MOONSHINE: Evolving Android Surveillanceware by Chinese APT POISON CARP To Target Tibetans and Uyghurs
- MOONSHINE is a surveillanceware family attributed to the Chinese hacking group POISON CARP.
- In November 2022, Lookout published its in-depth analysis of MOONSHINE, which was previously discovered by Citizen Lab.
- MOONSHINE, alongside BadBazaar, another malware family attributed to Chinese APT group APT15, have been known to target Tibetan and Uyghur minorities within China. Lookout has been tracking BadBazaar since November 2022..
- Lookout Mobile Endpoint Security customers are protected.
Contact us if you have been targeted or would like to consult with our research team on mobile threats.
What is MOONSHINE Android surveillanceware?
MOONSHINE is a family of Android surveillanceware that is attributed to the Chinese-backed hacking group POISON CARP, also known as Evil Eye and Earth Empusa. The spyware has been observed to target Tibetan and Uyghur communities in the name of keeping track of religious extremism or separatism.
MOONSHINE was first discovered in 2019 by Citizen Lab as part of a campaign targeting Tibetans. In November 2022, Lookout Threat Intelligence Lab researchers published its findings on updated variants of the spyware that was aimed at the Uyghur community.
Lookout observed that the deployment goal of MOONSHINE is to collect extensive data on its target. These can include call records, contacts, SMS, and WeChat data from Tencent wcdb database files. The spyware can also access the microphone and camera, as well as retrieve files from a location specified by the C2.
Early 2019 variants required excessive permissions and attempted to replace native libraries to collect data, and had artifacts suggesting that the app was still under development. In the second half of 2022, Lookout researchers acquired more than 50 unique samples that required fewer permissions and file replacements, and were trojanized versions of popular social media platforms like WhatsApp or Telegram, or Muslim-related apps.
Lookout’s analysis was published alongside a discovery of the Android variant of BadBazaar, a surveillanceware family that was also targeting Uyghurs. In 2023, Lookout also analyzed an iOS version of BadBazaar that was targeting the Tibetan community.
Technical analysis of MOONSHINE
In 2019, Citizen Lab reported an Android exploit targeting Tibetan activist groups members using spear phishing messages through WhatsApp. This exploit, and the associated surveillance tool that was installed on compromised devices, was dubbed MOONSHINE and attributed to the APT group, POISON CARP. The exploit followed a multi-stage installation process where the initial link sent to a targeted victim downloaded an executable that installed subsequent modules, named Whisky, Bourbon, and Scotch, to overwrite legitimate native libraries in popular apps like Facebook and WeChat. These modules allowed the attacker to maintain persistence by establishing communications with a C2 server through web sockets and initiate surveillance capabilities on the exploited device.
Early campaigns (early 2019)
Shortly after Citizen Lab’s disclosure, Lookout researchers discovered app-based Android surveillance tooling, which was acquired in early 2019, that did not exploit the device. Instead they used a slightly modified version of “libbourbon.so” to extract and run the “scotch.jar” payload responsible for performing surveillance activities. The names of both the native library file and the payload were identical to MOONSHINE, and many of the same indicators of compromise could be found in both implementations.Many of these early variants requested extensive permissions and appeared to be under development. However, some requiring fewer permissions introduced characteristics of the “Whisky” stage to the Scotch module, attempting to overwrite the same native library files in popular messaging apps like Facebook, QQ, or WeChat.
2022 Uyghur-targeting campaigns
Since July 2022, Lookout researchers have discovered more than 50 unique samples of MOONSHINE that differ from the earlier variants. The rate at which new samples are deployed indicates these campaigns are ongoing. The majority of these samples are trojanized versions of popular social media platforms, like WhatsApp or Telegram, or trojanized versions of Muslim cultural apps, Uyghur-language tools, or prayer apps.
Our MOONSHINE samples were acquired from multiple Uyghur-language communication channels, some boasting hundreds of members. Many of the apps shared within these channels were posted in response to requests for app suggestions, such as Android apps that provided offline map access. Occasionally, users would share an app with no context, but many attempted to legitimize their post with comments like, “This is the application I use,” or, “I have an app [that is] very convenient to use in Turkey. I don't know about other countries; try it.”
We believe that some of the malware mentioned may be Telegram channels occasionally discuss surveillance apps that may have been shared through the channel as well as other Uyghur-language accounts that have been accused of being “controlled by Chinese state surveillance operators.” More commonly, though, users seem willing to download apps shared by others within the channel.
The source code for these new trojanized apps is nearly identical to that of the legitimate app they pretend to be, with the exception that it loads a native library, “libout.so.” This native library functions similarly to the “libbourbon.so” library in the 2020 sample of MOONSHINE. It extracts and loads the “scotch.jar” surveillance payload to a directory named “app_sikhywis_ca55200e” and acquires C2 details for retrieving secondary modules. C2 operations are performed via websocket at a domain and port acquired by decrypting an XOR-encrypted series of bytes using a key derived from the last 4 bytes of the “libout.so” file.
The app-based MOONSHINE acquires the secondary modules, “bourbon.jar” and “icecube.jar,” mentioned in the Citizen Lab report. Newer variants developed in late 2022 introduce additional modules, “cpcom.jar” and “salt.jar.” All surveillance capabilities are implemented within these five modules.
The specified C2 infrastructure is encrypted and stored in a SharedPreferences XML file named, “8B14B755-C161-4804-A62B-8776315E07CD.xml.” Additional infrastructure may be specified by the C2 and added to this file for use by the malware after it has been initialized. A decryption method called “deserialize” Base64 decodes the configuration string and uses a hard coded AES encryption key to decrypt the resulting value. The decrypted value is a GZIP formatted string, which is unzipped to return a JSON array that is used by the malware client.
Decrypting the string returns a list of modules to be used by the scotch app, as well as the C2 domain and port for acquiring these modules and performing C2 operations.
Once the malware client has acquired the C2 infrastructure, it initiates a web socket and establishes a connection with the C2. The malware client collects and sends extensive details about the device, including network activity, whether the device is rooted and the user’s IP address.
Two parameters, “whisky_id” and “score,” are also transmitted to the C2 during the client’s initial connection. The “whisky_id” value is a unique identifier for the device based on device information and its SD card. The “score” parameter is a numerical representation of how vulnerable the device is to surveillance. A point value is assigned for each permission granted to the malware client.
While previous variants of the MOONSHINE client attempted to gain persistence and access to extensive permissions by exploiting other apps by replacing their native libraries, these latest samples neither request extensive permissions from the user upon installation nor do they attempt to replace the native library files in any messaging apps. The “score” parameter appears to be some kind of indicator to allow the threat actor to decide how to proceed with the targeted device. After establishing its connection with the C2, the client is able to receive commands from the server to perform a variety of functions, depending on the score generated for the device. The malware client is capable of:
- Call recording
- Contact collection
- Retrieving files from a location specified by the C2
- Collecting device location data
- Exfiltrating SMS messages
- Camera capture
- Microphone recording
- Establishing a SOCKS proxy
- Collecting WeChat data from Tencent wcdb database files
Communications are sent over a secure websocket, and additionally encrypted before transmission using a custom method named “serialize()” similar to that of the one used to encrypt the SharedPreferences configuration file.
In earlier variants of MOONSHINE, commands were structured as uppercase, underscore-separated descriptions of the surveillance feature in use: “GET_CALLLOG,” “DEV_INFO,” etc. The latest versions of MOONSHINE now use websocket “groups” to classify the kind of surveillance capability being reported or commanded, and a “command” to further specify the actions being taken with that feature. For example, the C2 may request the malware client to perform some function with the compromised device’s camera with “list” or “capture”. If the command “list” is received, the client sends a list of all cameras on the device to the C2. If “capture” is received, the malware begins recording with the device camera.
All MOONSHINE samples connect to administrator panels similar to those shown in the 2019 Citizen Lab report. These panels use domain names hosted by free dynamic DNS services. Unlike early panels, however, all recent panels are named “SCOTCH ADMIN” exclusively.
We were able to obtain the number of device IDs stored in the C2 server database, along with the unique whisky_id, the number of items exfiltrated from device contacts, call log, location, and SMS, and an alias if one was given to the device. A handful of these devices are assigned the alias “test.” Many have not been assigned aliases, while those that do follow one of the following formats: “\d-real”, “A-\d”, “t\d”, “t\d yyyy-mm-dd”
At the time of reporting, there are currently 635 devices logged across three “SCOTCH ADMIN” panels with timestamps indicating continued surveillance.
Previous reporting on campaigns of POISON CARP, also known as Evil Eye and Earth Empusa, has indicated a suspected link between the Chinese government and the threat actor. In their report from March 2021, Facebook found specific connections between two Android-targeted POISON CARP malware families, PluginPhantom and ActionSpy, and the Chinese software development companies Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush).
The 2022 MOONSHINE samples contain some details within the source code indicating the developers are likely Chinese speaking. These include specific checks for whether the victim device is using a Chinese telecom, and relying on the popular Chinese search engine Baidu and a hardcoded Chinese IP address, 126.96.36.199 to check for network connectivity. Additionally, the server-side API includes documentation and inline comments written in simplified Chinese.
While Lookout researchers could not connect the malware client or infrastructure to a specific technology company, the malware client is a well-built and full-featured surveillance tool that would have likely required substantial resources. This seems to suggest that some kind of professional development company or collective was responsible for its production.
Indicators of Compromise
SHA1 of APKs
Identify and Prevent Threats with Lookout Threat Advisory
Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.
Lookout Threat Advisory offers advanced mobile threat intelligence, leveraging millions of devices in our global network and top security research insights to protect your organization.