At a glance.
- Chinese influence operation targets the BBC.
- Triada Trojan distributed via WhatsApp mod.
- Konni RAT targets Russian organizations.
- Bahraini activists compromised by Pegasus.
Chinese influence operation targets the BBC.
Recorded Future has observed a "large-scale, likely state-sponsored influence operation" against the UK, and the BBC in particular. The campaign pushes the Chinese government's line that the BBC applies a "gloom filter" to photos of China in an attempt to portray the country as gray and dreary:
"The campaign involves hundreds of websites and social media accounts and thousands of comments across state-affiliated news sources, fake news websites, and Chinese and Western social media platforms. China’s state-affiliated media and Communist Party of China (CCP) officials have recently increased their criticism of the UK and the BBC in response to a recent BBC report revealing that Beijing’s top propaganda outlets are incentivizing foreigners, called 'stringers,' to create pro-China social media influence. To counter the BBC’s allegations, these propaganda accounts have taken to social media to criticize BBC’s journalistic integrity, accusing them of using an 'underworld filter' or 'gloom filter' (阴间滤镜) on photos and video of China to make the country look lifeless, dull, and sad to foreign audiences. The BBC adamantly denies these accusations."
"There have been over 11,000 references of the Mandarin-language term for 'gloom filter' across open sources in the past 6 months, with over half of them occurring in the last 30 days. English-language mentions of 'BBC underworld filter' have also spiked over the past several weeks, totaling over 56,300 in 6 weeks. Since the 'stringers' have started spreading Chinese propaganda, English-language references to the “gloom filter” have increased dramatically."
Triada Trojan distributed via WhatsApp mod.
Researchers at Kaspersky warn that the Triada Android Trojan is being distributed via an unofficial WhatsApp mod dubbed "FMWhatsapp 16.80.0." The researchers note that users grant the modded app permission to read their SMS messages, a permission the Trojan and the modules it loads inherit, which lets it read SMS-delivered confirmation codes and so bypass SMS-based multifactor authentication:
"It’s worth highlighting that FMWhatsapp users grant the app permission to read their SMS messages, which means that the Trojan and all the further malicious modules it loads also gain access to them. This allows attackers to automatically sign the victim up for premium subscriptions, even if a confirmation code is required to complete the process.
"We don’t recommend using unofficial modifications of apps, especially WhatsApp mods. You may well end up with an unwanted paid subscription, or even [lose] control of your account altogether, which attackers can hijack to use for their own purposes, such as spreading spam sent in your name."
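The risk in the Kaspersky report comes from the permission grant rather than from any single malicious module: whatever the host app is allowed to read, its loaded code can read too. The following added example (not code from Kaspersky or from this page) shows the kind of pre-install check an app-vetting or MDM pipeline can run on a decoded AndroidManifest.xml to flag apps that request SMS access. The manifest below is constructed for the example; real APKs carry a binary manifest that must first be decoded with a tool such as apktool, and the package name and permission set treated as high-risk are assumptions.

```python
import xml.etree.ElementTree as ET

# Android's XML namespace; manifest attributes such as android:name live here.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that expose SMS-delivered confirmation codes to the app and to
# any code it loads at runtime (assumed high-risk set for this example).
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECEIVE_MMS",
}

# Constructed sample of a decoded manifest from a sideloaded messenger mod.
# It is not the manifest of FMWhatsapp or of any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.modded.messenger">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every permission name declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def package_name(manifest_xml):
    """Return the package attribute of the <manifest> root element."""
    return ET.fromstring(manifest_xml).get("package")


def sms_exposure(manifest_xml):
    """Return the sorted subset of requested permissions that grant SMS access."""
    return sorted(set(requested_permissions(manifest_xml)) & SMS_PERMISSIONS)


def assess(manifest_xml, allowed_packages=frozenset()):
    """Classify a manifest for an app-vetting decision.

    An app is flagged when it requests SMS permissions and its package name is
    not on the organisation's allow-list; the allow-list is supplied by the
    caller and is an assumption of this example.
    """
    pkg = package_name(manifest_xml)
    exposed = sms_exposure(manifest_xml)
    flagged = bool(exposed) and pkg not in allowed_packages
    return {
        "package": pkg,
        "sms_permissions": exposed,
        "flagged": flagged,
    }


if __name__ == "__main__":
    verdict = assess(SAMPLE_MANIFEST, allowed_packages={"com.example.corp.messenger"})
    status = "FLAG" if verdict["flagged"] else "ok"
    print("%s %s requests %s" % (status, verdict["package"], verdict["sms_permissions"]))
```

The check is deliberately coarse: it does not decide whether an app is malicious, only whether installing it would hand SMS-based one-time codes to code the organisation has not reviewed, which is exactly the exposure the Kaspersky write-up describes. Pairing it with a package-name allow-list catches the "mod" pattern, where a familiar-looking app ships under an unofficial package identifier.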
Konni RAT targets Russian organizations.
Researchers at Malwarebytes describe a spearphishing campaign that's using a new variant of the Konni RAT against Russian targets. Konni is "potentially linked" to North Korea's APT37. The campaign uses Word documents with malicious macros to deliver the malware:
"We found two lures used by Konni APT. The first document 'Economic relations.doc' contains a 12 page article that seems to have been published in 2010 with the title: 'The regional economic contacts of Far East Russia with Korean States (2010s).' The second document is the outline of a meeting happening in Russia in 2021: '23th meeting of the intergovernmental Russian-Mongolian commission on Trade, Economic, scientific and technical operation.'"
Bahraini activists compromised by Pegasus.
Researchers at the University of Toronto's Citizen Lab say that nine Bahraini activists had their iPhones compromised by NSO Group's Pegasus spyware. The researchers say four of the victims were hacked by "a Pegasus operator that we attribute with high confidence to the government of Bahrain." They also observe, "Two of the hacked activists now reside in London, and at least one was in London when they were hacked. In our research, we have only ever seen the Bahrain government spying in Bahrain and Qatar; never in Europe. Thus, the Bahraini activist in London may have been hacked by a Pegasus operator associated with a different government."