Meta, Facebook’s parent company, has disrupted two cross-platform cyber espionage campaigns. The malicious operations mainly relied on online platforms to deliver malware.

The announcement was made in Meta’s Quarterly Adversarial Threat Report, Second Quarter 2022, published this Thursday.

Meta’s Crackdown Against Cyber espionage Operations

According to Meta’s global threat intelligence lead, Ben Nimmo, and director of threat disruption, David Agranovich, earlier this year, Meta sabotaged the operations of two hacker groups targeting Facebook in cyber espionage campaigns.

The company noticed multiple policy violations worldwide, mainly by two hacking groups, both of which operated out of South Asia.

Targeted Groups

The first group is identified as Bitter APT aka T-APT-17. This group has been active since 2013 and was disrupted in the 2nd quarter of 2022. It targeted organizations in the engineering, energy, and government sectors.

The other group is APT36 which is known for delivering Crimson RAT. This group targeted people in India, Pakistan, Afghanistan, UAE, and Saudi Arabia. Their primary victims included government and military officials, human rights employees, and people associated with non-profit organizations.

As per Meta’s investigation, the activities of APT36 who is also known as Earth Karkaddan were connected to Pakistan-based state-linked actors.

Victims of Cyber Espionage Campaigns

Bitter APT used many malicious tactics to target people online, including social engineering. They used different strategies to distribute malware, such as link-shortening services, infected websites, malicious domains, and third-party hosting service providers.

A similar case was noticed with ATP36 as their TTPs were also low in sophistication but good in persistence and attack tactics. The group targeted email providers, social media, and file-hosting services.

Meta revealed that the hacker groups targeted people in India, Pakistan, New Zealand, and the United Kingdom. Although they had low operational security and sophistication levels, the groups were well-resourced and persistent.

The hackers used fictitious personas such as posing as journalists, young women, and activists to connect with their victims and gain their trust before luring them into downloading malware.

Attack Tactics, Techniques, and Procedures

Regarding TTPs (tactics, techniques, and procedures), Bitter ATP used a combination of social engineering, adversarial adaptation, Android malware dubbed by Meta as Dracarys, and an iOS application. 

“As such, APT36 is known for using a range of different malware families, and we found that in this recent operation it had also trojanized (non-official) versions of WhatsApp, WeChat, and YouTube with another commodity malware family known as Mobzsar or CapraSpy,” the report read.

Bitter APT deployed a chat application for iOS, which the group distributed through Apple’s Testflight service. Still, there’s no evidence that the application was just used for social engineering or contained malware.

They also used Dracarys Android malware to exploit accessibility services for carrying out malicious activities on the infected devices. This malware was injected into unofficial versions of Telegram, Signal, WhatsApp, and YouTube and collected device data, messages, call logs, user files, contacts, and location data, and could take photos, install apps, and activate the microphone.

In conclusion, it’s clear that social media platforms can be abused by cybercriminals for malicious purposes. Although Meta has done its job, It’s important for users to be aware of these threats and take steps to protect their information.

  1. Facebook ads dropped malware posing as a Clubhouse app for PC
  2. Mandrake Android malware stealing Facebook, crypto data since 2016
  3. Ducktail Malware Exploits LinkedIn to Hack Facebook Business Accounts
  4. CopperStealer malware stealing Facebook, Apple, and Google passwords
  5. Facebook removes 100s of accounts for spreading iOS and Android malware

Posted by Charlie