Selective targeting and exploit protection: This group took steps to conceal their activity and protect malicious tools by only infecting people with iOS malware when they passed certain technical checks, including IP address, operating system, browser and country and language settings.
Compromising and impersonating news websites:This group set up malicious websites that used look-alike domains for popular Uyghur and Turkish news sites. They also appeared to have compromised legitimate websites frequently visited by their targets as part of watering hole attacks. A watering hole attack is when hackers infect websites frequently visited by intended targets to compromise their devices. Some of these web pages contained malicious javascript code that resembled previouslyreportedexploits, which installed iOS malware known as INSOMNIA on people's devices once they were compromised.
Social engineering:This group used fake accounts on Facebook to create fictitious personas posing as journalists, students, human rights advocates or members of the Uyghur community to build trust with people they targeted and trick them into clicking on malicious links.
Using fake third party app stores:We found websites set up by this group that mimic third-party Android app stores where they published Uyghur-themed applications, including a keyboard app, prayer app, and dictionary app. These apps were trojanized (contained malware that misled people of its true intent) with two Android malware strains -ActionSpyor PluginPhantom.
Outsourcing malware development:We've observed this group use several distinct Android malware families. Specifically, our investigation and malware analysis found that Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush), two Chinese companies, are the developers behind some of the Android tooling deployed by this group. Our assessment of one of them benefited from research by FireEye, a cybersecurity company. These China-based firms are likely part of a sprawling network of vendors, with varying degrees of operational security.
Industry tracking: Our industry peers have been tracking parts of this activity as being driven by a single threat actor broadly known as Earth Empusa, or Evil Eye, or PoisonCarp. Our investigation confirmed that the activity we are disrupting today closely aligns with the first two - Earth Empusa or Evil Eye. While PoisonCarp shares some TTPs including targeting and use of some of the same vendor-developed malware, our on-platform analysis suggests that it is a separate cluster of activity.
Attachments
Original document
Permalink
Disclaimer
Facebook Inc. published this content on 24 March 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 24 March 2021 18:02:00 UTC.
Meta Platforms, Inc. specializes in online social networking services. Net sales break down by activity as follows:
- operation of social networking, messaging, photo and video sharing platforms (98.6%): operation of the Facebook, Instagram, Messenger, Threads and WhatsApp platforms (3.98 billion monthly active users in 2023) ;
- sale of virtual and augmented reality products, software and devices (1.4%): virtual reality headsets (Meta Quest), connected screens (Facebook Portal), wearable devices, etc.
Net sales break down by source of income into advertising spaces (97.5%) and other (2.2%).
Net sales are distributed geographically as follows: the United States and Canada (39.2%), Asia-Pacific (26.8%), Europe (23.1%) and other (10.9%).
META PLATFORMS, INC. 
