Facebook’s parent company Meta revealed that it took action against two spying operations in South Asia that leveraged its social media platform to distribute malware to potential targets.
The first set of activities is what the company described as a "persistent and well-resourced" hacking group tracked under the moniker Bitter APT (aka APT-C-08 or T-APT-17), which targeted individuals in New Zealand, India, Pakistan, and the U.K.
“Bitter used various malicious tactics with social engineering to target people online and infect their devices with malware,” Meta said in its quarterly Adversarial Threat Report. “They used a mix of link-shortening services, malicious domains, compromised websites, and third-party hosting providers to distribute their malware.”
In the attacks, the threat actor created fictitious personas on the platform, masquerading as attractive young women in an effort to build trust with targets and lure them into clicking on bogus links that deployed malware.
But in an interesting twist, the attackers persuaded victims to download an iOS chat application through Apple TestFlight, a legitimate online service that can be used to beta-test apps and provide feedback to app developers.
“This meant that hackers didn't need to rely on exploits to deliver custom malware to targets and could utilize official Apple services to distribute the app in an effort to make it appear more legitimate, as long as they convinced people to download Apple TestFlight and tricked them into installing their chat application,” the researchers said.
Although the exact functionality of the app is unknown, it is suspected to have been employed as a social engineering ploy, a means of keeping tabs on the campaign's victims through a chat medium set up for that purpose.
Additionally, Bitter APT operators used a previously undocumented Android malware dubbed Dracarys, which abused the operating system's accessibility permissions to install arbitrary apps, record audio, capture photos, and harvest sensitive data from infected phones, including call logs, contacts, files, text messages, geolocation, and device information.
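Because Dracarys leaned on the accessibility permission for most of its capabilities, one quick triage step on a suspect handset is to enumerate which packages currently have an accessibility service switched on and compare them against what you expect. The Python below is an added example, not code from Meta's report or from the malware: it assumes the input is the value of Android's Settings.Secure key enabled_accessibility_services (as printed by `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of "package/class" component names, or the literal "null"); the sample value, the allowlist and the brand list are constructed for this example.

```python
"""Triage check for enabled Android accessibility services (added example).

Assumed input: the string value of Settings.Secure
``enabled_accessibility_services`` as printed by
``adb shell settings get secure enabled_accessibility_services``.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: a legitimate screen reader (TalkBack) plus a dropper
# posing as a "Telegram update" that has enabled its own service.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "org.telegram.messenger.update/.AccService"
)

# Hypothetical allowlist: packages permitted to hold an enabled
# accessibility service on this fleet. Tune per environment.
TRUSTED_ACCESSIBILITY_PACKAGES = frozenset({
    "com.google.android.marvin.talkback",
})

# Brands the droppers in this campaign impersonated, mapped to the
# official package name of the genuine app.
OFFICIAL_PACKAGES = {
    "youtube": "com.google.android.youtube",
    "signal": "org.thoughtcrime.securesms",
    "telegram": "org.telegram.messenger",
    "whatsapp": "com.whatsapp",
}


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    reason: str


def parse_enabled_services(setting: str | None) -> list[tuple[str, str]]:
    """Split the setting into (package, fully-qualified class) pairs.

    Handles the unset case ("null"/empty) and the short component form
    "pkg/.Class" that Android's ComponentName.flattenToShortString emits.
    """
    if setting is None or setting.strip() in ("", "null"):
        return []
    services: list[tuple[str, str]] = []
    for item in setting.split(":"):
        item = item.strip()
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def triage(setting: str | None,
           trusted: frozenset[str] = TRUSTED_ACCESSIBILITY_PACKAGES) -> list[Finding]:
    """Flag every enabled accessibility service from a package that is not
    on the allowlist, and note when its name imitates a well-known app."""
    findings: list[Finding] = []
    for pkg, cls in parse_enabled_services(setting):
        if pkg in trusted:
            continue
        reasons = ["accessibility service enabled by package not on allowlist"]
        for brand, official in OFFICIAL_PACKAGES.items():
            if brand in pkg.lower() and pkg != official:
                reasons.append(f"package name imitates {brand} but is not {official}")
        findings.append(Finding(pkg, cls, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SETTING):
        print(f"{f.package} ({f.service}): {f.reason}")
```

Run it against the live value pulled over adb; anything flagged that the user did not knowingly enable is worth pulling the APK for. Accessibility is not the only route to these capabilities, so a clean result here does not clear the device.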
Dracarys was distributed through trojanized dropper apps posing as YouTube, Signal, Telegram, and WhatsApp, continuing the trend of attackers increasingly deploying malware disguised as legitimate software to break into mobile devices.
Furthermore, in a sign of adversarial adaptation, Meta noted that the group countered its detection and blocking efforts by posting broken links, or images of malicious links, in chat threads, requiring recipients to type the link into their browsers themselves.
The origins of Bitter are something of an enigma, with few indicators available to conclusively tie it to a specific country. It is believed to operate out of South Asia and has recently expanded its focus to strike military entities in Bangladesh.
Meta cracks down on Transparent Tribe
The second group to be disrupted by Meta is Transparent Tribe (aka APT36), an advanced persistent threat reportedly based out of Pakistan with a track record of targeting government agencies in India and Afghanistan with bespoke malicious tools.
Last month, Cisco Talos attributed to the actor an ongoing phishing campaign targeting students at various educational institutions in India, marking a departure from its typical victimology pattern to include civilian users.
The latest set of intrusions suggests a broadening of targets, taking in military personnel, government officials, employees of human rights and other non-profit organizations, and students based in Afghanistan, India, Pakistan, Saudi Arabia, and the United Arab Emirates.
Targets were socially engineered using fake personas posing as recruiters for both legitimate and fake companies, as military personnel, or as attractive young women looking to make a romantic connection, ultimately enticing them into opening links that hosted malware.
The downloaded files contained LazaSpy, a modified version of an open source Android monitoring tool called XploitSPY, while unofficial WhatsApp, WeChat, and YouTube clone apps were used to distribute another commodity malware known as Mobzsar (aka CapraSpy).
Both pieces of malware come with features to enable the device's microphone and collect call logs, contacts, files, text messages, geolocation, device information, and photos, making them effective surveillance tools.
“This threat actor is a good example of a global trend […] where low-sophistication groups choose to rely on openly available malicious tools, rather than invest in developing or buying sophisticated offensive capabilities,” the researchers said.
These “basic low-cost tools […] require less technical expertise to deploy, yet yield results for the attackers nonetheless,” the company said, adding that it “democratizes access to hacking and surveillance capabilities as the barrier to entry becomes lower.”