



New Android malware targets Uyghurs.

Phishing threat actor Fangxiao.

Billbug compromises Asian government agencies.

New Android malware targets Uyghurs.

Researchers at Lookout describe two spying campaigns targeting the predominantly Muslim Uyghur community in China and around the world. The campaigns have also targeted some Muslim-majority countries, including Afghanistan and Turkey. One of the surveillance campaigns involves a new strain of Android malware dubbed “BadBazaar”. The other uses the MOONSHINE malware, which has previously been used to target Tibetan activists: “BadBazaar and these new variants of MOONSHINE add to the already extensive collection of unique surveillance software used in campaigns to monitor and subsequently detain individuals in China. Their continued development and prevalence on Uyghur-language social media platforms indicate that these campaigns are ongoing and that the threat actors have successfully infiltrated online Uyghur communities to distribute their malware.”

Phishing threat actor Fangxiao.

Cyjax researchers are following “a large-scale, sophisticated phishing campaign that leverages the reputation of trusted international brands” to target “companies across multiple verticals, including retail, banking, travel and energy.” The researchers have named the financially motivated threat actor behind the campaign “Fangxiao”, assessing with high confidence that the gang is based in China. Fangxiao distributes phishing links via WhatsApp messages. The links lead to a wide variety of destinations, including scam sites that offer fake gift cards or trick the victim into downloading malware. Other links redirect the user through several advertising sites, which generate additional revenue for the threat actor. “We identified activity dating back to 2017 on more than 42,000 domains, allowing us to observe its development,” the researchers write. recruitment campaigns for disadvantaged countries.

“Fangxiao uses various strategies to remain anonymous: for example, most of their infrastructure is protected by Cloudflare, and they change domain names quickly. In a single day in October 2022, the group used over 300 unique new domains.”

Billbug compromises Asian government agencies.

Symantec has found that a Chinese state-sponsored threat actor has compromised a digital certificate authority in an unnamed Asian country. The threat actor has also compromised government and defense agencies in several Asian countries, with espionage as the likely goal. The actor, which Symantec (a unit of Broadcom) tracks as Billbug (also known as Lotus Blossom or Thrip), likely targeted the CA in order to sign its malicious files, although it is unclear whether Billbug was able to steal certificates. Targeting a CA is remarkable because attackers who successfully compromise one to gain access to certificates could potentially use them to sign malware with a valid certificate and help it avoid detection on victim machines. They could also use compromised certificates to intercept HTTPS traffic. However, while this is a possible motivation for targeting a CA, Symantec has not seen any evidence to suggest that Billbug succeeded in compromising digital certificates. Symantec has notified the CA in question of this activity.

