Meta (Facebook) has released its Q2 2022 adversarial threat report, and among the highlights is the discovery of two cyber-espionage clusters connected to hacker groups known as ‘Bitter APT’ and APT36 (aka ‘Transparent Tribe’) using new Android malware.
These cyberspying operatives use social media platforms like Facebook to collect intelligence (OSINT) or to befriend victims using fake personas and then drag them to external platforms to download malware.
Both APT36 and Bitter APT were observed orchestrating cyber-espionage campaigns earlier this year, so Facebook’s report gives a new dimension to their recent activities.
The Pakistan-aligned state-sponsored actor APT36 was recently exposed in a campaign targeting the Indian government using MFA-bypassing tools.
The Bitter APT was also observed in May 2022, targeting the government of Bangladesh with a new malware that featured remote file execution capabilities.
Bitter APT using new Android spyware
Meta’s report explains that Bitter APT engaged in social engineering against targets in New Zealand, India, Pakistan, and the United Kingdom, using lengthy interactions and investing significant time and effort.
The group’s goal was to infect its targets with malware, and for this purpose, it used a combination of URL shortening services, compromised sites, and third-party file hosting providers.
“This group has aggressively responded to our detection and blocking of its activity and domain infrastructure,” comments Meta in the report.
“For example, Bitter would attempt to post broken links or images of malicious links so that people would have to type them into their browser rather than click on them — all in an attempt to unsuccessfully evade enforcement.”
Bitter’s recent attacks also revealed additions in the threat actor’s arsenal in the form of two mobile apps, targeting iOS and Android users, respectively.
The iOS version was a chat app delivered via Apple’s Testflight service, a testing space for app developers. Typically, threat actors convince victims to download these chat apps by presenting them as “safer” or “more secure.”
The Android app discovered by Facebook is a new malware that Meta named ‘Dracarys,’ which abuses accessibility services to give itself increased permissions without the user’s consent.
From there, it would inject itself into various Android apps to act as spyware, stealing text messages, installing apps, and recording audio.
“Bitter injected Dracarys into trojanized (non-official) versions of YouTube, Signal, Telegram, WhatsApp, and custom chat applications capable of accessing call logs, contacts, files, text messages, geolocation, device information, taking photos, enabling microphone, and installing apps,” explained Meta’s report.
Meta underscores that Dracarys passes undetected on all existing anti-virus engines, highlighting Bitter’s capabilities to create stealthy custom malware.
APT36 relies on commodity tools
APT36 is a much less sophisticated threat actor, yet still, a potent threat that relies on intricate social engineering tactics and readily available malware.
The latest activity discovered by Meta targeted people in Afghanistan, India, Pakistan, the United Arab Emirates, and Saudi Arabia, focusing specifically on military officials and human rights activists.
Members of APT36 created accounts on Facebook posing as recruiters for spoofed or fictitious firms and used the WeTransfer file sharing service to send supposed job offers to their targets.
The downloaded files contained a modified version of XploitSPY, which Meta named ‘LazaSpy.’ The actor’s modifications include a failed implementation of a geo-restricted targeting mechanism.
Apart from LazaSpy, APT36 also employed Mobzsar, a commodity malware that enables operators to access call logs, contact lists, SMS, GPS data, photos, and the microphone.