News Installed Telegram? Congratulations, you now have a Curator from China.

Fixxx
Moderator


The UK National Cyber Security Centre (NCSC) has published a joint technical summary with the Five Eyes alliance, detailing a new active espionage campaign. The attack is attributed to the Chinese APT group GREF, and its tools target users on both Android and iOS platforms. The primary targets of these attacks are ethnic and religious minorities, including Tibetans and Uighurs, as well as activists, journalists, and members of the diaspora. The main mechanism for spreading the malware involves malicious copies of popular messaging apps. Fake applications, such as "Signal Plus Messenger" and "Telegram from Plus," are essentially modified versions of the original open-source code, into which the attackers have embedded covert surveillance features. Once installed, these programs can transmit user data, including geolocation, call logs and contact lists, and can even intercept messages.

Infection of Android devices occurs through APK files hosted on third-party app stores and phishing links. The BADBAZAAR backdoor is activated immediately upon launch and connects to a command server, sending the collected data to it. Additionally, the malware can update its behavior based on configurations received from the C2 server, complicating detection efforts. For Apple devices, a different method is employed. The MOONSHINE tool is delivered via web links leading to specially crafted sites with exploits tailored for specific iOS versions. The campaign demonstrates a high level of sophistication, as the attackers meticulously disguise their resources as legitimate services and exploit vulnerabilities in Safari to gain control over the device.

Victims are often individuals who have already been subjected to state surveillance, indicating that the campaign is targeted against specific groups. Experts note that the malware itself was observed as early as 2020-2022, but there is currently a resurgence with updated functionality and adaptations for modern systems. Five Eyes specialists warn that such attacks may extend beyond current geopolitical interests and could be used for more extensive espionage. There is particular concern about the potential for real-time message interception, especially when using apps that mirror messages to other devices. The report includes recommendations for mitigating risks: users are advised to download applications only from official stores, avoid third-party APKs, and regularly apply security updates.
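A rebuilt clone of an open-source messenger like the ones described above cannot be signed with the original developer's key, so comparing an APK's signing certificate digest against the official one is a practical check behind the "avoid third-party APKs" advice. The script below is an added example, not code from the advisory or this post; it assumes the APK carries a v1 (JAR) signature in META-INF, uses only the Python standard library, and the allowlist value is a placeholder to be replaced with the official signer digest.

```python
import hashlib, io, zipfile

# Known-good signer cert SHA-256 digests (as printed by "apksigner verify --print-certs"); PLACEHOLDER value.
OFFICIAL_SIGNERS = {"<official-signer-sha256-placeholder>"}

def der(tag, payload):
    """Short-form DER TLV encoder (payload < 128 bytes), used only for the constructed sample."""
    return bytes([tag, len(payload)]) + payload

def der_children(buf):
    """Walk a DER constructed value, yielding (tag, raw_tlv, inner_value)."""
    pos = 0
    while pos < len(buf):
        start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                                  # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[start:pos + length], buf[pos:pos + length]
        pos += length

def first_cert_from_pkcs7(blob):
    """Return the DER of the first certificate inside a PKCS#7 SignedData blob."""
    _, _, content_info = next(der_children(blob))          # ContentInfo SEQUENCE
    content = next(v for t, _, v in der_children(content_info) if t == 0xA0)
    _, _, signed_data = next(der_children(content))        # SignedData SEQUENCE
    for tag, _, certs in der_children(signed_data):
        if tag == 0xA0:                                    # [0] IMPLICIT certificates
            return next(raw for t, raw, _ in der_children(certs) if t == 0x30)
    raise ValueError("no certificate in signature block")

def check_apk_signer(apk_bytes, allowlist=OFFICIAL_SIGNERS):
    """Classify an APK by the SHA-256 digest of its v1 (JAR) signing certificate."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        sigs = [n for n in z.namelist() if n.upper().startswith("META-INF/")
                and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not sigs:
            return "NO_V1_SIGNATURE", None
        digest = hashlib.sha256(first_cert_from_pkcs7(z.read(sigs[0]))).hexdigest()
    return ("OFFICIAL_SIGNER" if digest in allowlist else "UNKNOWN_SIGNER"), digest

def build_sample_apk(cert_body, signed=True):
    """Constructed sample: a zip carrying a skeletal PKCS#7 block around cert_body."""
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, b"")
                      + der(0xA0, der(0x30, cert_body)) + der(0x31, b""))
    pkcs7 = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010702")) + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if signed:
            z.writestr("META-INF/CERT.RSA", pkcs7)   # a real APK also has .SF and MANIFEST.MF
    return buf.getvalue()
```

An APK that reports UNKNOWN_SIGNER against the real developer's digest is not the official build, whatever its name and icon say.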