Long-Term Surveillance Campaign Targeting Uyghurs Using BadBazaar and Moonshine Spyware

Lookout researchers uncovered two long-term surveillance campaigns targeting the Uyghur minority.

Researchers at mobile security firm Lookout have uncovered two ongoing surveillance campaigns targeting the Uyghur minority. The threat actors behind these campaigns use two Android spyware families to spy on victims and steal sensitive information.

The campaigns involve a new malware family called BadBazaar and a new variant of the MOONSHINE surveillance software, which Citizen Lab discovered in 2019 when it was used in attacks on Tibetan activists.

The investigation into BadBazaar activity began in late 2021, based on reports from @MalwareHunterTeam referencing a malicious English-Uyghur dictionary app.

The malicious app has been linked to surveillance campaigns targeting Uyghurs and other Turkic minorities in China and abroad. Researchers attribute these activities to the China-linked APT15 cyber-espionage group (aka Nickel, Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon).

APT15, which has been active since at least 2010, has conducted cyberespionage against targets in multiple industries around the world, including defense, high-tech, energy, government, aerospace, and manufacturing. Over the years, the group has demonstrated increasing sophistication, using custom malware and a variety of exploits in its attacks.

In the BadBazaar campaign, which dates back to late 2018, researchers collected 111 unique samples masquerading as innocuous apps, such as radio apps, messaging apps, dictionaries, religious apps, and even TikTok.

“Overlapping infrastructure and TTPs suggest that these campaigns are related to APT15, a Chinese-backed hacking group also known as VIXEN PANDA and NICKEL. We named this malware family BadBazaar in response to an early variant, called ‘APK Bazar’, that took the form of a third-party app store. Bazar is a lesser-known spelling of Bazaar,” reads the report published by Lookout.

“Lookout has obtained 111 unique samples of BadBazaar surveillance software since the end of 2018. In the second half of 2022, more than 70% of these applications were found in Uyghur-language communication channels.”

Lookout researchers also discovered a benign app on the Apple App Store that communicates with the same C2 infrastructure used by the Android BadBazaar variant. The iOS application shares the name “Uyghur Lughat” and icon with the Android app, but only collects basic iPhone device information.

The discovery of the iOS app suggests that the threat actors may be planning to update their malware to develop an iOS version that includes surveillance capabilities.

The BadBazaar Android spyware is capable of collecting a wide range of information, including:

  • Location (latitude and longitude)
  • List of installed packages
  • Call logs and geocoded locations associated with calls
  • Contact information
  • Android apps installed
  • SMS messages
  • Extensive device information, including model, language, IMEI, IMSI, ICCID (SIM serial number), phone number, time zone and the centralized registry of user online accounts
  • Wi-Fi info (connected or not; if connected: IP, SSID, BSSID, MAC, netmask, gateway, DNS1, DNS2)
  • Call recordings
  • Photos
  • Data and database files in the Trojanized application’s SharedPreferences directory
  • A list of files on the device ending with .ppt, .pptx, .docx, .xls, .xlsx, .doc, or .pdf
  • Dynamically specified folders of interest from the C2 servers, including images and screenshots from webcams, and Telegram, WhatsApp, GBWhatsApp, TalkBox and Zello attachments, logs and chats
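Almost every category in that list requires a corresponding Android permission before the platform will hand the data to an app, which makes the declared permissions of a sideloaded "dictionary" or "prayer" app a cheap first triage signal. The script below is an added example written for this article, not code from Lookout or from the article itself: it maps the collection categories above to the Android permissions that grant them (the permission constants are real Android identifiers; the category mapping, the per-app-category baseline and the threshold are assumptions of this example) and scores two constructed manifests, one mimicking an over-privileged dictionary app and one benign. It generalizes beyond the article by working for any app category whose expected permission set you supply.

```python
"""Permission-based triage for sideloaded Android apps (constructed example)."""
import xml.etree.ElementTree as ET

# ElementTree exposes namespaced attributes as {uri}local, so build the key once.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Collection category (from the article's list) -> Android permissions that
# grant that data. Assumed mapping for this example; the permission names
# themselves are real Android constants.
CAPABILITY_PERMISSIONS = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "device_identifiers": {"android.permission.READ_PHONE_STATE"},
    "online_accounts": {"android.permission.GET_ACCOUNTS"},
    "wifi_info": {"android.permission.ACCESS_WIFI_STATE"},
    "call_recording": {"android.permission.RECORD_AUDIO"},
    "photos": {"android.permission.CAMERA"},
    "file_harvesting": {"android.permission.READ_EXTERNAL_STORAGE",
                        "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "installed_packages": {"android.permission.QUERY_ALL_PACKAGES"},
}

# Baseline a plain offline-capable dictionary app plausibly needs (assumption).
EXPECTED_FOR_DICTIONARY = {"android.permission.INTERNET",
                           "android.permission.ACCESS_NETWORK_STATE"}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def matched_capabilities(perms):
    """Collection categories the declared permissions would enable, sorted."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)


def triage(manifest_xml, expected=EXPECTED_FOR_DICTIONARY, threshold=3):
    """Score one manifest against the baseline for its app category.

    'suspicious' is set when the app could collect at least `threshold`
    of the spyware categories; the caller still has to review the result.
    """
    perms = declared_permissions(manifest_xml)
    caps = matched_capabilities(perms)
    return {
        "capabilities": caps,
        "unexpected_permissions": sorted(perms - expected),
        "suspicious": len(caps) >= threshold,
    }


# Constructed sample manifests; package names and labels are invented.
OVERPRIVILEGED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dictionary">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Dictionary"/>
</manifest>
"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dictionary.clean">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Dictionary"/>
</manifest>
"""

if __name__ == "__main__":
    for name, manifest in (("overprivileged", OVERPRIVILEGED_MANIFEST),
                           ("benign", BENIGN_MANIFEST)):
        print(name, triage(manifest))
```

Two caveats when using this as a triage step: several items on the list (the SharedPreferences directory of the Trojanized app, files the app can already reach, the C2-driven folder listing) need no dangerous permission at all, so a clean permission set does not clear an app; and the expected-permission baseline has to be chosen per app category, since a messaging app legitimately needs contacts and camera access. The heuristic ranks samples for analyst attention; attribution to a family still rests on code and infrastructure analysis.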

The researchers also discovered an ongoing campaign spreading the MOONSHINE spyware, and have obtained more than 50 malicious applications carrying it since July 2022. The malware is capable of stealing sensitive data, recording audio and downloading arbitrary files.

“The speed at which new samples are being deployed suggests that these campaigns are ongoing. Most of these samples are Trojanized versions of popular social media platforms, such as WhatsApp or Telegram, or Trojanized Muslim cultural apps, Uyghur tools, or prayer apps,” the report continues. “Our MOONSHINE samples were obtained from multiple Uyghur-language communication channels, some of which had hundreds of members.”

Experts found that all MOONSHINE samples were connected to administrator panels similar to those analyzed by Citizen Lab researchers in 2019.

The Lookout report indicates that Chinese threat actors continue to target Uyghur and Muslim mobile device users via Uyghur-language communication platforms.

“The broad distribution of BadBazaar and Moonshine and the speed at which new features are being introduced suggest that development of these families is ongoing and that there is an ongoing need for these tools,” the report concludes.


Pierluigi Paganini

(SecurityAffairs - hacking, Uyghurs)
