SideCopy, a Pakistani threat actor, is said to have used the platform to target people with ties to the Afghan government, military and law enforcement in Kabul.
Between April and August 2021, the campaign, which Meta described as a “well-resourced and persistent operation,” involved sending malicious links, often shortened with URL-shortener services, to websites hosting malware. The operators posed as young women and used romantic lures to get recipients to click the phishing links or download trojanized chat applications.
Meta, formerly known as Facebook, announced on Tuesday that it had taken action against four separate malicious cyber groups from Pakistan and Syria that had been found targeting people in Afghanistan, as well as journalists, humanitarian organisations and anti-regime military forces in the West Asian country.
Meta classified three hacking networks as linked to the Syrian government and Syria’s Air Force Intelligence:
- The Syrian Electronic Army targeted humanitarian organisations, journalists and activists in Southern Syria, government critics and individuals associated with the anti-regime Free Syrian Army with phishing links that delivered a mix of commercially available and custom malware, such as njRAT and HmzaRat, designed to harvest sensitive user information.
- APT-C-37 used the malware known as SandroRAT and an in-house developed malware family known as SSLove to target people linked to the Free Syrian Army and military personnel affiliated with opposition forces, through social engineering schemes that duped users into visiting websites posing as Telegram, Facebook, YouTube and WhatsApp, as well as content focused on Islam.
- An unnamed government-linked hacking group targeted minority groups, activists, the opposition in Southern Syria, Kurdish journalists, and members of the People’s Protection Units and Syria Civil Defense. The operation took the form of social engineering attacks that shared links to websites hosting malware-laced apps mimicking WhatsApp and YouTube, which installed the SpyNote and SpyMax remote administration tools on victims’ devices.
Mike Dvilyanski, head of cyber espionage investigations, and David Agranovich, director of threat disruption at the social technology firm, concluded that “To disrupt these malicious groups, we disabled their accounts, blocked their domains from being posted on our platform, shared information with our industry peers, security researchers, and law enforcement and alerted the people we believe were targeted by these hackers.”
Indicators of Compromise
1. Pakistan
Domains & C2s:
| Domain | Description |
| --- | --- |
| androappstore[.]com | Hosting PJobRAT and Mayhem |
| www[.]apphububstore[.]in | Hosting PJobRAT |
| appsstore[.]in | Hosting PJobRAT |
| apkstore.filehubspot[.]com | Believed to be hosting PJobRAT |
| helloworld.bounceme[.]net | Command and control server for PJobRAT |
| dasvidaniya.ddns[.]net | Command and control server for PJobRAT |
| gemtool.sytes[.]net | Command and control server for PJobRAT |
| saahas.servecounterstrike[.]com | Command and control server for Mayhem |
Hashes:
| MD5 | Description | Malware Family |
| --- | --- | --- |
| 7804aa608d73e7a9447ae177c31856fe | ViberLite v4 | PJobRAT |
| a80a1b022fdcaa171e454086711dcf35 | ViberLite v3 | PJobRAT |
| a4f104e2058261c7dbfc1c69e1de8bce | ViberLite v2 | PJobRAT |
| 4ce92da8928a8d1d72289d126a9fe2f4 | HangOn V4e | PJobRAT |
| a53c74fa923edce0fa5919d11f945bcc | HangOn v4 | PJobRAT |
| 9fd4b37cbaf0d44795319977118d439d | HangOn | PJobRAT |
| 7bef7a2a6ba1b2aceb84ff3adb5db8b3 | TrendBanter | PJobRAT |
| 21b4327d6881be1893fd2a8431317f6b | Happy Chat | Mayhem |
2. APT-C-37
Domains & C2s:
| Domain / IP | Description |
| --- | --- |
| 82.137.255[.]0 | Long running command and control server |
Hashes:
| MD5 | Description | Malware Family |
| --- | --- | --- |
| 969fe5597a44bf4eb66ebdc7b09ef2c8 | Fake version of WhatsApp | SSLove |
3. Unnamed Cluster
Domains & C2s:
| Domain / IP | Description |
| --- | --- |
| f-b[.]today | Hosting SpyMax |
| messengers[.]video | Hosting SpyMax |
| whatsapp-sy[.]com | Hosting SpyMax |
| horan-free[.]com | Believed to have been hosting SpyMax |
| druze[.]life | Believed to have been hosting SpyMax |
| suwayda-24[.]com | Believed to have been hosting SpyMax |
| t-me[.]link | Believed to have been hosting SpyMax |
| lamat-horan[.]com | Hosting unnamed Android malware |
| anti-corona[.]app | Believed to have been hosting SpyMax |
| what-sapp[.]site | Believed to have been hosting SpyMax |
| informnapalm[.]net | Hosting trojanized apps for the YPG, Syrian Civil Defense, and malware pretending to be an update for WhatsApp. |
| facebook-helps-center[.]com | Older infrastructure hosting SpyMax malware pretending to be a WhatsApp update. |
| 46.4.83[.]140 | Command and control server |
| sputniknews[.]news | Believed to be attacker controlled |
| emmashop[.]app | Believed to be attacker controlled |
| face-book[.]xyz | Believed to be attacker controlled. |
Hashes:
| MD5 | Description | Malware Family |
| --- | --- | --- |
| 762acdd53eb35cd48686b72811ba9f3c | Hosted on lamat-horan[.]com. First seen in 2019. 0 detections on VT. | Unnamed |
| fcf357556c3af14bab820810f5e94436 | Hosted on f-b[.]today. Masquerading as a Syrian satellite TV app. | SpyMax |
| e8a528491b28e4d62a472da7396c7047 | Hosted on f-b[.]today. Masquerading as a YouTube update. | SpyMax |
| 1c16ee8b2f0dff7280e1d97522ee7e3f | Hosted on informnapalm[.]net. A Syria themed APK. | SpyNote |
| ce274c0bd0743695529a43d7992e2d2c | Hosted on informnapalm[.]net. Masquerading as a WhatsApp update. | SpyMax |
| 185062606b168f04b8b583045d300be5 | Hosted on informnapalm[.]net. Masquerading as an app for the YPG. | SpyMax |
| c2e55b0d7be1c1991a5b70be7280e528 | Hosted on informnapalm[.]net. Masquerading as an app for the Syrian Civil Defence. | SpyMax |
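The indicator tables above are published defanged (`[.]` in place of `.`), so before they can be loaded into a DNS or proxy alerting pipeline they need to be refanged, typed and validated. The following is an added example, not code from Meta's report: it parses a constructed excerpt of the tables in the same `value | description | family |` row format, rejects anything that is not a well-formed MD5, IP or domain (a stray character in a copied hash would otherwise silently never match), and then runs the domain and IP indicators over a few constructed DNS log lines in an assumed `key=value` format. Domain matching is exact-or-subdomain so that `update.helloworld.bounceme.net` hits while an unrelated name that merely ends in the same characters does not.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the report's IoC tables, in the defanged form the page uses.
# The last row is a deliberately malformed, constructed hash to exercise validation;
# it is not an indicator from the report.
RAW_IOC_TABLE = """\
androappstore[.]com | Hosting PJobRAT and Mayhem |
helloworld.bounceme[.]net | Command and control server for PJobRAT |
82.137.255[.]0 | Long running command and control server |
46.4.83[.]140 | Command and control server |
f-b[.]today | Hosting SpyMax |
7804aa608d73e7a9447ae177c31856fe | ViberLite v4 | PJobRAT |
969fe5597a44bf4eb66ebdc7b09ef2c8 | Fake version of WhatsApp | SSLove |
g0000000000000000000000000000000 | constructed malformed hash | Test |
"""

# Constructed DNS log lines (assumed key=value format, RFC 5737 answer addresses).
SAMPLE_DNS_LOG = [
    "2021-06-03T08:12:44Z host=wks-11 query=update.helloworld.bounceme.net type=A answer=203.0.113.7",
    "2021-06-03T08:12:45Z host=wks-11 query=example.org type=A answer=198.51.100.2",
    "2021-06-03T08:13:02Z host=wks-04 query=notandroappstore.com type=A answer=198.51.100.9",
    "2021-06-03T08:13:30Z host=wks-04 query=cdn.example.net type=A answer=46.4.83.140",
    "2021-06-03T08:14:01Z host=wks-07 query=f-b.today type=A answer=192.0.2.10",
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def refang(value: str) -> str:
    """Turn the page's defanged notation (x[.]y) back into a real, lower-cased indicator."""
    return value.strip().lower().replace("[.]", ".")


def classify(value: str) -> str:
    """Type a refanged indicator as md5, ip or domain; anything else is 'invalid'."""
    if MD5_RE.match(value):
        return "md5"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(value):
        return "domain"
    return "invalid"


def parse_ioc_table(text: str) -> List[Dict[str, str]]:
    """Parse 'value | description | [family] |' rows into typed records."""
    records = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|") if c.strip()]
        if not cells:
            continue
        value = refang(cells[0])
        records.append({
            "value": value,
            "type": classify(value),
            "description": cells[1] if len(cells) > 1 else "",
            "family": cells[2] if len(cells) > 2 else "",
        })
    return records


def domain_matches(query: str, indicator: str) -> bool:
    """Exact or subdomain match: a.b.c matches indicator b.c, but xb.c does not."""
    return query == indicator or query.endswith("." + indicator)


def scan_dns_log(records: List[Dict[str, str]], log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, matched_indicator, description) for every hit.

    A line hits if its 'query' matches a domain indicator or its 'answer' is a C2 IP.
    """
    domains = [r for r in records if r["type"] == "domain"]
    ips = {r["value"]: r for r in records if r["type"] == "ip"}
    hits = []
    for n, line in enumerate(log_lines, start=1):
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        query = fields.get("query", "").lower().rstrip(".")
        answer = fields.get("answer", "")
        for r in domains:
            if domain_matches(query, r["value"]):
                hits.append((n, r["value"], r["description"]))
                break
        else:
            if answer in ips:
                hits.append((n, answer, ips[answer]["description"]))
    return hits


if __name__ == "__main__":
    iocs = parse_ioc_table(RAW_IOC_TABLE)
    for r in iocs:
        if r["type"] == "invalid":
            print(f"rejected malformed indicator: {r['value']!r}")
    for n, indicator, desc in scan_dns_log(iocs, SAMPLE_DNS_LOG):
        print(f"line {n}: {indicator} ({desc})")
```

Rows whose value fails validation are kept in the parsed output with type `invalid` rather than dropped, so a review step can report them instead of quietly shipping a blocklist with a hole in it. The hash records are typed but not used by the DNS scan; they are the set you would feed to an endpoint or mail-gateway file-hash check.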