Attackers have been targeting the Kurdish ethnic group for over a year through a Facebook-based spyware campaign that disguises backdoors in legitimate Android apps, researchers have found.
Pro-Kurd Facebook profiles deliver ‘888 RAT’ and ‘SpyNote’ trojans, masked as legitimate apps, to perform mobile espionage.
A group called BladeHawk is behind the campaign, discovered by researchers from cyber-security firm ESET and active since at least March 2020, according to a report published this week. The campaign disguises the 888 RAT in Android apps using dedicated Facebook profiles, researchers said.
“These profiles appeared to be providing Android news in Kurdish, and news for the Kurds’ supporters,” ESET malware researcher Lukas Stefanko wrote in the report, published Wednesday. “Some of the profiles deliberately spread additional spying apps to Facebook public groups with pro-Kurd content.”
Android Spying Apps
In all, researchers identified six profiles as part of the BladeHawk campaign, which have been sharing the Android spying apps and targeted about 11,000 followers through 28 unique posts. The profiles have been reported to Facebook and since disabled, Stefanko said.
Each of these posts in the campaign contained fake app descriptions and links to download an app, according to the post. Researchers downloaded 17 unique Android application packages (APKs) from these links, some of which pointed directly to the malicious apps.
“Two of the profiles were aimed at tech users, while the other four posed as Kurd supporters,” he wrote. “All these profiles were created in 2020 and shortly after creation they started posting these fake apps. These accounts, except for one, have not posted any other content besides Android RATs masquerading as legitimate apps.”
Other links pointed to the third-party upload service top4top.io, which tracks the number of file downloads. Data from that service shows that there have been at least 1,481 downloads of the malicious apps from URLs promoted in just a few Facebook posts between July 20, 2020 and June 28, 2021, researchers found.
Attackers also shared espionage apps to public Facebook groups, most of which support Masoud Barzani, the former president of the Kurdistan Region, Stefanko stated.
The key payload of the campaign is the multiplatform 888 RAT, which previously was used in two other organised campaigns: one targeting TikTok users with TikTok Pro spyware and another by the Kasablanka group, according to ESET.
888 RAT was originally published only for the Windows ecosystem and sold on the Dark Web for $80. In June 2018, a Pro version of the RAT costing $150 extended its capability to Android, while an Extreme version released later and sold for $200 could create Linux-based payloads as well.
The 888 RAT used in the BladeHawk campaign includes the ability to: steal and delete files from a device; take screenshots; get device location; get a list of installed apps; steal user photos; take photos; record surrounding audio and phone calls; make calls; steal SMS messages; steal the device’s contact list; and send text messages.
Phish Facebook Credentials
The RAT also can phish Facebook credentials by deploying an activity that appears to be coming from the legitimate Facebook app, Stefanko wrote.
“When the user taps on the recent apps button, this activity will seem legitimate,” he wrote. “However, after a long press on this app’s icon, as in Figure 8, the true app name responsible for the Facebook login request is disclosed.”
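The two traits described above, the RAT's spying feature set and a login activity labelled as if it belonged to Facebook, can both be checked statically from an app's manifest before it is ever run. The following triage script is an added example, not ESET's tooling or anything from the report. It assumes the manifest has already been decoded to plain XML (for instance with apktool), since the binary AXML format inside an APK is not parsed here; the permission-to-capability mapping, the brand/package table and the scoring are the author's own assumptions, and both sample manifests are constructed, not real indicators from the campaign.

```python
"""Static triage of a decoded AndroidManifest.xml for two traits from the
BladeHawk write-up: a permission set that covers the 888 RAT spying
features, and an activity whose label impersonates another app (the
Facebook login phishing activity). Added example; assumes a decoded,
plain-text manifest as produced by apktool."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


# Feature -> permissions that feature needs on Android. Assumed mapping,
# built from the capability list in the report, not from the malware itself.
CAPABILITY_PERMISSIONS = {
    "record audio / calls": {"android.permission.RECORD_AUDIO"},
    "make calls": {"android.permission.CALL_PHONE"},
    "steal SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "send SMS": {"android.permission.SEND_SMS"},
    "steal contacts": {"android.permission.READ_CONTACTS"},
    "device location": {"android.permission.ACCESS_FINE_LOCATION",
                        "android.permission.ACCESS_COARSE_LOCATION"},
    "take photos": {"android.permission.CAMERA"},
    "steal/delete files and photos": {"android.permission.READ_EXTERNAL_STORAGE",
                                      "android.permission.WRITE_EXTERNAL_STORAGE"},
}

# Brand label -> package prefix that legitimately carries it (assumed table).
IMPERSONATED_BRANDS = {"facebook": "com.facebook."}


def parse_manifest(xml_text):
    """Extract package name, requested permissions and declared activities."""
    root = ET.fromstring(xml_text)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    activities = [{"name": attr(a, "name"), "label": attr(a, "label") or ""}
                  for a in root.iter("activity")]
    return {"package": root.get("package"), "permissions": perms, "activities": activities}


def impersonating_activities(manifest):
    """Activities whose label names a brand the package does not belong to.
    The recents screen shows the activity label, which is how the phishing
    screen passes as Facebook until the icon is long-pressed."""
    hits = []
    for act in manifest["activities"]:
        for brand, real_prefix in IMPERSONATED_BRANDS.items():
            if brand in act["label"].lower() and not manifest["package"].startswith(real_prefix):
                hits.append((act["name"], act["label"]))
    return hits


def spying_capabilities(manifest):
    """Report which RAT-style features the requested permissions would allow."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                  if needed & manifest["permissions"])


def triage(xml_text):
    """Summarise one manifest; the score weighting is an assumption."""
    m = parse_manifest(xml_text)
    caps = spying_capabilities(m)
    fakes = impersonating_activities(m)
    return {"package": m["package"], "capabilities": caps,
            "impersonating_activities": fakes, "score": len(caps) + 3 * len(fakes)}


# Constructed sample: a news app that requests RAT-grade permissions and
# declares a login activity labelled "Facebook". Not a real indicator.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.kurdnews">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Kurd News">
    <activity android:name=".MainActivity" android:label="Kurd News"/>
    <activity android:name=".LoginActivity" android:label="Facebook"/>
  </application>
</manifest>
"""

# Constructed benign sample for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity" android:label="Notes"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage(text))
```

The label check is the piece worth keeping in a review pipeline: a brand name in an activity label that the package cannot legitimately claim is exactly what a user sees in the recents screen, and it costs nothing to flag at install-review time. The permission score is only a prioritisation hint, since many legitimate apps request several of these permissions.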
ESET has published a list of file names, Facebook profiles and groups, and distribution and phishing links associated with the BladeHawk campaign in the post.