Earth Empusa targets minority group with Android ActionSpy spyware

Pierluigi Paganini June 15, 2020

The Earth Empusa threat group is distributing new Android spyware, dubbed ActionSpy, through watering hole attacks to targets Turkic minority group.

Researchers warn that the Earth Empusa (aka POISON CARP/Evil Eye) threat group is targeting the Uyghurs, a Turkic minority ethnic group originating from and culturally affiliated with the general region of Central and East Asia, with new Android spyware dubbed ActionSpy.

The threat actors are spreading the malware through watering hole attacks targeting Tibet, Turkey, and Taiwan,

The malware was first spotted in April 2020, but experts believe the ActionSpy spyware has been active at least since 2017.

The spyware leverages a sequence of iOS exploits in the wild since 2016, since April 2020 ActionSpy is being spread via several pages distributed in the wild via phishing emails disguised as a download page of an Android video application that is popular in Tibet.

“ActionSpy, which may have been around since 2017, is an Android spyware that allows the attacker to collect information from the compromised devices,” reads the report published by Trend Micro. “It also has a module designed for spying on instant messages… and collecting chat logs from four different instant messaging applications.”

Attackers injected the malicious code to deploy the spyware in websites, some of them were actually fake. One of the pages used to deliver the malicious code replicated news pages from the World Uyghur Congress website.

The pages were injected with a script to load the cross-site scripting framework BeEF used to selectively deliver their malicious script.

Unfortunately, Trend Micro researchers were not able to detect any script while accessing the phishing pages employed in the watering hole attacks.

Earth Empusa ActionSpy malware

“In addition, we have also identified a news website and political party website in Turkey that have been compromised and injected with the same attack. In a more recent development, we found the same injection on a university website as well as a travel agency site based in Taiwan in March 2020.” continues the analysis. “These developments have led as to believe that Earth Empusa is widening the scope of their targets.”

The configuration of the ActionSpy is encrypted by DES and the decryption key is generated in native code, it includes the C&C server address. The traffic between C&C and ActionSpy is encrypted by RSA and transferred via HTTP.

Every 30 seconds, ActionSpy will collect basic device information, including IMEI, phone number, manufacturer, battery status, and send it to the C&C server. The server, in turn, may send some commands to the compromised device.

ActionSpy supports multiple modules that allow the spyware to implement a broad range of capabilities, including collect device location, contact info, call logs and SMS messages, make a device connect or disconnect to Wi-Fi, take photos with the camera and screenshots of the device and get chat logs from messaging apps (WhatsApp, China messaging services like QQ and WeChat, and Japanese messaging tool Viber).

ActionSpy prompts users to turn on the Android Accessibility service claiming that it is a memory garbage cleaning service.

Upon enabling the Accessibility service, ActionSpy will monitor “AccessibilityEvents” on the device.

“We have observed these injections on multiple Uyghur-related sites since the start of 2020. In addition, we have also identified a news website and political party website in Turkey that have been compromised and injected with the same attack. In a more recent development, we found the same injection on a university website as well as a travel agency site based in Taiwan in March 2020.” concludes the report. “These developments have led as to believe that Earth Empusa is widening the scope of their targets.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Earth Empusa, cybersecurity)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment