Facebook parent company Meta disclosed that it took action against two espionage operations in South Asia that leveraged its social media platforms to distribute malware to potential targets.
The first set of activities is what the company described as “persistent and well-resourced” and undertaken by a hacking group tracked under the moniker Bitter APT (aka APT-C-08 or T-APT-17) targeting individuals in New Zealand, India, Pakistan, and the U.K.
“Bitter used various malicious tactics to target people online with social engineering and infect their devices with malware,” Meta said in its Quarterly Adversarial Threat Report. “They used a mix of link-shortening services, malicious domains, compromised websites, and third-party hosting providers to distribute their malware.”
The attacks involved the threat actor creating fictitious personas on the platform, masquerading as attractive young women in a bid to build trust with targets and lure them into clicking on bogus links that deployed malware.
But in an interesting twist, the attackers convinced victims to download an iOS chat application via Apple TestFlight, a legitimate online service that can be used for beta-testing apps and providing feedback to app developers.
“This meant that hackers didn’t need to rely on exploits to deliver custom malware to targets and could utilize official Apple services to distribute the app in an effort to make it appear more legitimate, as long as they convinced people to download Apple Testflight and tricked them into installing their chat application,” the researchers said.
While the exact functionality of the app is unknown, it’s suspected to have been employed as a social engineering ploy to have oversight over the campaign’s victims through a chat medium orchestrated specifically for this purpose.
Additionally, the Bitter APT operators used a previously undocumented Android malware dubbed Dracarys, which abuses the operating system’s accessibility permissions to install arbitrary apps, record audio, capture photos, and harvest sensitive data from the infected phones such as call logs, contacts, files, text messages, geolocation, and device information.
Dracarys was delivered through trojanized dropper apps posing as YouTube, Signal, Telegram, and WhatsApp, continuing the trend of attackers increasingly deploying malware disguised as legitimate software to break into mobile devices.
Furthermore, in a sign of adversarial adaptation, Meta noted the group countered its detection and blocking efforts by posting broken links or images of malicious links on the chat threads, requiring the recipients to type the link into their browsers.
Bitter’s origins are something of a puzzle, with not many indicators available to conclusively tie it to a specific country. It’s believed to operate out of South Asia and recently expanded focus to strike military entities in Bangladesh.
Transparent Tribe targets governments with LazaSpy malware
The second collective to be disrupted by Meta is Transparent Tribe (aka APT36), an advanced persistent threat alleged to be based out of Pakistan and which has a track record of targeting government agencies in India and Afghanistan with bespoke malicious tools.
Last month, Cisco Talos attributed the actor to an ongoing phishing campaign targeting students at various educational institutions in India, marking a departure from its typical victimology pattern to include civilian users.
The latest set of intrusions suggest an amalgamation, having singled out military personnel, government officials, employees of human rights and other non-profit organizations, and students located in Afghanistan, India, Pakistan, Saudi Arabia, and the U.A.E.
The targets were social engineered using fake personas by posing as recruiters for both legitimate and fake companies, military personnel, or attractive young women looking to make a romantic connection, ultimately enticing them into opening links hosting malware.
The downloaded files contained LazaSpy, a modified version of an open source Android monitoring software called XploitSPY, while also making use of unofficial WhatsApp, WeChat and YouTube clone apps to deliver another commodity malware known as Mobzsar (aka CapraSpy).
Both pieces of malware come with features to gather call logs, contacts, files, text messages, geolocation, device information, and photos, as well as enable the device’s microphone, making them effective surveillance tools.
“This threat actor is a good example of a global trend […] where low-sophistication groups choose to rely on openly available malicious tools, rather than invest in developing or buying sophisticated offensive capabilities,” the researchers said.
These “basic low-cost tools […] require less technical expertise to deploy, yet yield results for the attackers nonetheless,” the company said, adding it “democratizes access to hacking and surveillance capabilities as the barrier to entry becomes lower.”