From Watering Hole to Spyware: EvilBamboo Targets Tibetans, Uyghurs, and Taiwanese

Tibetan, Uyghur, and Taiwanese individuals and organizations are the targets of a persistent campaign orchestrated by a threat actor codenamed EvilBamboo to gather sensitive information.

“The attacker has created fake Tibetan websites, along with social media profiles, likely used to deploy browser-based exploits against targeted users,” Volexity security researchers Callum Roxan, Paul Rascagneres, and Thomas Lancaster said in a report published last week.

“Partly through impersonating existing popular communities, the attacker has built communities on online platforms, such as Telegram, to aid in distribution of their malware.”

EvilBamboo, formerly tracked by the cybersecurity firm under the name Evil Eye, has been linked to multiple attack waves since at least 2019, with the threat actor leveraging watering hole attacks to deliver spyware targeting Android and iOS devices. It’s also known as Earth Empusa and POISON CARP.

The intrusions directed against the Apple mobile operating system leveraged a then-zero-day vulnerability in the WebKit browser engine that was patched by Apple in early 2019 to deliver a spyware strain called Insomnia. Meta, in March 2021, said it detected the threat actor abusing its platforms to distribute malicious websites hosting the malware.

The group is also known to use Android malware such as ActionSpy and PluginPhantom to harvest valuable data from compromised devices under the guise of dictionary, keyboard, and prayer apps made available on third-party app stores.

The latest findings from Volexity attribute to EvilBamboo three new Android espionage tools, namely BADBAZAAR, BADSIGNAL, and BADSOLAR, the first of which was documented by Lookout in November 2022.

A subsequent report from ESET last month detailed two trojanized apps masquerading as Signal and Telegram on the Google Play Store to entice users into installing BADSIGNAL. While the Slovak cybersecurity firm assigned the counterfeit apps to the BADBAZAAR family, citing code similarities, Volexity said, “they also appear to be divergent in their development and functionality.”

Attack chains used to distribute the malware families entail the use of APK sharing forums, fake websites advertising Signal, Telegram, and WhatsApp, Telegram channels devoted to sharing Android apps, and a set of bogus profiles on Facebook, Instagram, Reddit, X (formerly Twitter), and YouTube.

“The Telegram variants implement the same API endpoints as the Signal variants to gather information from the device and they implement a proxy,” the researchers said, adding it identified endpoints indicating the existence of an iOS version of BADSIGNAL.

One of the Telegram channels is also said to have contained a link to an iOS application named TibetOne that’s no longer available in the Apple App Store.

Messages shared via the Telegram groups have also been used to distribute applications backdoored with the BADSOLAR malware as well as booby-trapped links that, when visited, run malicious JavaScript to profile and fingerprint the system.

While BADBAZAAR is mainly used to target Uyghur and other individuals of the Muslim faith, BADSOLAR appears to be used primarily with apps that are Tibetan-themed. However, both strains incorporate their malicious capabilities in the form of a second stage that’s retrieved from a remote server.

BADSOLAR’s second-stage malware is also a fork of an open-source Android remote access trojan called AndroRAT. BADSIGNAL, in contrast, packs all of its information-gathering functions in the main package itself.

“These campaigns largely rely on users installing backdoored apps, which highlights both the importance of only installing apps from trusted authors and the lack of effective security mechanisms to stop backdoored apps making their way on to official app stores,” the researchers said.

“EvilBamboo’s creation of fake websites, and the personas tailored to the specific groups they target, has been a key aspect of their operations, enabling them to build trusted communities that provide further avenues to target individuals with their spyware or for other exploitation.”