Researchers from ESET reported on Tuesday that reveal a year – long mobile spying campaign attacking the Kurdish Ethnic group which includes the deployment of two Android backdoors that noted as legitimate apps.
“Most of the malicious Facebook posts led to downloads of the commercial, multi-platform 888 RAT, which has been available on the black market since 2018”.Atleast 28 Malware Facebook posts lead potential victims to download Android 888 Rat or Spyware.
Researchers observed that atleast from march 2020, The attacks was divided into six dedicated Facebook Profiles with that two are aimed at Android users while other Four are appeared to provide news for the Kurdish Supporters.The Slovakian Cybersecurity reffered the group as BladeHawk.
“We identified six Facebook profiles as part of this BladeHawk campaign, sharing these Android spying apps. We reported these profiles to Facebook and they have all been taken down. Two of the profiles were aimed at tech users while the other four posed as Kurd supporters. All these profiles were created in 2020 and shortly after creation they started posting these fake apps. These accounts, except for one, have not posted any other content besides Android RATs masquerading as legitimate apps.”
“These profiles are also responsible for sharing espionage apps to Facebook public groups, most of which were supporters of Masoud Barzani, former President of the Kurdistan Region; an example can be seen in Figure 1. Altogether, the targeted groups have over 11,000 followers.” reads the blogpost.
According to ESET, the most infections out of the top ten are in India, Ukraine, and the United Kingdom over a three-year period beginning on August 18, 2018, with Romania, the Netherlands, Pakistan, Iraq, Russia, Ethiopia, and Mexico.
The Similar Attack was closely linked to two additional events that came to light in 2020, including the public exposure of a BladeHawk attack on C&C servers with overlaps, 888 RAT, and Facebook dependence in terms of malware delivery by QiAnxin, a chinese cybersecurity services firm.
The infection chain concludes in the deployment of the 888 RAT, regardless of the app installed. Originally designed as a $80 Windows remote access trojan (RAT), the implant’s increased capabilities have allowed it to target Android and Linux systems for an additional $150 (Pro) and $200 (Extreme) correspondingly.
IOC’s for this threat can be found here.