Security researchers from ESET report that a hacker group tracked as BladeHawk is targeting the Kurdish ethnic group with Android malware. The attackers use social media platforms to distribute fake mobile apps. The campaign is believed to have been active since at least March 2020.
The researchers also identified six Facebook profiles connected to BladeHawk. While active, these profiles posed as people from the technology industry and as supporters of the Kurdish cause, and posted links to the malicious applications.
According to the researchers, the apps were downloaded at least 1,481 times. BladeHawk's fake apps were marketed as Kurdish community news services, but each carried one of two commercially sold Android backdoors: 888 RAT (a remote access trojan) or SpyNote, both of which give the attackers remote surveillance access to the infected device.
“Both campaigns were distributed via Facebook, using malware that was built with commercial, automated tools (888 RAT and SpyNote), with all samples of the malware using the same C&C servers,” said ESET.
The Android version of 888 RAT, which only surfaced in 2019, is believed to be BladeHawk's primary payload. It executes commands received from the attacker's command-and-control (C2) server on the targeted device.
Once running on a target device and connected to the C2 server, the commercial trojan can execute a total of 42 commands. Its main capabilities include taking screenshots and photos, exfiltrating files, recording audio and video calls, stealing GPS location data, and monitoring phone calls. It can also intercept and steal SMS messages.
The researchers also link the same Android 888 RAT to two other campaigns: one that spreads a fake TikTok Pro app, and one run by Kasablanka, a cyberespionage group tracked by Cisco Talos.
“The newly discovered Android 888 RAT has been used by the Kasablanka group and by BladeHawk. Both of them used alternative names to refer to the same Android RAT – LodaRAT and Gaza007 respectively,” said ESET.