Meta, the parent company of Facebook, took action earlier this year against two cross-platform cyberespionage operations that relied on a number of websites to distribute malware. The first of the two groups Meta disrupted during the second quarter is Bitter APT. The group, also tracked as T-APT-17, has been active since at least 2013 and primarily targets government, engineering, and energy organizations.
Meta has observed the group targeting victims in India, New Zealand, Pakistan, and the United Kingdom with malware, abusing link-shortening services, malicious and compromised websites, and third-party hosting providers along the way. To make contact with potential victims and gain their trust before luring them into downloading malware, the group created fake personas posing as young women, journalists, or activists.
Bitter APT has also been observed deploying an iOS chat application delivered through Apple's TestFlight service. It is not clear, however, whether the app itself was malicious or whether its main purpose was social engineering. To carry out malicious actions on compromised devices, the attackers additionally used an Android malware family that abused the platform's accessibility services. The malware, known as Dracarys, was injected into unofficial versions of applications including Signal, Telegram, YouTube, and WhatsApp. It could access location data, user files, call logs, messages, contacts, and images, and could also install applications.
“This group has aggressively responded to our detection and blocking of its activity and domain infrastructure. For example, Bitter would attempt to post broken links or images of malicious links so that people would have to type them into their browser rather than click on them — all in an attempt to unsuccessfully evade enforcement,” notes Meta.
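The tactic Meta describes above only works because link enforcement typically matches on rendered, clickable URLs; a "broken" link that the victim retypes never hits that check. The following is an added example, not code from Meta or from the original article, of how a platform-integrity or SOC engineer might close that gap: normalize common URL-breaking conventions in posted text and then match the recovered hostnames against a blocklist. The blocklist domains and sample posts are constructed placeholders, and the specific defanging forms handled (hxxp, `[.]`, `(dot)`, `[:]`) are assumptions, since the report says only that the group posted broken links.

```python
import re
from typing import Dict, List

# Constructed blocklist of domains; placeholders, not real threat infrastructure.
BLOCKED_DOMAINS = {"malicious-example.test", "fake-portal.test"}

# Common ways to "break" a URL so a platform will not render it as a clickable link.
# The exact forms are assumptions; bracket rules run first so that "hxxp[:]//" is
# fully reassembled before the hxxp scheme rule is applied.
_DEFANG_RULES = [
    (re.compile(r"\s*[\[\(\{]\s*\.\s*[\]\)\}]\s*"), "."),                  # example[.]com
    (re.compile(r"\s*[\[\(\{]\s*dot\s*[\]\)\}]\s*", re.I), "."),            # example(dot)com
    (re.compile(r"\s*[\[\(\{]\s*:\s*[\]\)\}]\s*"), ":"),                    # http[:]//
    (re.compile(r"\bh\s*x\s*x\s*p(s?)\s*:\s*/\s*/", re.I), r"http\1://"),  # hxxps:// -> https://
]

# A hostname is a dotted sequence of labels, optionally preceded by a scheme.
_HOST_RE = re.compile(r"\b(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def refang(text: str) -> str:
    """Undo common URL-breaking tricks so the text can be matched like a normal link."""
    for pattern, repl in _DEFANG_RULES:
        text = pattern.sub(repl, text)
    return text


def extract_hosts(text: str) -> List[str]:
    """Hostnames found in text after refanging, lowercased, in order of appearance."""
    return [m.group(1).lower().rstrip(".") for m in _HOST_RE.finditer(refang(text))]


def _is_blocked(host: str) -> bool:
    # Match the blocked domain itself or any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def blocked_hosts(text: str) -> List[str]:
    """Hostnames in text that belong to a blocked domain, even when the link was 'broken'."""
    return [h for h in extract_hosts(text) if _is_blocked(h)]


# Constructed sample posts, imitating the evasion described in the report.
SAMPLE_POSTS = [
    "Hi, read my article here: hxxps://news[.]malicious-example[.]test/story",
    "Profile pics at fake-portal (dot) test , just type it in",
    "Normal message with http://benign-site.test/page",
]


def scan_posts(posts: List[str]) -> Dict[int, List[str]]:
    """Map each post index to the blocked hostnames it references."""
    return {i: blocked_hosts(p) for i, p in enumerate(posts)}


if __name__ == "__main__":
    for idx, hits in scan_posts(SAMPLE_POSTS).items():
        print(f"post {idx}: {'BLOCK ' + ', '.join(hits) if hits else 'ok'}")
```

The refang step is deliberately narrow: it rewrites only bracketed separators and the hxxp scheme, because broader rewrites (for example treating every bare " dot " as a separator) would turn ordinary prose into phantom hostnames. Screenshots of links, which the report also mentions, need an OCR stage in front of the same pipeline.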
The second group is APT36, based in Pakistan. The group is believed to be associated with the Pakistani government and is also tracked as Transparent Tribe, Earth Karkaddan, Operation C-Major, PROJECTM, and Mythic Leopard. APT36 has been observed targeting government employees, human rights advocates, military personnel, students, and non-profit organizations in Afghanistan, India, Pakistan, Saudi Arabia, and the United Arab Emirates.
To gain the trust of potential victims, the group created fake personas such as recruiters or attractive young women. It used dedicated infrastructure for malware distribution, including spoofed versions of legitimate domains and fake app stores and photo-sharing websites. The attackers were also seen hosting malware on file-sharing platforms such as WeTransfer and using link-shortening services to hide their malicious URLs.
In some attacks, the group used LazaSpy, a modified version of the XploitSPY Android spyware that is publicly available on GitHub. In other incidents, APT36 used unofficial versions of WeChat, WhatsApp, and YouTube injected with the Mobzsar or CapraSpy spyware. These apps can access a range of data on the victim's device, including call logs, files, contacts, messages, location, and photos, and can also activate the microphone.
“Our investigations and malware analysis into advanced persistent threat (APT) groups show a notable trend in which APTs choose to rely on openly available malicious tools, including open-source malware, rather than invest in developing or buying sophisticated offensive capabilities,” notes Meta.