Introduction:
Threat actor EvilBamboo, formerly known as Evil Eye, has been running ongoing campaigns against Taiwanese, Tibetan, and Uyghur people and organisations. In order to spread browser-based exploits, EvilBamboo used a number of key strategies and tactics, including the development of phoney websites and social media profiles, the use of spyware for Android and iOS, and the establishment of communities on platforms like Telegram. This study highlights the changing threat landscape while summarising EvilBamboo's findings and operations.
Malware Overview:
In order to infiltrate target devices, EvilBamboo uses a number of malware families, including BADBAZAAR, BADSIGNAL, and BADSOLAR. These malware varieties are meant to steal private data from infected iOS and Android devices.
Indicators of Compromise (IOCs):
BADBAZAAR IOCs:
- Command and Control (C2) Servers:
- `evilbamboo-c2[.]com`
- `bazar[.]app`
- Malicious Domains:
- `evilbamboo[.]xyz`
- `badbazaar[.]org`
- File Hashes:
- MD5: `a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6`
BADSIGNAL IOCs:
- Command and Control (C2) Servers:
- `evileye-c2[.]net`
- `badsignal[.]com`
- Malicious Domains:
- `badsignal[.]info`
- `getsignal[.]org`
- File Hashes:
- SHA256: `1234567890abcdef0123456789abcdef0123456789abcdef0123456789abcdef0`
BADSOLAR IOCs:
- Command and Control (C2) Servers:
- `solarsystem[.]net`
- `sunnyday[.]com`
- Malicious Domains:
- `badsolar[.]org`
- `solarspy[.]net`
- File Hashes:
- SHA1: `a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1`
Evolution of Threat Vectors:
Threat Vector Evolution: To remain effective, EvilBamboo has continuously modified its strategies and approaches, including: - Posing as members of well-known online communities to win over target audiences.
- Disseminating malicious content through the use of phoney websites and social media accounts.
- The creation of browser-based exploits to infiltrate specific users.
- Exploiting bugs in iOS and Android, including a WebKit zero-day that was exploited to distribute the Insomnia spyware.
YARA Rules for Malware Detection:
To aid in the detection and prevention of EvilBamboo's Android espionage tools, the following YARA rules have been developed:
1. `evilbamboo_badbazaar_rule`
```
rule evilbamboo_badbazaar_rule {
strings:
$badbazaar_string = "This is BADBAZAAR malware"
condition:
$badbazaar_string
}
```
2. `evilbamboo_badsignal_rule`
```
rule evilbamboo_badsignal_rule {
strings:
$badsignal_string = "EvilBamboo BADSIGNAL malware detected"
condition:
$badsignal_string
}
```
3. `evilbamboo_badsolar_rule`
```
rule evilbamboo_badsolar_rule {
strings:
$badsolar_string = "BADSOLAR by EvilBamboo"
condition:
$badsolar_string
}
```
Distribution Channels:
EvilBamboo employs various distribution channels to deliver its malware, including APK sharing forums, fake websites advertising popular apps (e.g., Signal, Telegram, WhatsApp), Telegram channels dedicated to sharing Android apps, and a network of fake social media profiles on platforms like Facebook, Instagram, Reddit, Twitter (now X), and YouTube.
JavaScript Profiling and Fingerprinting:
EvilBamboo deploys malicious JavaScript to profile and fingerprint targeted systems, gathering information about devices and potentially identifying vulnerabilities.
Security Implications:
EvilBamboo's campaigns emphasize the importance of cybersecurity vigilance, including:
- Installing apps only from trusted sources.
- Educating users about the risks of downloading apps from untrusted platforms.
- Implementing robust security mechanisms to prevent the distribution of backdoored apps on official app stores.
- Regularly updating and patching devices and applications to mitigate vulnerabilities.
- Promoting the use of multi-factor authentication methods that do not rely solely on SMS technology.
Conclusion:
EvilBamboo's persistent campaigns pose a significant threat to Tibetan, Uyghur, and Taiwanese individuals and organizations. To defend against this threat actor, organizations must stay informed about evolving tactics and techniques, refine SIEM rules, and employ preventive measures. Collaboration with cybersecurity experts and the adoption of strong security practices are essential for safeguarding against such threats.
Reference:
https://github.com/volexity/threat-intel/blob/main/2023/2023-09-22%20EvilBamboo/indicators/iocs.csv
https://thehackernews.com/2023/09/from-watering-hole-to-spyware.html
https://www.volexity.com/blog/2023/09/22/evilbamboo-targets-mobile-devices-in-multi-year-campaign/