Cybersecurity researchers on Tuesday released new findings that reveal a year-long mobile espionage campaign against the Kurdish ethnic group to deploy two Android backdoors that masquerade as legitimate apps.
Active since at least March 2020, the attacks leveraged as many as six dedicated Facebook profiles that claimed to offer tech and pro-Kurd content — two aimed at Android users while the other four appeared to provide news for the Kurdish supporters — only to share links to spying apps on public Facebook groups. All the six profiles have since been taken down.
“It targeted the Kurdish ethnic group through at least 28 malicious Facebook posts that would lead potential victims to download Android 888 RAT or SpyNote,” ESET researcher Lukas Stefanko said. “Most of the malicious Facebook posts led to downloads of the commercial, multi-platform 888 RAT, which has been available on the black market since 2018.”
The Slovakian cybersecurity firm attributed the attacks to a group it refers to as BladeHawk.
In one instance, the operators shared a Facebook post urging users to download a “new snapchat” app that’s designed to capture Snapchat credentials via a phishing website. A total of 28 rogue Facebook posts have been identified as part of the latest operation, complete with fake app descriptions and links to download the Android app, from which 17 unique APK samples were obtained. The spying apps were downloaded 1,481 times from July 20, 2020, until June 28, 2021.
Regardless of the app installed, the infection chain culminates in the deployment of the 888 RAT. Originally conceived as a Windows remote access trojan (RAT) for a price tag of $80, new capabilities added to the implant have allowed it to target Android and Linux systems at an added cost of $150 (Pro) and $200 (Extreme), respectively.
The commercial RAT runs the typical spyware gamut in that it’s equipped to run 42 commands received from its command-and-control (C&C) server. Some of its prominent functions include the ability to steal and delete files from a device, take screenshots, amass device location, swipe Facebook credentials, get a list of installed apps, gather user photos, take photos, record surrounding audio and phone calls, make calls, steal SMS messages and contact lists, and send text messages.
According to ESET, India, Ukraine, and the U.K. account for the most infections over the three-year period starting from August 18, 2018, with Romania, The Netherlands, Pakistan, Iraq, Russia, Ethiopia, and Mexico rounding off the top 10 spots.
The espionage activity has been linked directly to two other incidents that came to light in 2020, counting a public disclosure from Chinese cybersecurity services company QiAnXin that detailed a BladeHawk attack with the same modus operandi, with overlaps in the use of C&C servers, 888 RAT, and the reliance on Facebook for distributing malware.
Additionally, the Android 888 RAT has been connected to two more organized campaigns — one that involved spyware disguised as TikTok and an information-gathering operation undertaken by the Kasablanca Group.