A Chinese hacking group has been found leveraging a new exploit chain in iOS devices to install a spyware implant targeting the Uyghur Muslim minority in China’s autonomous region of Xinjiang.
The findings, published by digital forensics firm Volexity, reveal that the exploit — named “Insomnia” — works against iOS versions 12.3, 12.3.1, and 12.3.2 using a flaw in WebKit that was patched by Apple with the release of iOS 12.4 in July 2019.
Volexity said the attacks were carried out by a state-sponsored hacking group it calls Evil Eye, the same threat actor that it said was behind a series of attacks against the Uyghurs last September following a bombshell disclosure by Google’s Project Zero team.
Watering Holes Attacks Targeting Uyghur Websites
The malware campaign previously exploited as many as 14 vulnerabilities spanning from iOS 10 all the way through iOS 12 over a period of at least two years via a small collection of malicious websites that were used as a watering hole to hack into the devices.
According to Volexity, Insomnia was loaded on the iOS devices of users using the same tactic, granting the attackers root access, thereby allowing them to steal contact and location information, and plaintext messages from various instant messaging and email clients, including Signal and ProtonMail.
In its report, the company said that in the aftermath of last year’s exposé, the Evil Eye actor removed malicious code from the compromised websites and took down its command-and-control (C2) server infrastructure, until it began observing “new activity across multiple previously compromised Uyghur websites” starting in January 2020.
It’s worth pointing out that the open-source browser engine WebKit is the basis for Safari and other third-party web browsers on iOS such as Google Chrome and Firefox due to restrictions imposed by Apple’s App Store Review Guidelines (Section 2.5.6).
“Volexity was able to confirm successful exploitation of a phone running 12.3.1 via the Apple Safari, Google Chrome, and Microsoft Edge mobile browsers,” the research team said.
The new watering hole attacks compromised six different websites (e.g., the Uyghur Academy website or akademiye[.]org), which, when visited, loaded the Insomnia implant on the device.
The Spyware Now targets ProtonMail and Signal
As for the Spyware, it appears to be an updated version of the implant detailed by Google’s Project Zero security group, but with support for HTTPS communication and added capabilities to transmit information about each app that’s installed on the device as well as exfiltrate data from secure email and messaging apps like ProtonMail and Signal.
“As noted in September 2019, Volexity suspected that the Evil Eye attackers had also targeted iPhones based on the attackers’ C2 servers going offline shortly after Project Zero’s findings were made public,” the researchers concluded.
“These more recent findings confirm the suspicion that the attackers were indeed likely the same. It can now be confirmed that in the past six months, Uyghur sites have led to malware for all major platforms, representing a considerable development and upkeep effort by the attackers to spy on the Uyghur population.”