Facebook’s parent company Meta took action earlier this year against two cross-platform cyberespionage operations that relied on various online services for malware distribution.
The first group of hackers that Meta disrupted during the second quarter is Bitter APT. Also called T-APT-17, the group has been around since at least 2013, targeting entities in the energy, engineering, and government sectors.
Meta has observed the hacking group using link-shortening services, malicious and compromised domains, and third-party hosting providers to target victims in India, New Zealand, Pakistan and the United Kingdom with malware.
The group has created fictitious personas – posing as young women, journalists or activists – to connect with potential victims and gain their trust before tricking them into downloading malware.
Bitter APT has also been seen deploying an iOS chat application distributed through Apple’s TestFlight beta-testing service rather than the App Store. It is unclear whether the application itself was malicious or whether it served only as a social-engineering lure to move conversations with targets onto attacker-controlled infrastructure.
The group has additionally used an Android malware family that abuses Android’s accessibility services, a mechanism that lets an app read screen content and inject taps and keystrokes on the victim’s behalf, to perform malicious actions on infected devices.
Dubbed Dracarys, the malware was injected into non-official (repackaged) versions of apps such as Signal, Telegram, YouTube, and WhatsApp. Once installed, it gives the operators access to device information, call logs, messages, contacts, user files, and location, and can take photos, enable the microphone, and install additional apps.
“This group has aggressively responded to our detection and blocking of its activity and domain infrastructure. For example, Bitter would attempt to post broken links or images of malicious links so that people would have to type them into their browser rather than click on them — all in an attempt to unsuccessfully evade enforcement,” Meta notes.
Operating out of Pakistan, the second group of hackers is APT36. Also tracked as Transparent Tribe, Earth Karkaddan, Operation C-Major, PROJECTM, and Mythic Leopard, the group is believed to be linked to the Pakistani government.
APT36 has been observed targeting government officials, human rights activists, military personnel, students, and non-profit organizations in Afghanistan, India, Pakistan, Saudi Arabia, and UAE.
The APT has been creating fictitious personas – such as recruiters or attractive young women – to build trust with potential victims. For malware delivery it used custom infrastructure, including domains masquerading as app stores and photo-sharing websites, or spoofing legitimate domains.
The hackers have also been observed using link-shortening services to hide the final destination of their malicious URLs, and hosting malware on file-sharing services such as WeTransfer, so that the download itself comes from a legitimate, widely trusted host.
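Both groups lean on the same two link-level tricks described above: Bitter APT posts deliberately broken links (or screenshots of links) that a target has to retype, and APT36 hides its destinations behind URL shorteners and file-sharing hosts. The following is an added example, not code from the original report or from Meta: a small Python triage routine that "refangs" broken links in user-posted text, extracts every URL candidate, and flags the evasion signals a moderation or detection pipeline would care about. The shortener list, the file-sharing list, and the sample posts are constructed for this example and are assumptions, not indicators from the report.

```python
import re
from urllib.parse import urlsplit

# Constructed watch-lists for this example (assumptions, not lists from Meta's report):
# shorteners that hide the final destination, and file-sharing hosts like the
# WeTransfer service the article says APT36 used to host payloads.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "is.gd", "rb.gy"}
FILE_SHARING_HOSTS = {"wetransfer.com", "we.tl"}

# URL candidate: optional scheme, one or more dotted labels, an alphabetic TLD,
# optional port and path. Deliberately loose; false positives are cheap here.
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/[^\s,<>\"')]*)?",
    re.I,
)


def refang(text):
    """Undo the common ways a link is 'broken' so it cannot be clicked:
    hxxp:// schemes, bracketed dots such as example[.]com, and ' dot ' spelled out."""
    t = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.I)
    t = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\s*\[dot\]\s*|\s+dot\s+", ".", t, flags=re.I)
    return t


def extract_links(text):
    """Return every URL candidate in a post together with the evasion signals it shows."""
    refanged = refang(text)
    findings = []
    for match in URL_RE.finditer(refanged):
        posted = match.group(0)
        flags = []
        # If the repaired link never appeared verbatim in the post, it was defanged.
        if posted not in text:
            flags.append("defanged")
        # A bare domain with no scheme is something the reader is meant to type in.
        url = posted if posted.lower().startswith("http") else "http://" + posted
        if url != posted:
            flags.append("no_scheme")
        host = (urlsplit(url).hostname or "").lower()
        bare = host[4:] if host.startswith("www.") else host
        if bare in SHORTENER_HOSTS:
            flags.append("shortener")
        if bare in FILE_SHARING_HOSTS:
            flags.append("file_sharing")
        findings.append({"posted": posted, "url": url, "host": host, "flags": flags})
    return findings


def suspicious_links(text):
    """Only the candidates that carry at least one evasion signal."""
    return [f for f in extract_links(text) if f["flags"]]


if __name__ == "__main__":
    # Constructed sample posts; the second mimics the 'copy it, do not click' pattern.
    SAMPLE_POSTS = [
        "Hi! My photos are at hxxps://we[.]tl/t-abc123 , paste it into your browser",
        "new chat app here: bit.ly/3xYzAbC (don't click, copy it)",
        "Normal message with https://www.example.org/about",
    ]
    for post in SAMPLE_POSTS:
        for finding in suspicious_links(post):
            print(finding["host"], finding["flags"], "<-", finding["posted"])
```

The `defanged` check compares the repaired candidate against the original post text rather than tracking character offsets, which keeps the refang step free to change string length. A real pipeline would resolve shortener redirects server-side and pivot on the final host; this example stops at the signals visible in the post itself.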
In some attacks, the group used LazaSpy, a modified version of XploitSPY, an open-source Android spyware project available on GitHub.
In other incidents, APT36 deployed non-official versions of YouTube, WhatsApp, and WeChat injected with Mobzsar or CapraSpy. Both families can access call logs, contacts, files, location, messages, and photos on the victim device, and can enable the microphone.
“Our investigations and malware analysis into advanced persistent threat (APT) groups show a notable trend in which APTs choose to rely on openly available malicious tools, including open-source malware, rather than invest in developing or buying sophisticated offensive capabilities,” Meta notes.