Kurdish ethnic group faces spyware attacks
Researchers have detected a mobile campaign that targeted the Kurdish ethnic group by deploying Android backdoors disguised as legitimate apps.
The attacks appear to have been active since March of last year. They also leveraged six Facebook profiles that claimed to provide tech and pro-Kurd content. Two of these targeted Android users, while the rest appeared to offer news for Kurdish supporters; their real purpose, however, was to share links to the spying apps in public Facebook groups. These profiles have been taken down since they were identified.
ESET researcher Lukas Stefanko noted that the campaign targeted the Kurdish ethnic group through 28 malicious Facebook posts, which led victims to download either the Android 888 RAT or SpyNote. The cybersecurity firm attributed the activity to the BladeHawk group.
At one point, the operators shared a Facebook post encouraging the download of a Snapchat app, which used a phishing website to capture Snapchat credentials. Regardless of which app was installed, every infection led to the deployment of the 888 RAT.
This commercial RAT can execute 42 commands received from its command-and-control (C&C) server. Its notable capabilities include stealing and deleting files from the device, taking screenshots, collecting the device's location, harvesting Facebook credentials, listing installed apps, collecting user photos, taking photos, recording calls, making calls, stealing messages and contact lists, and sending text messages.
The spying activity appears to be connected to other incidents observed in 2020, including a public disclosure from QiAnXin that described a BladeHawk attack following the same pattern: overlaps in the command-and-control servers used, the 888 RAT, and Facebook posts as the channel for delivering the malware.
Moreover, the Android 888 RAT is linked to two further campaigns. One involved spyware masquerading as TikTok, and the other was run by the Kasablanca Group, which used it in an information-gathering operation.