Rewterz Threat Update – EvilBamboo Spyware Targets Tibetans, Taiwanese, and Uyghurs

Severity

High

Analysis Summary

EvilBamboo, a threat actor codenamed, has been orchestrating a persistent campaign to gather sensitive information, targeting individuals and organizations from Tibet, Uyghur, and Taiwan.

“The attacker has created fake Tibetan websites, along with social media profiles, likely used to deploy browser-based exploits against targeted users,” said the security researchers. “Partly through impersonating existing popular communities, the attacker has built communities on online platforms, such as Telegram, to aid in distribution of their malware.”

EvilBamboo (aka Evil Eye, Earth Empusa and POISON CARP) has been involved in multiple cyberattacks since 2019, mainly using water hole attacks to spread spyware on Android and iOS devices. The group has been involved in exploiting a zero-day flaw in Apple WebKit to deliver a spyware called Insomnia, as well as spreading Android malware like PluginPhantom and ActionSpy.

The latest linked malwares to EvilBamboo are three new Android espionage tools called BADBAZAAR, BADSOLAR, and BADSIGNAL. These malwares are distributed using attack chains that utilize APK sharing forums, fake profiles on social media, bogus websites, and Telegram channels that share Android apps.

The researchers added further, “The Telegram variants implement the same API endpoints as the Signal variants to gather information from the device and they implement a proxy.”

One of the Telegram channels has a link to an iOS application called TibetOne but it is not available on Apple App Store anymore. These Telegram groups have been used to distribute apps containing the backdoor of the BADSOLAR malware and malicious links that run JavaScript to fingerprint the system.

BADBAZAAR, on the other hand, is mainly used to target Uyghur and other Muslim individuals. Meanwhile, BADSOLAR is primarily targeting Tibetans. Both strains have their malicious capabilities in the form of a second stage received from a remote server. BADSOLAR uses an open-source Android remote access trojan called AndroRAT, while BADSIGNAL has all of its information stealing capabilities within the main package.

The main aspect of EvilBamboo’s operations is creating fake websites tailored to the specific groups they target. The campaign relies a lot on the victims installing backdoored apps, that’s why it is always recommended to install apps only from the trusted sources and official websites. 

Impact

• Espionage
• Sensitive Information Theft

Remediation

• Regularly update mobile operating systems (iOS and Android) to the latest versions to patch known vulnerabilities.
• Only download apps from official app stores (Google Play Store and Apple App Store) and avoid third-party app sources.
• Review the permissions an app requests during installation. If an app asks for excessive permissions that are unrelated to its functionality, consider it a red flag.
• Never trust or open links and attachments received from unknown sources/senders.
• Encourage individuals to report any suspicious activities, emails, or messages to relevant authorities, organizations, or cybersecurity experts.
• Verify the authenticity of websites, social media profiles, and apps before providing personal information or engaging with them.
• Implement strong, multi-factor authentication (MFA) for email accounts, social media profiles, and other sensitive online services.
• Keep all software and operating systems up to date with the latest security patches to minimize vulnerabilities.
• Employ robust network security measures, including firewalls and intrusion detection systems, to detect and block malicious network traffic.
• Develop and maintain an incident response plan that outlines steps to take in case of a security breach. Ensure that individuals and organizations know how to respond effectively.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle..
• Keep your device’s operating system and apps up-to-date.
• Refrain from downloading apps from unofficial sources or third-party app stores. These sources are less regulated and more prone to hosting malicious apps.
• Enable strong authentication methods, such as two-factor authentication (2FA), for your accounts whenever possible.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using a multi-layered protection is necessary to secure vulnerable assets.