Meta, Facebook’s parent company, disclosed that it has taken action against two South Asian cyber-espionage operations that leveraged its social media platforms to distribute malware to potential targets.
The first set of operations, which the company describes as “persistent and well-resourced,” was carried out by a hacking group tracked under the moniker Bitter APT (aka APT-C-08 or T-APT-17) and targeted individuals in New Zealand, India, Pakistan, and the United Kingdom.
“Bitter used a variety of malicious tactics to target people online with social engineering and infect their devices with malware,” Meta said in its Quarterly Adversarial Threat Report. “They used a combination of link shortening services, malicious domains, compromised websites, and third-party hosting providers to distribute their malware.”
The attacks involved the threat actor creating fictitious personas on the platform, posing as attractive young women to build trust with targets and lure them into clicking bogus links that deployed malware.
In an interesting twist, the attackers convinced victims to download an iOS chat application through Apple TestFlight, a legitimate online service that can be used to beta test apps and provide feedback to application developers.
“This meant that hackers did not need to rely on exploits to deliver custom malware to their targets, and could use official Apple services to distribute apps in an effort to make them appear more legitimate, as long as they convinced people to download Apple TestFlight and tricked them into installing their chat app,” the researchers said.
While the exact functionality of the app is unknown, it is suspected to have been used as a social engineering ploy to monitor the campaign’s victims through a chat medium set up for that purpose.
In addition, Bitter APT operators used a previously undocumented Android malware called Dracarys, which abuses the operating system’s accessibility services to install arbitrary applications, record audio, take pictures, and collect sensitive data from infected phones, including call logs, contacts, files, text messages, geolocation, and device information.
Dracarys is distributed through trojanized dropper apps posing as YouTube, Signal, Telegram, and WhatsApp, continuing the trend of attackers increasingly deploying malware that masquerades as legitimate software to infiltrate mobile devices.
Furthermore, in a sign of adversarial adaptation, Meta notes that the group resisted its detection and blocking efforts by posting broken links, or images of malicious links, in chat threads, requiring the recipient to type the link into their browser manually. Because the message body never contains a well-formed URL, automated link scanning that only matches intact URLs does not trigger on it.
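The evasion described above turns into a concrete detection problem for any messaging platform: a URL filter that only recognises well-formed links will not fire on a link the recipient is expected to reassemble by hand. The following is an added example, not code from Meta or from its report, showing one way to normalise such “broken” links before matching, and to flag links that only become valid URLs after normalisation as more suspicious than links posted intact. The obfuscation styles handled (hxxp, [.], (dot), whitespace inserted around dots and ://) and the sample messages are constructed assumptions about how links get broken, not the exact forms Meta observed; links delivered as images would require OCR, which this example does not attempt.

```python
import re
from dataclasses import dataclass


@dataclass
class LinkFinding:
    message: str      # raw chat message the link was found in
    normalized: str   # URL as the recipient would have to type it
    obfuscated: bool  # True if the URL only exists after normalisation


# Assumed defanging / link-breaking styles (not from Meta's report).
# Order matters: scheme and bracket fixes first, then whitespace repair.
_DEFANG_RULES = [
    (re.compile(r"\bhxxp(s?)\b", re.I), r"http\1"),                      # hxxps:// -> https://
    (re.compile(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)|\{dot\}", re.I), "."),     # example[.]com, example(dot)com
    (re.compile(r"\[:\]|\(:\)"), ":"),                                    # https[:]//
    (re.compile(r"(?<=[A-Za-z0-9-])\s*\.\s*(?=[A-Za-z0-9-])"), "."),      # "example . com" -> "example.com"
    (re.compile(r"\s*:\s*/\s*/\s*"), "://"),                              # "https :// host" -> "https://host"
]

# Candidate URL after normalisation: optional scheme, dotted host, optional path.
_URL_RE = re.compile(
    r"(?:(?P<scheme>https?)://)?"
    r"(?P<host>(?:[a-z0-9-]+\.)+[a-z]{2,})"
    r"(?P<path>/[^\s]*)?",
    re.I,
)


def normalize_links(text: str) -> str:
    """Undo common defanging so a broken link reads as the URL the victim would type."""
    for pattern, repl in _DEFANG_RULES:
        text = pattern.sub(repl, text)
    return text


def find_links(message: str) -> list[LinkFinding]:
    """Extract URL candidates from one chat message, marking those that were obfuscated."""
    normalized_text = normalize_links(message)
    findings = []
    for m in _URL_RE.finditer(normalized_text):
        # A bare "word.word" with neither scheme nor path (e.g. "Nice.Call" from
        # "Nice. Call") is too weak a signal; require one of the two.
        if not (m.group("scheme") or m.group("path")):
            continue
        url = m.group(0).rstrip(".,;:!?)")
        # If the exact URL already appeared in the raw message, it was posted intact.
        findings.append(LinkFinding(message, url, obfuscated=url not in message))
    return findings


def triage(messages: list[str]) -> tuple[list[str], list[str]]:
    """Split a batch of messages into (obfuscated URLs, plainly posted URLs)."""
    obfuscated, plain = [], []
    for msg in messages:
        for f in find_links(msg):
            (obfuscated if f.obfuscated else plain).append(f.normalized)
    return obfuscated, plain


# Constructed sample chat messages (not real campaign data); .example TLDs are reserved.
SAMPLE_MESSAGES = [
    "check this out hxxps://secure-chat[.]example/app",
    "download here: https :// chat-app . example . org/ios",
    "link is secure-chat(dot)example(dot)net/dl",
    "hello, how are you today?",
    "visit https://legit.example.com/help for info",
]

if __name__ == "__main__":
    suspicious, plain_links = triage(SAMPLE_MESSAGES)
    for url in suspicious:
        print("OBFUSCATED:", url)
    for url in plain_links:
        print("plain:     ", url)
```

The useful signal here is not the URL itself but the fact that it had to be reassembled: a sender who deliberately breaks a link is working around a filter, so an obfuscated finding deserves a higher score than an intact link to the same host. Normalisation also gives the platform a canonical URL to run against its existing domain reputation checks, which is the step the broken-link trick was meant to avoid.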
The origin of Bitter remains a puzzle; there are few indicators available to attribute it conclusively to a particular country. It is believed to operate out of South Asia and has recently expanded its focus to attacking military entities in Bangladesh.
Meta Disrupts Transparent Tribe
The second collective disrupted by Meta was Transparent Tribe (aka APT36), an advanced persistent threat believed to be based out of Pakistan, with a track record of targeting government agencies in India and Afghanistan using bespoke malicious tools.
Last month, Cisco Talos attributed the actor to an ongoing phishing campaign targeting students at various educational institutions in India, marking a departure from its typical victimology to include civilian users.
The latest intrusions suggest an amalgamation of targets: military personnel, government officials, employees of human rights and other nonprofit organizations, and students located in Afghanistan, India, Pakistan, Saudi Arabia, and the UAE.
Targets are socially engineered using fake personas that pose as recruiters for both legitimate and fake companies, as military personnel, or as attractive young women looking to strike up a romantic relationship, eventually enticing them into opening links hosting malware.
The downloaded files contain LazaSpy, a modified version of an open-source Android monitoring software called XploitSPY, while unofficial WhatsApp, WeChat, and YouTube clone apps are used to deliver another piece of commodity malware known as Mobzsar (aka CapraSpy).
Both pieces of malware come with features to gather call logs, contacts, files, text messages, geolocation, device information, and photos, as well as to enable the device’s microphone, making them effective surveillance tools.
“This threat actor is a prime example of a global trend […] where low-sophistication groups choose to rely on readily available malicious tools instead of investing in the development or purchase of sophisticated attack capabilities,” the researchers said.
These “low-cost basic tools […] require less technical expertise to deploy, but still deliver results for attackers,” the company said, adding that this “democratizes access to attack and monitoring capabilities as the barrier to entry gets lower and lower.”