Information security experts from Facebook spoke about the Chinese hacker group Earth Empusa (also known as Evil Eye), which carried out malicious operations using the Facebook platform.
According to experts, the group attacked activists, journalists and dissidents who come from the Xinjiang Uygur Autonomous Region of China and live in Turkey, Kazakhstan, the United States, Syria, Canada and Australia. Attackers used a variety of cyber-espionage techniques to identify victims and infect their devices with tracking malware.
Earth Empusa's malicious operations were well-funded and well concealed. The hackers used Facebook primarily to spread links to malicious sites, not to distribute the malware itself. From time to time, these operations were suspended in response to countermeasures by both Facebook itself and other companies.
Experts identified the following tactics, techniques and procedures (TTPs) used by the group:
- Selective targeting and exploit protection: the hackers carefully concealed their activity and protected their exploits by delivering the iOS malware only to users who met certain technical criteria (IP address, operating system, browser, and country and language settings);
- Compromised and fake news sites: the attackers registered lookalike domains of popular Uyghur and Turkish news sites. They also hacked legitimate resources frequently visited by victims as part of watering-hole attacks. Some of these pages contained malicious JavaScript code resembling previously known exploits that install the iOS malware known as INSOMNIA;
- Social engineering: the group created fake Facebook accounts posing as journalists, activists and human rights defenders;
- Use of third-party app stores: the attackers created at least one fake Android app store through which they distributed apps containing the ActionSpy or PluginPhantom malware;
- Malware development outsourcing: The group used several malware families created by different developers.
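The lookalike news-site domains and watering-hole pages described in the list above are something a defender can hunt for in DNS or proxy logs. What follows is an added example, not code from this article or from Facebook's report: a small Python detector that flags hostnames impersonating a list of trusted sites. The trusted and observed domains in it are constructed placeholders, and the homoglyph table, the confusable-character rules and the edit-distance threshold of 2 are this example's own assumptions, not values taken from the report.

```python
"""Flag hostnames that impersonate trusted news sites (lookalike detection).

Added defensive example. The trusted and observed domains below are
constructed placeholders, not domains from any report.
"""
import unicodedata

# Constructed placeholders for legitimate sites a targeted community might read.
TRUSTED_DOMAINS = ["uyghurnews.example", "turkishdaily.example"]

# Cyrillic letters that render identically to Latin ones (IDN homoglyphs).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})

# ASCII substitutions that look alike at a glance. Both the trusted and the
# observed name go through the same rules, so comparisons stay consistent.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Collapse a domain to a canonical form in which lookalikes coincide."""
    d = domain.strip().lower().rstrip(".")
    if "xn--" in d:                        # punycode-encoded IDN label(s)
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass                           # malformed label: keep as-is
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    d = d.translate(HOMOGLYPHS).replace("-", "")
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _core(domain: str) -> str:
    """Crude registrable-name extraction: everything before the last label."""
    return domain.rsplit(".", 1)[0]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return (reason, trusted_domain) if `domain` impersonates a trusted site, else None."""
    raw = domain.strip().lower().rstrip(".")
    if any(raw == t or raw.endswith("." + t) for t in trusted):
        return None                        # the real site or one of its subdomains
    norm = normalize(domain)
    for t in trusted:
        tn = normalize(t)
        if norm == tn:
            return ("homoglyph", t)        # differs only by confusable characters
        if norm.startswith(tn + "."):
            return ("embedded", t)         # trusted name used as a leading subdomain
        if _core(norm) == _core(tn):
            return ("different-tld", t)    # same name under another TLD
        if edit_distance(_core(norm), _core(tn)) <= 2:
            return ("typosquat", t)        # assumed threshold of 2 edits
    return None


# Constructed sample of hostnames as they might appear in proxy or DNS logs.
OBSERVED = [
    "www.uyghurnews.example",
    "uyghurnevvs.example",
    "uyghurnews.example.attacker.test",
    "uyghurnewz.example",
    "cnn.example",
]


def flag_observed(hostnames):
    """Return [(hostname, reason, trusted_domain)] for every lookalike seen."""
    out = []
    for h in hostnames:
        hit = lookalike_of(h)
        if hit:
            out.append((h, hit[0], hit[1]))
    return out


if __name__ == "__main__":
    for h, reason, t in flag_observed(OBSERVED):
        print(f"{h}: {reason} of {t}")
```

Feed `flag_observed` the distinct hostnames from a day of resolver or proxy logs and review the hits by hand; the edit-distance rule in particular will produce false positives on short names, so in practice the threshold should scale with the length of the trusted name, and a real public-suffix list should replace the `_core` shortcut.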