Home>Blog>The Hacker News Headlines>Meta Cracks Down on Cyber Espionage Operations in South Asia Abusing Facebook
The Hacker News Headlines

Meta Cracks Down on Cyber Espionage Operations in South Asia Abusing Facebook

Cyber Espionage Operations

Facebook parent company Meta disclosed that it took action
against two espionage operations in South Asia that leveraged its
social media platforms to distribute malware to potential
targets.

The first set of activities is what the company described as
“persistent and well-resourced” and undertaken by a hacking group
tracked under the moniker Bitter APT (aka APT-C-08 or T-APT-17)
targeting individuals in New Zealand, India, Pakistan and the
U.K.

“Bitter used various malicious tactics to target people online
with social engineering and infect their devices with malware,”
Meta said[1]
in its Quarterly Adversarial Threat Report. “They used a mix of
link-shortening services, malicious domains, compromised websites,
and third-party hosting providers to distribute their malware.”

The attacks involved the threat actor creating fictitious
personas on the platform, masquerading as attractive young women in
a bid to build trust with targets and lure them into clicking on
bogus links that deployed malware.

But in an interesting twist, the attackers convinced victims to
download an iOS chat application via Apple TestFlight[2], a legitimate online
service that can be used for beta-testing apps and providing
feedback to app developers.

CyberSecurity

“This meant that hackers didn’t need to rely on exploits to
deliver custom malware to targets and could utilize official Apple
services to distribute the app in an effort to make it appear more
legitimate, as long as they convinced people to download Apple
Testflight and tricked them into installing their chat
application,” the researchers said.

While the exact functionality of the app is unknown, it’s
suspected to have been employed as a social engineering ploy as a
means to have oversight over the campaign’s victims through a chat
medium orchestrated for this purpose.

Additionally, the Bitter APT operators used a previously
undocumented Android malware dubbed Dracarys, which abuses the
operating system’s accessibility permissions[3] to install arbitrary
apps, record audio, capture photos, and harvest sensitive data from
the infected phones such as call logs, contacts, files, text
messages, geolocation, and device information.

Dracarys was delivered through trojanized dropper apps[4]
posing as YouTube, Signal, Telegram, and WhatsApp, continuing the
trend of attackers increasingly deploying malware disguised as
legitimate software to break into mobile devices.

Furthermore, in a sign of adversarial adaptation, Meta noted the
group countered its detection and blocking efforts by posting
broken links or images of malicious links on the chat threads,
requiring the recipients to type the link into their browsers.

Bitter’s origins are something of a puzzle, with not many
indicators available to conclusively tie to a specific country.
It’s believed to operate out of South Asia and recently expanded
focus to strike military entities[5] in Bangladesh.

Meta cracks down on Transparent Tribe

The second collective to be disrupted by Meta is Transparent
Tribe (aka APT36), an advanced persistent threat alleged to be
based out of Pakistan and which has a track record of targeting
government agencies in India and Afghanistan with bespoke malicious
tools.

Last month, Cisco Talos attributed[6]
the actor to an ongoing phishing campaign targeting students at
various educational institutions in India, marking a departure from
its typical victimology pattern to include civilian users.

The latest set of intrusions suggest an amalgamation, having
singled out military personnel, government officials, employees of
human rights and other non-profit organizations, and students
located in Afghanistan, India, Pakistan, Saudi Arabia, and the
U.A.E.

CyberSecurity

The targets were social engineered using fake personas by posing
as recruiters for both legitimate and fake companies, military
personnel, or attractive young women looking to make a romantic
connection, ultimately enticing them into opening links hosting
malware.

The downloaded files contained LazaSpy, a modified version of an
open source Android monitoring software called XploitSPY[7], while also making use
of unofficial WhatsApp, WeChat and YouTube clone apps to deliver
another commodity malware known as Mobzsar (aka CapraSpy).

Both pieces of malware come with features to gather call logs,
contacts, files, text messages, geolocation, device information,
and photos, as well as enable the device’s microphone, making them
effective surveillance tools.

“This threat actor is a good example of a global trend […] where low-sophistication groups choose to rely on openly available
malicious tools, rather than invest in developing or buying
sophisticated offensive capabilities,” the researchers said.

These “basic low-cost tools […] require less technical
expertise to deploy, yet yield results for the attackers
nonetheless,” the company said, adding it “democratizes access to
hacking and surveillance capabilities as the barrier to entry
becomes lower.”

References

  1. ^
    said
    (about.fb.com)
  2. ^
    TestFlight
    (en.wikipedia.org)
  3. ^
    accessibility permissions
    (thehackernews.com)
  4. ^
    dropper
    apps     (thehackernews.com)
  5. ^
    strike
    military entities     (thehackernews.com)
  6. ^
    attributed
    (thehackernews.com)
  7. ^
    XploitSPY
    (github.com)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.