Poison Carp cyber-espionage group targeting Tibetan officials with mobile malware

News by Doug Olenick

Threat group Poison Carp uses Android exploits to plant spyware on devices operated by various Tibetan leaders

A newly designated threat group dubbed Poison Carp has been found using Android exploits to plant spyware on devices operated by various Tibetan leaders.

The attacks were uncovered by The Citizen Lab, which found Poison Carp using a mix of eight Android browser exploits and one Android spyware kit, along with an iOS exploit chain and iOS spyware. The browser exploits were gathered from several sources, and while no zero days were involved, the cybergang did utilise unpatched malware or slightly modified versions of Chrome exploit code published on Qihoo 360’s Vulcan Team’s personal GitHub page and by a Google Project Zero member on the Chrome Bug Tracker.

"This campaign is the first documented case of one-click mobile exploits used to target Tibetan groups, and reflects an escalation in the sophistication of digital espionage threats targeting the community," The Citizen Lab wrote.

The campaign was initiated in November 2018 and consisted of 15 intrusion attempts against staffers in the Private Office of His Holiness the Dalai Lama, the Central Tibetan Administration, the Tibetan Parliament and various Tibetan human rights groups. The attack involved some very creative social engineering, The Citizen Lab reported. Two more attacks took place in April and May 2019.

For each intrusion attempt, the attackers created fake WhatsApp personas, pretending to be journalists, NGO staff, volunteers to Tibetan human rights groups, and tourists. All used WhatsApp phone numbers originating in Hong Kong.

"Throughout the campaign, Poison Carp demonstrated significant effort in social engineering. The personas and messages were tailored to the targets, and Poison Carp operators actively engaged in conversations and persistently attempted to infect targets. Overall, the ruse was persuasive: in eight of the 15 intrusion attempts, the targeted persons recall clicking the exploit link. Fortunately, all of these individuals were running non-vulnerable versions of iOS or Android, and were not infected," the report stated.

In one case a person pretending to be from Amnesty International conducted a conversation and at one point slipped in a link that led to an iOS exploit. In this case the exploit did not work, as the target’s iPhone was not vulnerable, but once the attacker realised the first attempt failed, they tried again linking to other exploit kits.

The Android campaign, dubbed Moonshine, does not share any infrastructure or code with the iOS attacks, but The Citizen Lab believes Poison Carp is behind both.

Once the target is convinced to open the malicious link, sent via a WhatsApp conversation, the malware checks to see if the version of Chrome being run by the device is susceptible to one of the eight Chrome exploits in Poison Carp’s toolbox. Moonshine operates in a stealthy fashion by exploiting popular Android apps with built-in browsers that also request high-level permissions from the user.

"Moonshine obtains persistence by overwriting an infrequently used shared library (.so) file in one of these apps with itself. When a targeted user opens the legitimate app after exploitation, the app loads the shared library into memory, which causes the spyware to activate," the report said.

The most powerful spyware deployed by Moonshine is Scotch, which uses a WebSocket protocol to connect to its command and control server. Scotch itself does not dig out much information, but once it communicates with the controls server, additional malicious plugins are downloaded that can exfiltrate SMS text messages, address books and call logs. Other tricks include spying on targets through their phones’ camera, microphone and GPS.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews