Cyberwarfare

Meta Disrupted Two Cyberespionage Operations in South Asia

Facebook’s parent company Meta took action earlier this year against two cross-platform cyberespionage operations that relied on various online services for malware distribution.

The first group of hackers that Meta disrupted during the second quarter is Bitter APT. Also called T-APT-17, the group has been around since at least 2013, targeting entities in the energy, engineering, and government sectors.

Meta has observed the hacking group using link-shortening services, malicious and compromised domains, and third-party hosting providers to target victims in India, New Zealand, Pakistan and the United Kingdom with malware.

The group has created fictitious personas – posing as young women, journalists or activists – to connect with potential victims and gain their trust before tricking them into downloading malware.

Bitter APT has been seen deploying a chat application for iOS distributed via Apple’s Testflight service. However, it’s unclear whether the application was malicious or was only used for social engineering.

The hackers have also used an Android malware family that abused Android's accessibility services to perform malicious actions on infected devices.

Dubbed Dracarys, the malware was injected into non-official versions of apps such as Signal, Telegram, YouTube, and WhatsApp. It gives the operators access to device information, call logs, messages, contacts, user files, and location, and provides the ability to take photos, enable the microphone, and install apps.

“This group has aggressively responded to our detection and blocking of its activity and domain infrastructure. For example, Bitter would attempt to post broken links or images of malicious links so that people would have to type them into their browser rather than click on them — all in an attempt to unsuccessfully evade enforcement,” Meta notes.

Operating out of Pakistan, the second group of hackers is APT36. Also tracked as Transparent Tribe, Earth Karkaddan, Operation C-Major, PROJECTM, and Mythic Leopard, the group is believed to be linked to the Pakistani government.

APT36 has been observed targeting government officials, human rights activists, military personnel, students, and non-profit organizations in Afghanistan, India, Pakistan, Saudi Arabia, and UAE.

The APT has been creating fictitious personas – such as recruiters or attractive young women – to build trust with its potential victims. For malware delivery, it used custom infrastructure, including domains masquerading as app stores and photo-sharing websites, or spoofing legitimate domains.

Furthermore, the hackers have been observed using link-shortening services to hide their malicious URLs, and hosting malware on file-sharing services like WeTransfer.

In some attacks, the group used LazaSpy, a modified version of the XploitSPY Android malware, which is available on GitHub.

In other incidents, APT36 deployed non-official versions of YouTube, WhatsApp, and WeChat injected with Mobzsar or CapraSpy. These implants can access various types of information on the victim device, including call logs, contacts, files, location, messages, and photos, and can enable the microphone.

“Our investigations and malware analysis into advanced persistent threat (APT) groups show a notable trend in which APTs choose to rely on openly available malicious tools, including open-source malware, rather than invest in developing or buying sophisticated offensive capabilities,” Meta notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
