusion that it is in a rudimentary state of development.
As part of the campaign, the threat actor sent four malicious links pointing to Android exploits, none of which appear to share infrastructure or code similarities with the iOS payloads. Referred to as MOONSHINE, the Android exploit and malware kit had not been publicly described previously.
If the target accesses the malicious link using a Chrome-based Android browser, the webpage they are directed to attempts to open the exploit URL inside the Facebook app’s built-in Chrome-based web browser.
If an Android Facebook User-Agent header was used when opening the exploit URL, MOONSHINE would check if the Chrome version was vulnerable to any of eight different Chrome exploits (all are patched in the latest Chrome version). Four of these were copied from exploit code posted by security researchers.
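The gating described above, in which the exploit kit reads the User-Agent header to confirm an Android Facebook in-app browser and then compares the embedded Chrome version against its exploit set, is the same check a defender can run over web-proxy or gateway logs to find devices that would have been served an exploit. The following is an added example written for this article, not code from Citizen Lab or from the MOONSHINE kit. It parses the Chrome version out of Android WebView User-Agent strings, recognises the FB_IAB/FBAN/FBAV tokens the Facebook Android app appends, and reports which of the three CVEs named in the article the observed Chrome build predates. The log format and host names are constructed, and the fixed-in Chrome build numbers are an assumption to be verified against the Chrome release notes before use.

```python
"""Triage web-proxy log lines for Android Facebook in-app browser requests that
carry a Chrome engine predating the fixes for the CVEs named in the article.
Example code added for this article; not Citizen Lab's or the kit's code."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# ASSUMPTION: first Chrome build that ships the fix for each CVE. Illustrative
# values; verify against the Chrome release notes before relying on them.
PATCHED_IN: Dict[str, Version] = {
    "CVE-2016-1646": (49, 0, 2623, 108),
    "CVE-2018-6065": (65, 0, 3325, 146),
    "CVE-2018-17480": (70, 0, 3538, 102),
}

_CHROME_RE = re.compile(r"\bChrome/(\d+(?:\.\d+)*)")
# Tokens the Facebook Android app appends to its WebView User-Agent string.
_FB_IAB_RE = re.compile(r"\bFB_IAB/|\bFBAN/|\bFBAV/")
# Constructed proxy log format: <timestamp> <client> <method> <url> "<user-agent>"
_LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def parse_chrome_version(ua: str) -> Optional[Version]:
    """Return the Chrome version as an int tuple, or None if no Chrome token."""
    m = _CHROME_RE.search(ua)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_android_facebook_inapp(ua: str) -> bool:
    """True when the UA is an Android WebView carrying Facebook in-app tokens."""
    return "Android" in ua and bool(_FB_IAB_RE.search(ua))


def unpatched_cves(version: Version) -> List[str]:
    """CVEs whose fix landed in a later build than the observed version."""
    v = version + (0,) * max(0, 4 - len(version))  # treat "70" as 70.0.0.0
    return [cve for cve, fixed in PATCHED_IN.items() if v < fixed]


def assess_user_agent(ua: str) -> Dict[str, object]:
    """Apply the same two conditions the kit checks: in-app browser + old Chrome."""
    version = parse_chrome_version(ua)
    inapp = is_android_facebook_inapp(ua)
    cves = unpatched_cves(version) if (inapp and version) else []
    return {
        "facebook_inapp": inapp,
        "chrome_version": version,
        "unpatched_cves": cves,
        "at_risk": inapp and bool(cves),
    }


def triage_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line whose client would have been served an exploit."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        verdict = assess_user_agent(m.group("ua"))
        if verdict["at_risk"]:
            findings.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "url": m.group("url"),
                "chrome_version": verdict["chrome_version"],
                "unpatched_cves": verdict["unpatched_cves"],
            })
    return findings


# Constructed sample log: one vulnerable in-app request, one current Chrome,
# one old Chrome outside the Facebook app, one iOS Safari request.
SAMPLE_LOG = """\
2018-11-12T10:03:44Z 10.0.0.5 GET https://lure.example.invalid/news "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/64.0.3282.137 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/200.0.0.40.99;]"
2018-11-12T10:04:01Z 10.0.0.6 GET https://lure.example.invalid/news "Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/240.0.0.38.121;]"
2018-11-12T10:04:30Z 10.0.0.7 GET https://lure.example.invalid/news "Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.137 Mobile Safari/537.36"
2018-11-12T10:05:12Z 10.0.0.8 GET https://lure.example.invalid/news "Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E216 Safari/604.1"
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['client']} Chrome {'.'.join(map(str, f['chrome_version']))} "
              f"predates fixes for: {', '.join(f['unpatched_cves'])}")
```

Only the first sample line is flagged: the third line has the same old Chrome build but no Facebook in-app tokens, which matches the article's description that the kit only proceeds when the Facebook User-Agent is present, and the iOS line has no Chrome token at all. Run against real logs, the version thresholds are the part to keep current; the tokens and comparison logic do not change between Chrome releases.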
MOONSHINE provides rootless exploitation capabilities by leveraging Android apps with built-in browsers that request sensitive permissions. The final payload in these attacks, however, was a spyware called Scotch, a modular Java application that uses the WebSocket protocol for C&C communication.
While the Scotch payload has limited espionage features (it can grab device information and upload files from the device), it does download additional plugins that expand its functionality. Citizen Lab analyzed two of them, designed to steal SMS messages, address books and call logs, take screenshots, display notifications, and leverage the device’s camera, microphone, and GPS to spy on users.
“[The Uyghur and Tibetan] communities have experienced digital espionage threats for over a decade and previous reports often find the same operators and malware tool kits targeting them. However, the level of threat posed by POISON CARP and the linked campaigns are a game changer. These campaigns are the first documented cases of iOS exploits and spyware being used against these communities,” Citizen Lab concludes.