At a glance.
- New Android malware targets Uyghurs.
- Fangxiao phishing threat actor.
- Billbug compromises Asian government agencies.
New Android malware targets Uyghurs.
Researchers at Lookout describe two espionage campaigns targeting the primarily Muslim Uyghur community in China and around the world. The campaigns have also targeted some Muslim-majority countries, including Afghanistan and Turkey. One of the surveillance campaigns involves a new strain of Android malware dubbed "BadBazaar." The other campaign uses the MOONSHINE malware, which has previously been used to target Tibetan activists:
"BadBazaar and these new variants of MOONSHINE add to the already extensive collection of unique surveillanceware used in campaigns to surveil and subsequently detain individuals in China. Their continued development and their prevalence on Uyghur-language social media platforms indicate these campaigns are ongoing and that the threat actors have successfully infiltrated online Uyghur communities to distribute their malware."
Fangxiao phishing threat actor.
Researchers at Cyjax are tracking "a sophisticated, large-scale phishing campaign that exploits the reputation of international, trusted brands" to target "businesses in multiple verticals including retail, banking, travel, and energy." The researchers have named the financially motivated threat actor behind this campaign "Fangxiao," assessing with high confidence that the gang is based in China.
Fangxiao distributes phishing links via WhatsApp messages. The phishing links lead to a wide variety of destinations, including scam sites that offer phony gift cards or entice the victim into downloading malware. The phishing links also redirect the user through several advertising sites, which further generates revenue for the threat actor.
"[W]e have identified activity dating back to 2017 over more than 42,000 domains, allowing us to observe its development," the researchers write. "Fangxiao has also exploited anxieties about world events, with some of their sites impersonating COVID-19 relief funds or posting as recruitment campaigns for deprived countries. Fangxiao uses various strategies to stay anonymous: for example, most of their infrastructure is protected behind CloudFlare, and they rapidly change domain names. On one day in October 2022 alone, the group used over 300 new unique domains."
Added, 9:15 PM, November 18th, 2022.
SafeGuard Cyber Vice President of Worldwide Solution Engineers Steven Spadaccini commented that the Fangxiao case shows threat actors are no longer confined, as they once were, to traditional communication channels:
“This attack highlights how attackers have now moved away from traditional communication channels and will target messaging apps as users do not have adequate protection and visibility. We have observed several different channels, both social and corporate, that have C2 and ransomware types of attacks that have gone undetected globally. Phishing over Telegram and WhatsApp seems to be the most ‘active’ of all the platforms. The ultimate goal of the attackers is to infect the device with malware and steal data and credentials possibly to be used for account takeover. This is a massive campaign with the threat actors going to significant lengths to impersonate many businesses around the world – while the fake domains are significant, the focus should be on the number of users that are being targeted.”
Billbug compromises Asian government agencies.
Symantec has found that a Chinese state-sponsored threat actor compromised a digital certificate authority in an unnamed Asian country. The threat actor also compromised government and defense agencies in several Asian countries, with espionage as its likely goal.
The threat actor, which Symantec (a unit of Broadcom) tracks as “Billbug” (also known as Lotus Blossom or Thrip), likely targeted the certificate authority in order to sign its malware files, although it’s not clear if Billbug was able to steal any certificates:
“The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines. It could also potentially use compromised certificates to intercept HTTPS traffic. However, although this is a possible motivation for targeting a certificate authority, Symantec has seen no evidence to suggest they were successful in compromising digital certificates. Symantec has notified the cert authority in question to inform them of this activity.”