MOONSHINE: Evolving Android Surveillanceware by Chinese APT POISON CARP To Target Tibetans and Uyghurs
Summary
- MOONSHINE is a surveillanceware family attributed to the Chinese hacking group POISON CARP.
- In November 2022, Lookout published its in-depth analysis of MOONSHINE, which was previously discovered by Citizen Lab.
- MOONSHINE, alongside BadBazaar, another malware family attributed to the Chinese APT group APT15, has been known to target Tibetan and Uyghur minorities within China. Lookout has been tracking BadBazaar since November 2022.
- Lookout Mobile Endpoint Security customers are protected.
Contact us if you have been targeted or would like to consult with our research team on mobile threats.
What is MOONSHINE Android surveillanceware?
MOONSHINE is a family of Android surveillanceware that is attributed to the Chinese-backed hacking group POISON CARP, also known as Evil Eye and Earth Empusa. The spyware has been observed to target Tibetan and Uyghur communities in the name of keeping track of religious extremism or separatism.
MOONSHINE was first discovered in 2019 by Citizen Lab as part of a campaign targeting Tibetans. In November 2022, Lookout Threat Intelligence Lab researchers published their findings on updated variants of the spyware aimed at the Uyghur community.
Lookout observed that the deployment goal of MOONSHINE is to collect extensive data on its target. This can include call records, contacts, SMS, and WeChat data from Tencent wcdb database files. The spyware can also access the microphone and camera, as well as retrieve files from a location specified by the C2.
Early 2019 variants required excessive permissions and attempted to replace native libraries to collect data, and had artifacts suggesting that the app was still under development. In the second half of 2022, Lookout researchers acquired more than 50 unique samples that required fewer permissions and file replacements, and were trojanized versions of popular social media platforms like WhatsApp or Telegram, or Muslim-related apps.
Lookout’s analysis was published alongside a discovery of the Android variant of BadBazaar, a surveillanceware family that was also targeting Uyghurs. In 2023, Lookout also analyzed an iOS version of BadBazaar that was targeting the Tibetan community.
Technical analysis of MOONSHINE
In 2019, Citizen Lab reported an Android exploit targeting members of Tibetan activist groups with spear-phishing messages sent through WhatsApp. This exploit, and the associated surveillance tool that was installed on compromised devices, was dubbed MOONSHINE and attributed to the APT group POISON CARP. The exploit followed a multi-stage installation process where the initial link sent to a targeted victim downloaded an executable that installed subsequent modules, named Whisky, Bourbon, and Scotch, to overwrite legitimate native libraries in popular apps like Facebook and WeChat. These modules allowed the attacker to maintain persistence by establishing communications with a C2 server through web sockets and initiate surveillance capabilities on the exploited device.
Early campaigns (early 2019)
Shortly after Citizen Lab’s disclosure, Lookout researchers discovered app-based Android surveillance tooling, acquired in early 2019, that did not exploit the device. Instead, it used a slightly modified version of “libbourbon.so” to extract and run the “scotch.jar” payload responsible for performing surveillance activities. The names of both the native library file and the payload were identical to MOONSHINE, and many of the same indicators of compromise could be found in both implementations. Many of these early variants requested extensive permissions and appeared to be under development. However, some requiring fewer permissions introduced characteristics of the “Whisky” stage to the Scotch module, attempting to overwrite the same native library files in popular messaging apps like Facebook, QQ, or WeChat.
2022 Uyghur-targeting campaigns
Since July 2022, Lookout researchers have discovered more than 50 unique samples of MOONSHINE that differ from the earlier variants. The rate at which new samples are deployed indicates these campaigns are ongoing. The majority of these samples are trojanized versions of popular social media platforms, like WhatsApp or Telegram, or trojanized versions of Muslim cultural apps, Uyghur-language tools, or prayer apps.
Our MOONSHINE samples were acquired from multiple Uyghur-language communication channels, some boasting hundreds of members. Many of the apps shared within these channels were posted in response to requests for app suggestions, such as Android apps that provided offline map access. Occasionally, users would share an app with no context, but many attempted to legitimize their post with comments like, “This is the application I use,” or, “I have an app [that is] very convenient to use in Turkey. I don't know about other countries; try it.”
Telegram channels occasionally discuss surveillance apps that may have been shared through the channel, as well as other Uyghur-language accounts that have been accused of being “controlled by Chinese state surveillance operators.” More commonly, though, users seem willing to download apps shared by others within the channel.
Capabilities
The source code for these new trojanized apps is nearly identical to that of the legitimate app they pretend to be, with the exception that it loads a native library, “libout.so.” This native library functions similarly to the “libbourbon.so” library in the 2020 sample of MOONSHINE. It extracts and loads the “scotch.jar” surveillance payload to a directory named “app_sikhywis_ca55200e” and acquires C2 details for retrieving secondary modules. C2 operations are performed via websocket at a domain and port acquired by decrypting an XOR-encrypted series of bytes using a key derived from the last 4 bytes of the “libout.so” file.
The app-based MOONSHINE acquires the secondary modules, “bourbon.jar” and “icecube.jar,” mentioned in the Citizen Lab report. Newer variants developed in late 2022 introduce additional modules, “cpcom.jar” and “salt.jar.” All surveillance capabilities are implemented within these five modules.
The specified C2 infrastructure is encrypted and stored in a SharedPreferences XML file named “8B14B755-C161-4804-A62B-8776315E07CD.xml.” Additional infrastructure may be specified by the C2 and added to this file for use by the malware after it has been initialized. A decryption method called “deserialize” Base64-decodes the configuration string and uses a hard-coded AES encryption key to decrypt the resulting value. The decrypted value is a GZIP-formatted string, which is unzipped to return a JSON array that is used by the malware client.
Decrypting the string returns a list of modules to be used by the scotch app, as well as the C2 domain and port for acquiring these modules and performing C2 operations.
Once the malware client has acquired the C2 infrastructure, it initiates a web socket and establishes a connection with the C2. The malware client collects and sends extensive details about the device, including network activity, whether the device is rooted and the user’s IP address.
Two parameters, “whisky_id” and “score,” are also transmitted to the C2 during the client’s initial connection. The “whisky_id” value is a unique identifier for the device based on device information and its SD card. The “score” parameter is a numerical representation of how vulnerable the device is to surveillance. A point value is assigned for each permission granted to the malware client.
While previous variants of the MOONSHINE client attempted to gain persistence and access to extensive permissions by exploiting other apps by replacing their native libraries, these latest samples neither request extensive permissions from the user upon installation nor do they attempt to replace the native library files in any messaging apps. The “score” parameter appears to be some kind of indicator to allow the threat actor to decide how to proceed with the targeted device. After establishing its connection with the C2, the client is able to receive commands from the server to perform a variety of functions, depending on the score generated for the device. The malware client is capable of:
- Call recording
- Contact collection
- Retrieving files from a location specified by the C2
- Collecting device location data
- Exfiltrating SMS messages
- Camera capture
- Microphone recording
- Establishing a SOCKS proxy
- Collecting WeChat data from Tencent wcdb database files
Communications are sent over a secure websocket, and are additionally encrypted before transmission using a custom method named “serialize()” similar to the one used to encrypt the SharedPreferences configuration file.
In earlier variants of MOONSHINE, commands were structured as uppercase, underscore-separated descriptions of the surveillance feature in use: “GET_CALLLOG,” “DEV_INFO,” etc. The latest versions of MOONSHINE now use websocket “groups” to classify the kind of surveillance capability being reported or commanded, and a “command” to further specify the actions being taken with that feature. For example, the C2 may request the malware client to perform some function with the compromised device’s camera with “list” or “capture”. If the command “list” is received, the client sends a list of all cameras on the device to the C2. If “capture” is received, the malware begins recording with the device camera.
Infrastructure
All MOONSHINE samples connect to administrator panels similar to those shown in the 2019 Citizen Lab report. These panels use domain names hosted by free dynamic DNS services. Unlike early panels, however, all recent panels are named “SCOTCH ADMIN” exclusively.
We were able to obtain the number of device IDs stored in the C2 server database, along with the unique whisky_id, the number of items exfiltrated from device contacts, call log, location, and SMS, and an alias if one was given to the device. A handful of these devices are assigned the alias “test.” Many have not been assigned aliases, while those that do follow one of the following formats: “\d-real”, “A-\d”, “t\d”, “t\d yyyy-mm-dd”
At the time of reporting, 635 devices are logged across three “SCOTCH ADMIN” panels, with timestamps indicating continued surveillance.
Attribution
Previous reporting on campaigns of POISON CARP, also known as Evil Eye and Earth Empusa, has indicated a suspected link between the Chinese government and the threat actor. In their report from March 2021, Facebook found specific connections between two Android-targeted POISON CARP malware families, PluginPhantom and ActionSpy, and the Chinese software development companies Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush).
The 2022 MOONSHINE samples contain some details within the source code indicating the developers are likely Chinese speaking. These include specific checks for whether the victim device is using a Chinese telecom, and reliance on the popular Chinese search engine Baidu and a hard-coded Chinese IP address, 223.5.5.5, to check for network connectivity. Additionally, the server-side API includes documentation and inline comments written in simplified Chinese.
While Lookout researchers could not connect the malware client or infrastructure to a specific technology company, the malware client is a well-built and full-featured surveillance tool that would have likely required substantial resources. This seems to suggest that some kind of professional development company or collective was responsible for its production.
Indicators of Compromise
SHA1 of APKs
Infrastructure
msgupdate.nsupdate[.]info
kuyrfikuhylkjliuyhiuy.nsupdate[.]info