Monday, October 7, 2024
HomeAndroidEvilBamboo Attacking Android & iOS Devices With Custom Malware

EvilBamboo Attacking Android & iOS Devices With Custom Malware

Published on

EvilBamboo, formerly known as “Evil Eye,” has been found to target Tibetan, Uyghur, and Taiwanese organizations and individuals. This threat actor was mentioned as conducting custom Android malware campaigns in September 2019.

In April 2020, EvilBamboo was discovered to be attacking iOS devices with a Safari exploit for infecting custom iOS malware to Uyghur users. However, recent reports suggest that this threat actor has been targeting Android users with fake websites and fake social media profiles that impersonate existing popular communities.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

- Advertisement - EHA

A Tale of Three BAD Brothers

Further analysis revealed that EvilBamboo has been using at least three malware families: BADBAZAAR, BADSIGNAL, and BADSOLAR. All of this malware has a backdoor embedded inside a legitimate application.

CapabilityBADSOLARBADBAZAARBADSIGNAL
Deployed in two stagesXX
AndroRAT function namesX
Interacts with host app to exfiltrate dataX
Real-time SMS stealingX
GetOperatorName() and DeviceInfo() functionsXXX
SSL PinningX
C2 via RAW socketXX
C2 Via HTTP Rest APIX
Shared via TelegramXX
Has dedicated websiteXX
Suspected iOS variantX
Observed targetingTibetansUyghurs, Taiwanese, Tibetans & beyondUyghurs
Distinguishing malware families and capabilities (Source: Volexity)

These applications were distributed among users with supporting Telegram groups. These groups are often themed for a specific application, but at other times, they are kept around a category of applications. 

BADBAZAAR

This malware was distributed through multiple threads on a Taiwanese APK sharing forum apk[.]tw and had over 100,000 views.

The thread also claimed to be sharing a cracked, legitimate  Whoscall Android application used for identifying spam calls and messages. The post also included a link that is updated every time the app is released with a new version of the APK.

Taiwanese thread (Source: Volexity)

BADBAZAAR is capable of storing SMS on the terminal, getting call logs, taking photos, and gathering information about the device such as IMEI, timezone, Wi-Fi details, installed apps, contact lists, and location of the device.

BADSOLAR

This malware was distributed via “Tibetanphone” Telegram group, which also shared a link to ignitetibet[.]net. The request to this URL on port 9001 with jquery.min.js loads an obfuscated profiling script coined as JMASK. 

This malware is backdoored into another legitimate Android application with a C2 address as comeflxyr[.]com used for downloading a JAR file and a second-stage implant AndroRAT. Multiple method names were used in this malware, which had different functions.

FunctionDescription
AdvancedSystemInfoGet information on the terminal, such as battery details and device temperature.
CallLogListerGet the call history with the date, duration, and name associated with the caller.
ContactsListerGets contact information.
DeviceInfoGet device information, such as the MAC, operator, vendor, model, IMEI, IMSI, time zone, etc.
DirListerList the files on the device.
FileDownloaderUpload a file to the C2 server.
GetDeviceInfosGet the IMEI, SIM serial number, and phone number of the device.
GPSListenerGet the location.
PhotoTakerTake a picture.
SMSListerGet stored SMS messages.
UDPThreadCommunicate with UDP (port 137).
WifiUtilsGet the Wi-Fi details, such as the IP, SSID, BSSID, MAC, and DNS servers. The malware is also able to list the APR table by using ip neigh show.
SystemInfoExecute most of the functions listed in this table.
Different functions inside the malware (Source: Volexity)

BADSIGNAL

This is a backdoored version of the legitimate Signal app, which was distributed using the www.signalplus[.]org, www.flygram[.]org, and www.groupgram[.]org websites. This malware had two variants: the Telegram variant and the Signal variant. 

Signal One website (Source: Volexity)

On investigation further, several API endpoints configured by the threat actor revealed that they had an iOS version.

This malware does not download a second-stage payload as the main APK has all the capabilities. It was also discovered that this malware uses REST API on port 4432 as part of its C2 communication.

A complete report about this malware was published by Volexity that provides detailed information about the source code, distribution, and other information. 

Managed endpoint solutions enable organizations to scan for threats manage, resolve, and prevent data breaches. Try for Free Today!

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Hybrid Analysis Utilizes Criminal IP’s Robust Domain Data for Better Malware Detection

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA,...

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

The researcher investigated the potential security risks associated with debugging dump files in Visual...

Cacti Network Monitoring Tool Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been identified in the Cacti network monitoring tool that...

Microsoft & DOJ Dismantles Hundreds of Websites Used by Russian Hackers

Microsoft and the U.S. Department of Justice (DOJ) have disrupted the operations of Star...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hybrid Analysis Utilizes Criminal IP’s Robust Domain Data for Better Malware Detection

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA,...

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

The researcher investigated the potential security risks associated with debugging dump files in Visual...

Cacti Network Monitoring Tool Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been identified in the Cacti network monitoring tool that...