Lookout Discovers Surveillance Campaigns Targeting Uyghurs | Threat Intel

Lookout researchers analyzed BadBazaar, a mobile surveillanceware family attributed to APT15, describing an Android variant with broad data‑collection features and an iOS variant (masquerading as TibetOne) with more limited but still privacy‑invasive capabilities. The report details deployment methods, C2 infrastructure, data‑collection and exfiltration mechanisms, and infrastructure shared with other Uyghur‑targeting tooling. #BadBazaar #APT15

Keypoints

  • BadBazaar is attributed to Chinese-backed APT15 and exists in both Android (full-featured) and iOS (limited) variants.
  • The iOS sample (TibetOne) acts as a web wrapper for tibetone[.]org, requests location and add‑only photo permissions, and POSTs device data to endpoints on tryhrwserf[.]com:4432.
  • Android BadBazaar downloads payloads (update.jar) from C2 servers (often port 20121) and collects extensive data: location, call logs, contacts, SMS, installed apps, files (.docx/.pdf/.pptx), Wi‑Fi info, and can record calls/take photos.
  • MOONSHINE is a separate surveillance family that uses native library replacement and websocket C2 to load modular payloads (scotch.jar, bourbon.jar, etc.) and exfiltrate broad device data.
  • Both families use SSL pinning (certificates embedded in resources), ASP.NET/Windows hosting, unusual C2 ports (e.g., 4432/4332 for API and 56931 for RDP), and shared infrastructure linking multiple campaigns.
  • Distribution channels included trojanized apps, submissions to official app stores (some removed), and promotion via Telegram channels to reach Uyghur and other Muslim communities.

MITRE Techniques

  • [T1071.001] Web Protocols – Used for command-and-control and API calls: ‘The collected data is sent to https://tryhrwserf[.]com:4432/api/iosvalues with an HTTP POST request.’
  • [T1041] Exfiltration Over C2 Channel – Device information and location are transmitted to attacker-controlled endpoints: ‘BadBazaar iOS exfiltrates basic device information from the victim device.’
  • [T1105] Ingress Tool Transfer – Malware downloads payloads/updates from C2 into the app cache: ‘BadBazaar payload is read from the server into a file named “update.jar”.’
  • [T1204.002] User Execution: Malicious File – Trojanized apps distributed socially and through app stores rely on the victim installing them: ‘TibetOne related promotional messages were published to a Tibetan Telegram channel named “tibetanphone”.’

Indicators of Compromise

  • [Domain] C2 and delivery – tryhrwserf[.]com, tibetone[.]org (TibetOne web wrapper), signalplus[.]org (Android C2), and flygram[.]org.
  • [IP address] C2 hosting – 148[.]251[.]87[.]197 (tryhrwserf[.]com resolved to this address at time of analysis).
  • [Certificate SHA1] Embedded SSL certs – WIN-I6VBN8MR92A.cer (SHA1 FP: 55191348eb763dc853a719c0f3defdbe354127db), recent SSL thumbprint 87a3d3f9bb6c78a5e71cfdf9975ca6a083dd5ebc.
  • [File hashes] APK SHA1 samples – e.g. 8afe90ebb4666565891fcc33e12fad410996d4d1 and ac235440a738938c2218e2608ea229dd3584701b; the full report lists many additional APK SHA1s.

BadBazaar and related tooling (including MOONSHINE) operate through a combination of trojanized apps, web wrappers, and C2‑driven updates. The Android variants download payloads (commonly saved as update.jar) from C2 servers, often on port 20121, and load them to gain extensive surveillance capabilities: location, installed packages, call and SMS logs, contacts, files with .doc/.pdf/.pptx extensions, camera and call recording, and targeted folders such as messaging app data. The iOS TibetOne sample behaves primarily as a web‑view client for tibetone[.]org, requests location and add‑only photo permissions, uses OpenWeatherMap with a hardcoded API key to obtain location‑linked weather, and sends collected device attributes (device name and type, local IP, OS version, UDID, latitude and longitude) via HTTP POST to tryhrwserf[.]com:4432/api/iosvalues and /api/ioslogin. Both families implement SSL pinning with embedded certificate files to validate the C2, and the C2 backends run on Windows/ASP.NET with multiple open ports (API on 4432/4332, RDP on ports such as 56931), frequently sharing IPs and registrar metadata across samples.

MOONSHINE’s app-based variants load a native library (libout.so or libbourbon.so) which decrypts and extracts a secondary Java payload (scotch.jar) into a directory (app_sikhywis_ca55200e) and establishes websocket connections to an encrypted C2 channel. Its configuration is stored in a SharedPreferences XML file (e.g., 8B14B755-C161-4804-A62B-8776315E07CD.xml); the stored value is Base64‑decoded, AES‑decrypted and GZIP‑uncompressed to yield JSON with module lists and C2 details, after which further modules (bourbon.jar, icecube.jar, cpcom.jar, salt.jar) are retrieved and executed. The client computes a unique whisky_id and a “score” (a measure of how exposed the device is, derived from the permissions it has been granted) that the operator can use to decide which surveillance modules to enable, and communications are further obfuscated and encrypted before transmission.
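The decode chain above (SharedPreferences XML entry, then Base64, AES, GZIP, JSON) is the kind of routine an analyst writes to pull the C2 and module list out of a recovered device backup. The following Go program is an added example written for this page, not code from the Lookout report or from the malware. The report does not publish the AES key, mode or padding, so the program assumes AES-128-CBC with the IV prepended to the ciphertext and PKCS#7 padding under a fixed example key, and it assumes JSON field names `c2` and `modules`; the SharedPreferences file it parses is constructed in-program by running the same chain in reverse, and the C2 URL in it is invented.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/json"
	"encoding/xml"
	"errors"
	"fmt"
)

// Config holds what the report says the decoded JSON carries (module list, C2 details); field names are assumed.
type Config struct {
	C2      string   `json:"c2"`
	Modules []string `json:"modules"`
}

// sharedPrefs mirrors the Android SharedPreferences layout: <map><string name="k">v</string></map>
type sharedPrefs struct {
	Strings []struct {
		Name  string `xml:"name,attr"`
		Value string `xml:",chardata"`
	} `xml:"string"`
}

// Assumed cipher parameters (the report gives none): AES-128-CBC, IV prepended to the ciphertext, PKCS#7 padding.
var ExampleKey = []byte("0123456789abcdef")

// DecodeConfig runs the chain the report describes: Base64-decode, AES-decrypt,
// GZIP-uncompress, parse JSON. A wrong key is caught at the padding or gzip-header check.
func DecodeConfig(blob string, key []byte) (*Config, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("blob is not Base64 of an IV followed by whole AES blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS#7 padding (wrong key?)")
	}
	zr, err := gzip.NewReader(bytes.NewReader(pt[:len(pt)-n]))
	if err != nil {
		return nil, fmt.Errorf("gzip header: %w (wrong key?)", err)
	}
	var cfg Config
	if err := json.NewDecoder(zr).Decode(&cfg); err != nil {
		return nil, err
	}
	return &cfg, nil
}

// ExtractConfigBlob returns the named <string> entry of a SharedPreferences file.
func ExtractConfigBlob(xmlData []byte, name string) (string, error) {
	var sp sharedPrefs
	if err := xml.Unmarshal(xmlData, &sp); err != nil {
		return "", err
	}
	for _, s := range sp.Strings {
		if s.Name == name {
			return s.Value, nil
		}
	}
	return "", fmt.Errorf("no <string name=%q> entry", name)
}

// encodeConfig is the inverse chain; it exists only to build the constructed sample below.
func encodeConfig(cfg Config, key, iv []byte) string {
	var gz bytes.Buffer
	zw := gzip.NewWriter(&gz)
	json.NewEncoder(zw).Encode(cfg)
	zw.Close()
	pad := aes.BlockSize - gz.Len()%aes.BlockSize
	pt := append(gz.Bytes(), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), ct...))
}

// SampleSharedPrefs is a constructed file in the layout above; the C2 URL is invented.
var SampleSharedPrefs = []byte("<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n    <string name=\"cfg\">" +
	encodeConfig(Config{C2: "wss://c2.example.invalid/ws", Modules: []string{"scotch.jar", "bourbon.jar"}},
		ExampleKey, []byte("fixed-iv-16bytes")) + "</string>\n</map>\n")

func main() {
	blob, _ := ExtractConfigBlob(SampleSharedPrefs, "cfg") // the constructed sample always has "cfg"
	cfg, err := DecodeConfig(blob, ExampleKey)
	fmt.Println(cfg, err)
}
```

When the real key is recovered from the native library, replace `ExampleKey` and, if the sample uses a different mode or padding, the two lines that set up the decrypter and check the padding; the surrounding Base64, GZIP and XML handling stays the same. The padding and gzip-header checks are what make a wrong key fail loudly instead of producing garbage JSON.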

For detection and response, monitor HTTP POSTs and websocket connections to the listed domains and IPs, watch for downloads/writes of update.jar-like payloads in app cache directories, embedded certificate files inside APK resources (matching the reported SHA1s), unusual ports (4332/4432/20121/5556/56931), and SharedPreferences XML entries with encrypted configuration blobs. Investigate installs of suspicious Uyghur/Tibetan‑themed apps (e.g., TibetOne, Uyghur Lughat), Telegram channels promoting such apps, and trojanized versions of popular messaging or cultural apps that request location, photo, or broad permissions.
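To turn the indicators above into something that runs over traffic logs, here is an added Go example written for this page (not a Lookout tool). It refangs the published `[.]` notation, then flags connections to the listed domains (including subdomains), the listed IP, the reported API paths, and the reported ports. The log format is assumed and the five log lines are constructed for the example, not captured traffic; in particular, the pairing of the IP with port 20121 is illustrative, not an observation from the report.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Indicators as published in the report, kept in defanged form.
var (
	iocDomains = []string{"tryhrwserf[.]com", "tibetone[.]org", "signalplus[.]org", "flygram[.]org"}
	iocIPs     = []string{"148[.]251[.]87[.]197"}
	iocPorts   = map[string]bool{"4332": true, "4432": true, "20121": true, "5556": true, "56931": true}
	iocPaths   = []string{"/api/iosvalues", "/api/ioslogin"}
)

// Refang converts the defanged "[.]" notation back into a matchable host or IP.
func Refang(s string) string { return strings.ReplaceAll(s, "[.]", ".") }

// Hit records a matching log line and every reason it matched.
type Hit struct {
	Line    string
	Reasons []string
}

// MatchLine checks one line of an assumed proxy log format (constructed for this example):
//   <timestamp> <src_ip> <method> <dst_host>:<dst_port> <path>
// where method is GET, POST, CONNECT or WS (websocket upgrade).
func MatchLine(line string) (Hit, bool) {
	f := strings.Fields(line)
	if len(f) < 5 {
		return Hit{}, false
	}
	host, port, err := net.SplitHostPort(f[3])
	if err != nil {
		return Hit{}, false
	}
	host = strings.ToLower(host)
	var reasons []string
	for _, d := range iocDomains {
		if d = Refang(d); host == d || strings.HasSuffix(host, "."+d) {
			reasons = append(reasons, "C2 domain "+d)
		}
	}
	for _, ip := range iocIPs {
		if host == Refang(ip) {
			reasons = append(reasons, "C2 IP "+host)
		}
	}
	if iocPorts[port] {
		reasons = append(reasons, "reported C2 port "+port)
	}
	for _, p := range iocPaths {
		if f[4] == p {
			reasons = append(reasons, "API path "+p)
		}
	}
	if len(reasons) == 0 {
		return Hit{}, false
	}
	return Hit{Line: line, Reasons: reasons}, true
}

// Scan applies MatchLine to every line of a log.
func Scan(text string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		if h, ok := MatchLine(sc.Text()); ok {
			hits = append(hits, h)
		}
	}
	return hits
}

// SampleLog is constructed traffic, not captured data; lines 2 to 4 should fire.
const SampleLog = `2024-01-01T10:00:00Z 10.0.0.5 GET api.openweathermap.org:443 /data/2.5/weather
2024-01-01T10:00:01Z 10.0.0.5 POST tryhrwserf.com:4432 /api/iosvalues
2024-01-01T10:00:02Z 10.0.0.7 GET 148.251.87.197:20121 /dl
2024-01-01T10:00:03Z 10.0.0.7 WS cdn.signalplus.org:443 /socket
2024-01-01T10:00:04Z 10.0.0.9 GET www.example.com:443 /index.html`

func main() {
	for _, h := range Scan(SampleLog) {
		fmt.Printf("%s\n  -> %s\n", h.Line, strings.Join(h.Reasons, "; "))
	}
}
```

A domain, IP or API-path match is worth escalating on its own; a port-only match is a weak signal (other software uses these ports) and is best treated as a triage lead, which is why the matcher keeps every reason rather than collapsing them into a single boolean. The OpenWeatherMap line is there to show that the legitimate weather lookup the iOS sample performs does not fire by itself.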

Read more: https://www.lookout.com/threat-intelligence/article/badbazaar-surveillanceware-apt15