BadBazaar Android Malware Tied to Chinese Cyberspies

This campaign highlights how difficult attribution can be for threat campaigns. BadBazaar was first tied to a campaign in the Middle East in 2017, then attributed to APT15 in 2020, and now to Xi’an Tian He Defense Technology in 2022. The most likely explanation is that this specific tool is sold as a service rather than developed in-house by any one of these groups, a pattern that is becoming increasingly common.

Additionally, while the recent campaign involving the new “Moonshine” variant could not be confirmed as the work of any specific group, its behavior matches the recent activity attributed to Xi’an Tian He Defense Technology, suggesting the two may be related. Moreover, because this company targets groups similar to those APT15 has historically targeted, using the same malware seen previously, the two actors may themselves be connected, although this cannot be confirmed with certainty.

Because this is Android malware, there is little an enterprise can do to detect or prevent this kind of activity directly. The best options are to limit BYOD device policies in the workplace, educate users about campaigns such as this one, and enforce strong password and authentication policies to block suspicious logons.

https://www.bleepingcomputer.com/news/security/new-badbazaar-android-malware-linked-to-chinese-cyberspies/