Full Report
In a joint advisory with Western allies, the National Cyber Security Centre sounded the alarm about variants of BADBAZAAR and MOONSHINE. The post BadBazaar and Moonshine malware targets Taiwanese, Tibetan and Uyghur groups, U.K. warns appeared first on CyberScoop.
Analysis Summary
# Threat Actor: BADBAZAAR and MOONSHINE Operators (Attributed to Chinese Government)
## Attribution & Identity
**Attribution:** Cybersecurity researchers and a joint advisory from Western allies (the UK's NCSC, the US FBI and NSA, and agencies from Australia, Canada, Germany, and New Zealand) link this spyware activity to the Chinese government.
**Known Aliases and Associated Groups:** The malware families in use are BADBAZAAR and MOONSHINE; the advisory names no separate actor alias.
## Activity Summary
The operators are actively using variants of BADBAZAAR and MOONSHINE against political and ethnic groups. The NCSC issued a joint alert about these two spyware families. The activity involves trojanizing legitimate-looking applications relevant to the target communities, which have been found even in official app stores.
## Tactics, Techniques & Procedures
- **Infection Mechanism:** Spreading malware by trojanizing legitimate apps of interest to the target communities (e.g., a Uyghur language Quran app).
- **Distribution:** Malware has been observed in official app stores and through social media platforms.
- **MOONSHINE Distribution:** Specifically noted to be shared via Telegram channels and links sent via WhatsApp.
- **Evasion:** MOONSHINE samples request only permissions that fit the host app's advertised functionality, so the requests look legitimate, but the malware uses those permissions for covert data collection.
- **Data Exfiltration/Capabilities:** The tools can access and exfiltrate location data, messages, and photos, and can activate the device microphone and camera.
- **Historical Activity:** MOONSHINE has been active since at least 2019 (identified targeting Tibetan groups via malicious links in WhatsApp exchanges). BADBAZAAR has drawn attention since at least 2022.
## Targeting
- **Sectors/Groups:** Groups focused on Taiwanese independence, Tibetan rights, Uyghur Muslims, democracy advocacy, and Falun Gong.
- **Geography:** Targeting individuals/groups associated with Taiwan, Tibet, and the Uyghur population.
- **Victims:** Specific organizations are not named, but the victims are defined by their association with these specific political or ethnic communities.
## Tools & Infrastructure
- **Malware Families Used:**
  - BADBAZAAR (mobile malware with iOS and Android variants)
  - MOONSHINE (Android-only spyware)
- **Infrastructure/Distribution (Observed):** Telegram channels, WhatsApp messaging (for links), and official app stores.
## Implications
This activity represents targeted cyber espionage aimed at surveilling individuals the Chinese state views as political opponents or persons of interest. The use of seemingly legitimate apps within app stores and trusted communication channels (such as WhatsApp) indicates infection vectors designed to bypass the ordinary security awareness of these at-risk communities. The advisory states explicitly that the collected data is of value to the Chinese state.
## Mitigations
- **Source Verification:** Exercise extreme caution when installing apps, even from official sources, if they are related to sensitive political activism or community topics.
- **Communication Security:** Be wary of unsolicited links or attachments received via messaging apps like WhatsApp, particularly if originating from unexpected contacts or posing as journalists/known figures.
- **Mobile Security:** Implement strong Mobile Device Management (MDM) or endpoint security solutions capable of monitoring for suspicious permission usage or unauthorized hardware access (mic/camera).
- **General Security Awareness:** Targeted users should be aware that their communications and location data are likely being targeted for collection.
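As an added example for the "Mobile Security" mitigation above (not code from the advisory or from any of the agencies behind it), the following script audits which installed Android apps currently hold the permission grants that map to the capabilities described above (microphone, camera, location, messages). It parses text in the shape of `adb shell dumpsys package` output; the package names and the excerpt itself are constructed for illustration, and the list of sensitive permissions is this example's own choice.

```python
import re
# Grants worth reviewing given the capabilities the advisory attributes to
# BADBAZAAR and MOONSHINE: location, messages, photos, microphone and camera.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
}
PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")
# Constructed excerpt (not a real device capture) in the shape of
# `adb shell dumpsys package` output, showing per-package permission grants.
SAMPLE_DUMPSYS = """\
Packages:
  Package [org.example.dictionary] (a1b2c3):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
  Package [org.example.notes] (d4e5f6):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""

def parse_granted_permissions(dumpsys_text: str) -> dict[str, set[str]]:
    """Map each package to the permissions currently granted to it."""
    granted: dict[str, set[str]] = {}
    current = None
    for line in dumpsys_text.splitlines():
        pkg = PACKAGE_RE.match(line)
        if pkg:
            current = pkg.group(1)
            granted.setdefault(current, set())
            continue
        grant = GRANT_RE.match(line)
        if grant and current and grant.group(2) == "true":
            granted[current].add(grant.group(1))  # only granted=true counts
    return granted

def flag_sensitive_grants(dumpsys_text: str) -> dict[str, list[str]]:
    """Packages holding at least one granted sensitive permission, for review."""
    grants = parse_granted_permissions(dumpsys_text)
    return {pkg: sorted(p & SENSITIVE_PERMISSIONS)
            for pkg, p in grants.items() if p & SENSITIVE_PERMISSIONS}
```

A flagged app is a review item, not a verdict: a dictionary app with a granted microphone and precise-location permission is exactly the profile the advisory describes, and the next step is checking whether those grants are plausible for the app's stated function.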