The actor, POISON CARP, has been tied to multiple attacks on the mobile devices of senior members and leaders of Tibetan groups. The attack begins with carefully crafted messages sent via the WhatsApp messaging platform from actors posing as journalists, NGO workers, tourists, and other legitimate business contacts [1]. The message typically entices the user to click a link, which in many cases was shortened using bit.ly.

For iOS users, the shortened link redirected to www.msap[.]services (this link is intentionally disabled), where an iOS exploit chain targeting versions 11.0 through 11.4 resided. If the requesting iPhone's User-Agent string revealed that it was running one of the vulnerable firmware versions, the URL returned a valid HTML page with two iframes. One iframe displayed a benign decoy webpage, while a second, invisible iframe took the user to another exploit page on a different website [1]. The iOS exploit was a WebKit JavaScriptCore exploit that allowed privilege escalation and enabled a spyware-like payload to run on the device. The implant establishes contact with the C2 and then begins collecting device information such as make, model, phone number, IMEI, IMSI, ICCID, network method, and storage capacity. The device could then be remotely queried for a list of applications from which the actor wanted to exfiltrate data. Analysis concluded that many applications were already hardcoded into the implant for retrieval, including but not limited to Viber, Voxer, Telegram, Twitter, WhatsApp, Facebook, WeChat, Yahoo Mail, Gmail, Outlook, QQMail, and Skype.

The process for Android users is similar, starting with an enticing WhatsApp message that users are encouraged to click through various social engineering schemes. The server examines the targeted user's User-Agent string to determine how they accessed the site and whether they did so with a vulnerable browser version. For example, if a user reached the server through Facebook's WebKit-based in-app browser and the User-Agent indicated a vulnerable Chrome version, the exploit delivered and ran shellcode on the device that in turn downloaded a "Loader" (an ARMv7 ELF binary), which it stored in /data/data/com.facebook.katana/[NameOfBinary] to maintain secrecy and persistence on the device. When the user next launched the legitimate Facebook application, it read the .so file into memory and kicked off the spyware installation and operation. The malicious applications could then exfiltrate SMS messages, contacts, and call logs, and invoke the device microphone and camera for exfiltration purposes [1].
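Two checks a defender can run against the delivery pattern described above, written here as an added example (not code from the report or from the researchers it cites): flag proxy or MDM User-Agent strings that report an iOS build inside the 11.0 to 11.4 range the exploit chain targeted, and flag landing pages that embed a hidden iframe pointing at a different host, the decoy-plus-invisible-iframe layout described for the iOS stage. The sample HTML and hostnames are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Version window the report says the iOS exploit chain targeted (11.0 - 11.4).
IOS_TARGET_MIN, IOS_TARGET_MAX = (11, 0), (11, 4)


def ios_version(user_agent):
    """Return (major, minor) parsed from an iOS User-Agent, or None if not iOS."""
    m = re.search(r"(?:iPhone|CPU) OS (\d+)_(\d+)", user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


def in_targeted_range(user_agent):
    """True when the UA reports an iOS build the exploit chain would serve."""
    v = ios_version(user_agent)
    return v is not None and IOS_TARGET_MIN <= v <= IOS_TARGET_MAX


class IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?\b", re.I)


def is_hidden(attrs):
    """Heuristic: iframe hidden via inline style, zero size, or the hidden attribute."""
    if HIDDEN_STYLE.search(attrs.get("style") or ""):
        return True
    zero = ("0", "0px")
    return attrs.get("width") in zero or attrs.get("height") in zero or "hidden" in attrs


def suspicious_iframes(html, page_url):
    """Return src URLs of iframes that are both hidden and point to another host."""
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if is_hidden(attrs) and host and host != page_host:
            hits.append(src)
    return hits


# Constructed sample: a visible decoy frame plus an invisible off-host frame.
SAMPLE_HTML = """<html><body>
<iframe src="https://decoy.example/news.html" width="100%" height="600"></iframe>
<iframe src="https://second-stage.example/e" style="display:none;width:0;height:0"></iframe>
</body></html>"""
```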

Reference:

[1] https://for585.com/oneclickexploits