Cybercriminals Target Dalai Lama’s Office with WhatsApp Link Attack

Researchers from Citizen Lab have uncovered a new targeted cybercrime campaign aimed at owners of iOS and Android devices. The hacker group, dubbed Poison Carp by the researchers, sent malicious links to victims via the WhatsApp messenger. When the link was clicked, spyware was silently installed on the device through browser vulnerabilities.

The malicious campaign ran from November 2018 to May 2019. The group’s victims included high-ranking members of Tibetan communities, among them the private office of the Buddhist leader, the Dalai Lama. Attackers contacted each victim individually on WhatsApp, posing as employees of non-governmental organizations, journalists, or other fictitious individuals. They would first engage the victim in conversation before sending the malicious link.

On Android devices, the spyware was installed using eight known browser vulnerabilities, while on iPhones, a single vulnerability was exploited. At least four of the exploits were sourced from GitHub.

The malware, previously unknown and named MOONSHINE, gave attackers full control over the device. It allowed them to extract data such as text messages, call logs, contacts, and location information; access the microphone and camera; extract data from Viber, Telegram, Gmail, Twitter, and WhatsApp; and install additional malicious plugins.

The Poison Carp operation overlaps with two other campaigns targeting users in China belonging to the Uyghur ethnic group. Given the similarities between the three campaigns, researchers concluded that the Chinese government is likely behind them.
