Meta, Facebook’s parent company, announced that it has taken action against two South Asian cyber-espionage operations that used its social networking platforms to deliver malware to potential targets. The two groups are Bitter APT and Transparent Tribe.
Meta cracks down on Bitter APT
The first group, described as “persistent and well resourced”, is known as Bitter APT (aka APT-C-08 or T-APT-17) and targets individuals in New Zealand, India, Pakistan, and the United Kingdom.
“Bitter used a range of malicious approaches, including social engineering, to target users online and infect their devices with malware,” Meta said in its quarterly Adversarial Threat Report. “They distributed their malware via a combination of link-shortening services, malicious domains, compromised websites, and third-party hosting providers.”
To win a target’s trust and persuade them to click on malicious links, the threat actor used fictitious personas, often posing as an attractive young woman.
In an interesting twist, the attackers persuaded victims to download an iOS chat application through Apple TestFlight, a legitimate online service that can be used to beta-test apps and provide feedback to app developers.
Because the attackers convinced targets to install Apple TestFlight and then their own chat application through it, they did not need to rely on exploits to deliver custom malware. Instead, they could use an official Apple service to distribute the app, which made it appear more legitimate.
Although the app’s precise functionality is unknown, it is believed to have served as a social engineering ruse to keep the campaign’s victims engaged on a chat platform set up for this purpose.
Bitter APT operators also used a previously undocumented Android malware dubbed Dracarys, which abuses the operating system’s accessibility permissions to install arbitrary apps, record audio, capture photos, and harvest sensitive data from infected phones, including call logs, contacts, files, text messages, geolocation and device information.
Dracarys was distributed through trojanized dropper apps posing as YouTube, Signal, Telegram and WhatsApp, continuing the trend of attackers deploying malware disguised as legitimate software to compromise mobile devices.
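The capability profile described above (an accessibility service combined with permissions for audio, camera, call logs, contacts, SMS, location and app installation) is something an analyst can screen for directly in an APK’s AndroidManifest.xml. The script below is an added triage example and is not code from Meta’s report or from Dracarys itself; the package name, the two manifests, and the “three or more data-collection permissions” threshold are all constructed assumptions for illustration.

```python
"""Screen an Android manifest for an accessibility service paired with
data-collection permissions. Added example: the manifests below are
constructed and do not come from any real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Real Android permission names, mapped to the capability they enable.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.CAMERA": "capture photos",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
    "android.permission.READ_EXTERNAL_STORAGE": "read files",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other apps",
}

# Constructed manifest standing in for a trojanized messaging app (assumed name).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Chat">
    <service android:name=".SvcAccess"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison: network access only, no service.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the declared surveillance capabilities, any accessibility
    services, and a verdict for the given manifest XML."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"

    declared = {e.get(name_attr) for e in root.iter("uses-permission")}
    matched = {p: SURVEILLANCE_PERMISSIONS[p]
               for p in declared if p in SURVEILLANCE_PERMISSIONS}

    # A service protected by BIND_ACCESSIBILITY_SERVICE is how an app
    # registers itself as an accessibility service.
    accessibility_services = [
        s.get(name_attr) for s in root.iter("service")
        if s.get(perm_attr) == BIND_ACCESSIBILITY
    ]

    # Heuristic (an assumption, not a published rule): an accessibility
    # service plus three or more data-collection permissions warrants review.
    suspicious = bool(accessibility_services) and len(matched) >= 3
    return {
        "package": root.get("package", ""),
        "accessibility_services": accessibility_services,
        "capabilities": sorted(matched.values()),
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(manifest)
        print(f"{report['package']}: suspicious={report['suspicious']} "
              f"capabilities={report['capabilities']}")
```

The check only looks at declared intent; a benign screen reader will also declare an accessibility service, which is why the verdict pairs that declaration with the data-collection permissions rather than flagging either alone. On a real APK, extract AndroidManifest.xml with a decoder such as apktool before passing it to the function, since the manifest inside the archive is binary XML.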
In a sign of adversarial adaptation, Meta noted that the group countered its detection and blocking efforts by posting broken links, or images of malicious links, in chat threads, which forces recipients to type the link into their browser manually and sidesteps automated link scanning.
The origin of Bitter remains an enigma, with few indicators available to conclusively tie it to a specific country. It is believed to operate from South Asia and has recently focused on attacking military entities in Bangladesh.
Meta cracks down on Transparent Tribe
The second group disrupted by Meta is Transparent Tribe (aka APT36), an advanced persistent threat reportedly based in Pakistan with a track record of targeting government agencies in India and Afghanistan with bespoke malicious tools.
Last month, Cisco Talos attributed to the actor an ongoing phishing campaign targeting students at various educational institutions in India, marking a departure from its typical victimology to include civilian users.
The latest set of targets is a mix of military personnel, government officials, employees of human rights and other non-profit organizations, and students based in Afghanistan, India, Pakistan, Saudi Arabia and the United Arab Emirates.
Targets were socially engineered using fake personas posing as recruiters for legitimate and fake companies, military personnel, or attractive young women looking to build a romantic relationship, ultimately luring them into opening links that hosted malware.
The downloaded files included LazaSpy, a modified version of an open source Android monitoring tool called XploitSPY, while unofficial WhatsApp, WeChat and YouTube clone apps were used to distribute another commodity malware known as Mobzsar (aka CapraSpy).
Both pieces of malware come with features to enable the device’s microphone and to collect call logs, contacts, files, text messages, geolocation, device information and photos, making them effective surveillance tools.
“This threat actor is a good example of the global trend […] where less-sophisticated groups choose to rely on openly available malicious tools rather than invest in developing or purchasing sophisticated offensive capabilities,” the researchers said.
These “basic low-cost tools” […] require less technical expertise to deploy, yet yield results for the attackers,” the company said, “democratizing access to hacking and surveillance capabilities as the barrier to entry is lowered.”