A year-long mobile espionage campaign has targeted the Kurdish ethnic group to deploy two Android backdoors that masquerade as legitimate apps.
According to researchers from ESET, the attack wave was conducted by the BladeHawk hacking group.
The campaign, which is believed to have been active since at least March last year, abuses Facebook and other social media platforms to distribute fake mobile apps.
The researchers have identified six Facebook profiles connected to BladeHawk, all of which have now been taken down.
While they were active, these profiles posed as individuals in the technology space and as Kurd supporters in order to share links to the group’s malicious apps.
The apps were hosted on third-party websites, rather than Google Play, and were downloaded 1,481 times.
BladeHawk’s fake applications were promoted as news services for the Kurdish community. However, they harbor 888 RAT and SpyNote, two Android-based Remote Access Trojans (RATs) that enable the attackers to spy on their victims.
SpyNote was found in only one sample, and it appears that 888 RAT is currently BladeHawk’s main payload. The commercial Trojan, a cracked and free version of which has been available online since 2019, is able to execute a total of 42 commands once it is running on a target device and a connection to the attacker’s command-and-control (C2) server has been established.
The main functions of the Trojan include taking screenshots and photos; exfiltrating files and sending them to a C2; deleting content, recording audio and monitoring phone calls; intercepting and either stealing or sending SMS messages; scanning contact lists; stealing GPS location data; and the exfiltration of credentials from Facebook, among other functions.
According to the researchers, the RAT may also be linked to two other campaigns – one that involved spyware disguised as TikTok and an information-gathering operation undertaken by the Kasablanca Group.