Spyware Operation Aims at Chinese Minority Groups Through WeChat


Possible State-Sponsored Exploit Kit Leveraging Browser Vulnerabilities for Spyware Deployment

Image caption: Inside a "vocational skills education and training center" in Wensu County, Aksu Prefecture, Xinjiang. (Image: Shutterstock)

A threat group believed to be affiliated with the Chinese state is exploiting vulnerabilities in popular messaging applications to deliver spyware to devices used by ethnic minorities, specifically groups repressed by the Chinese government. The operation is a further example of ongoing state-sponsored cyber activity.

Trend Micro's research team identified the group, which it has named "Earth Minotaur." The actor is reportedly using the Moonshine exploit kit together with a newly discovered backdoor that enables sustained surveillance. The primary targets appear to be individuals within the Tibetan and Uyghur communities. In 2022, the U.S. government accused China of perpetrating genocide and crimes against humanity against Uyghurs, adding urgency to awareness of these cyber threats.

The Moonshine exploit kit was first documented in 2019, and researchers recently reported an enhanced version with improved capabilities and stronger protections against analysis. Earth Minotaur is using this kit to deploy a backdoor known as "DarkNimbus" on both Android and Windows, with a specific focus on users of the widely used WeChat messaging service.

A notable feature of the Moonshine kit is that it exploits vulnerabilities in Chromium-based browsers to execute payloads that exfiltrate sensitive data from compromised devices. Browsers such as Google Chrome, as well as messaging platforms that embed in-app browsers, such as Line, QQ, and Zalo, are exposed to these attacks.

The initial access mechanism is carefully crafted messages that entice recipients to click malicious links, often disguised as legitimate government announcements or news related to China. As part of the social engineering, operators may adopt various personas in chat conversations to increase the likelihood that the victim engages.

Once a victim clicks a malicious link, they are redirected to one of more than 55 Moonshine servers, which results in the installation of the DarkNimbus backdoor. To further disguise the malicious intent, the links often appear harmless, ostensibly pointing to announcements or cultural content relevant to Tibetan or Uyghur communities.

The DarkNimbus backdoor gathers device details, installed applications, and geolocation data, and steals personal information including contacts and message content. It can also record calls, capture photos, and execute arbitrary commands, making it a powerful surveillance tool.

Furthermore, the revamped Moonshine exploit kit incorporates an exploit for CVE-2020-6418, a type confusion vulnerability in the V8 JavaScript engine that was exploited in the wild and patched by Google in early 2020. This integration underscores the evolving nature of state-sponsored threats and the need for heightened vigilance and proactive measures from organizations.

Mapped to the MITRE ATT&CK Matrix, the tactics likely employed in this coordinated effort include initial access through social engineering, persistence via the deployment of backdoors, and the exploitation of browser vulnerabilities for privilege escalation. The incident highlights the escalating risk landscape and the need for organizations to strengthen their cybersecurity strategies against such sophisticated threats.
