Surveillance campaigns against Uyghurs and other Turkic ethnic minorities have been operational for years. Recently, Lookout researchers have discovered two ongoing surveillance campaigns targeting Uyghurs in the People’s Republic of China and abroad.
The BadBazaar Campaign
The first campaign introduces a novel Android surveillance malware named BadBazaar that shares infrastructure and TTPs with other known Uyghur-targeting adversaries and tools.
- The campaign was first discovered by Malware Hunter Team in late 2021, in which an English-Uyghur dictionary app was flagged as malware tied to Bahamut hackers by VirusTotal contributors.
- Researchers have tied the surveillance campaign to BadBazaar and found it leverages the same infrastructure and TTPs used by the Chinese hacking group APT15 (aka VIXEN PANDA).
- BadBazaar is capable of collecting data such as precise location, list of installed apps, call logs with geolocation data, contacts list, SMS, device information, WiFi information, and phone call recording. Further, it can take pictures and exfiltrate files and databases.
How is it delivered?
- Since 2018, BadBazaar has used at least 111 different apps, impersonating several utility apps across wide categories, including dictionaries, religious practice companions, battery optimizers, and video players. Recently, it is being distributed as social media applications.
- So far, there is no evidence that these apps ever reached Google Play (although some attempts were made). Therefore, these apps are likely distributed via third-party app stores or malicious websites.
- In one case, an iOS app was found on the Apple App Store that didn't have any spyware functionality. It communicated with the malicious C2 only to share the device's UDID.
The Moonshine campaign
The other campaign employs updated variants of Moonshine spyware, a well-built and full-featured surveillance tool, using 50 apps.
- Since July, these apps have been promoted on Uyghur-speaking Telegram channels. The apps are distributing this malware, with new modules for updated surveillance capabilities.
- Moonshine steals data related to network activity, IP address, and hardware information from compromised devices.
- Further, the malware contains C2 commands for call and microphone recording, contact data collection, device location, camera control, and collecting WeChat data from the backend wcdb database files.
Attribution
An analysis of both campaigns suggested these are part of China’s long-running attacks against Uyghur population.
- The exposed admin panels and the GPS coordinates of test devices in the C2 infrastructure of BadBazaar point toward connections to the Chinese defense contractor Xi'an Tian He Defense Technology.
- Moreover, the researchers identified that BadBazaar is sharing infrastructure with the DoubleAgent family, and both are possibly operated by the same actor.
Conclusion
Despite growing international pressure, Chinese cybercriminals operating on behalf of the Chinese state continue to launch surveillance campaigns targeting Uyghur and Muslim communities in the country. Users need to be wary of any apps distributed through social media and avoid downloading apps from third-party app stores.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/df6e_shutterstock_1090003628.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/0b76_shutterstock_2153555469.jpg)
