SOCIAL MEDIA: Taking Action Against Hackers In Pakistan And Syria

dWeb.News Article from Daniel Webster dWeb.News

We took action against four distinct hackers from Pakistan, Syria and other countries.

The malicious activity of Pakistan targeted Afghans.

Three distinct hacking groups originated from Syria targeted people in Syria including journalists, humanitarian organizations, and anti-regime military units. These three hacking groups were linked to the Syrian government, which includes Syria’s Air Force Intelligence.

Today, we are sharing actions we’ve taken against four distinct groups of hackers in Pakistan and Syria over the past several months. We blocked their domains from being uploaded to our platform, disabled their accounts, and shared information with industry peers, security researchers, and law enforcement.

The group from Pakistan — known in the security industry as SideCopy — targeted people who were connected to the previous Afghan government, military, and law enforcement in Kabul. Three distinct hacker networks were removed from Syria by us. The first network in Syria — known as the Syrian Electronic Army — targeted human rights activists, journalists and other groups opposing the ruling regime. This activity was linked to Syria’s Air Force Intelligence. The second network from Syria — known in the security community as APT-C-37 — targeted people linked to the Free Syrian Army and former military personnel who had since joined the opposition forces. Our investigation linked this activity by APT-C-37 to what we believe is a separate unit in Syria’s Air Force Intelligence. The third network, which originated from Syria, targeted activists, Kurdish journalists and activists as well as members of the People’s Protection Units. It also targeted Syrian Civil Defense or White Helmets volunteers-based humanitarian organisation. This activity was linked to individuals who are associated with the Syrian government.

Meta’s threat intelligence analysts and security experts work to find and stop a wide range of threats including cyber espionage campaigns, influence operations and hacking of our platform by nation-state actors and other groups. Our teams regularly disrupt adversary operations by disabling them and notifying users if they should protect their accounts. We also share our findings publicly to continue to improve the security of our products.

Here are the details on each disruption:

1. Pakistan

In August, we removed a group of hackers from Pakistan, known in the security industry as SideCopy, that targeted people in Afghanistan, particularly those with links to the Afghan government, military and law enforcement in Kabul. Given the ongoing crisis and the government collapse at the time, we moved quickly to complete the investigation and take action to protect people on our platform, share our findings with industry peers, law enforcement and researchers, and alert those who we believe were targeted. In addition, we rolled out a number of security measures for people in Afghanistan to protect their Facebook accounts. This malicious activity displayed the characteristics of a persistent, well-resourced operation that conceals who is behind it. On our platform, this cyber espionage campaign ramped up between April and August of 2021 and manifested primarily in sharing links to malicious websites hosting malware.

We identified the following techniques, techniques, and procedures (TTPs), used by this threat actor throughout the internet, including our apps (threat indicators are found at the conclusion of the report).

This group created fictitious persons — usually young women — to create trust and trick potential targets into downloading malicious chat programs or clicking on phishing URLs.

They created fake app stores and compromised legitimate websites to host malicious Phishing pages in order to trick people into giving their Facebook credentials.

SideCopy attempted to trick people into installing trojanized chat apps (i.e.
SideCopy attempted to trick people into installing trojanized chat apps (i.e. There were apps called HappyChat and TeleChat. Some of these were actually functioning chat apps.
These apps typically included two malware families: PJobRAT and a previously unreported Android malware strain we are calling Mayhem. These families can retrieve contact information, call logs and location information. They also have the ability to access media files on the device, connected storage and general metadata. Accessibility services allow them to access the screen of the device and retrieve any content.
In August, 2021, the group shifted to using bit[.]ly URL shortener links to mask the final destination they were redirecting their targets to after they clicked on the malicious link.

2. Syria

In October, we took down a hacking group, known in the security community as the Syrian Electronic Army (SEA) or APT-C-27, that targeted people in Syria, including humanitarian organizations, journalists and activists in Southern Syria, critics of the government, and individuals associated with the anti-regime Free Syrian Army. This threat actor was found to have been incorporated into the Syrian government forces over recent years. The latest activity was linked to Syria’s Air Force Intelligence. This campaign was mainly focused on targeting individuals with social engineering techniques to trick them into downloading malware or clicking on links.

We identified the following TTPs that were used by the threat actor on the internet, including our apps (threat indicators are found at the conclusion of the report).

This group shared phishing URLs to direct people to phishing sites or malware websites. They used phishing to trick their victims into giving their Facebook credentials.
They used a combination of commercially available (e.g., HWorm/njRAT for Windows) and custom-built malware families (e.g., HmzaRat Desktop for Windows and SilverHawk aka HmzaRAT for Android). They used Android malware to install trojanized apps, such as the United Nations, VPN Secure, and many popular chat apps, like Telegram, all hosted on attacker-controlled sites.

This group also used Android malware that was created with the open-source mobile application development tool Xamarin. It is currently being detected only by one antivirus engine in public viruses repositories. This malware was found in trojanized Telegram versions and a Syrian news app. It is being distributed only through phishing websites on the Vercel cloud platform.

The malware families SEA relied upon were capable of collecting sensitive user information once the device was compromised. This includes the ability to record audio or video, edit or retrieve file, as well as the ability to send and receive text messages and call logs.

3. Syria

In October, we took down a hacking group, known in the security community as APT-C-37, that targeted people linked to the Free Syrian Army and former military personnel who had since joined the opposition forces. Our investigation linked this activity by APT-C-37 to what we believe is a separate unit in Syria’s Air Force Intelligence. This operation on our platform involved social engineering tactics to trick people into clicking on links to malicious websites hosting malware or credential phishing campaigns aimed at obtaining access to people’s Facebook accounts.

We identified the following TTPs used by this threat actor across the internet, including on our apps (threat indicators can be found at the end of the report):

APT-C-37 has continued to use commodity malware known as SandroRAT in addition to an Android malware family known as SSLove, likely developed in-house.

This group used social engineering to trick their victims into visiting malicious websites. While some sites were focused on Islam content, others used fake app stores or domains that looked like popular services such as Telegram, Facebook and YouTube to trick their victims into visiting attacker-controlled websites.

APT-C-37 relied on Android malware with common malicious functionality to retrieve sensitive user data, including call logs, contact information, device information, user accounts, take photos, and retrieve attacker specified files.

4. Syria

We took down a hacking group that targeted minority groups; activists; opposition in Southern Syria, including in Sweida, Huran, Qunaitra and Daraa; Kurdish journalists, activists in Northern Syria, including Kamishl, Kubbani, Manbij, and Al-Hasakah; members of the People’s Protection Units (YPG); and Syria Civil Defense (the White Helmets, a volunteer-based humanitarian organization). We found connections between this activity, and individuals associated to the Syrian government. This operation was primarily social engineering and the sharing of links to malicious websites.

We identified the following TTPs used by this threat actor across the internet, including on our apps (threat indicators can be found at the end of the report):

This group shared links to attacker-controlled websites hosting Android malware masquerading as apps and updates themed around the United Nations, White Helmets, YPG, Syrian satellite TV, COVID-19, WhatsApp and YouTube.
This group was not separately tracked by security experts due to its reliance on commercially-available malware. Although this has likely reduced their effectiveness due to existing anti-virus detection targeting these commodity tools, it may have allowed them to hide among the noise.

This group used SpyMax and SpyNote to spread Android malware.

Threat Indicators

1. Pakistan

Domains & C2s:

Domain
Description
androappstore[.]com
Hosting PJobRAT and Mayhem
www[.]apphububstore[.]in
Hosting PJobRAT
appsstore[.]in
Hosting PJobRAT
apkstore.filehubspot[.]com
Believed to be hosting PJobRAT
helloworld.bounceme[.]net
Command and control server for PJobRAT
dasvidaniya.ddns[.]net
Command and control server for PJobRAT
gemtool.sytes[.]net
Command and control server for PJobRAT
saahas.servecounterstrike[.]com
Command and control server for Mayhem

Hashes:

MD5
Description
Malware Family
7804aa608d73e7a9447ae177c31856fe
ViberLite v4
PJobRAT
a80a1b022fdcaa171e454086711dcf35
ViberLite v3
PJobRAT
a4f104e2058261c7dbfc1c69e1de8bce
ViberLite v2
PJobRAT
4ce92da8928a8d1d72289d126a9fe2f4
HangOn V4e
PJobRAT
a53c74fa923edce0fa5919d11f945bcc
HangOn v4
PJobRAT
9fd4b37cbaf0d44795319977118d439d
HangOn
PJobRAT
7bef7a2a6ba1b2aceb84ff3adb5db8b3
TrendBanter
PJobRAT
v21b4327d6881be1893fd2a8431317f6b
Happy Chat
Mayhem

2. SEA / APT-C-27

Domains & C2s:

Domain / IP
Description
faccebookaccunt[.]blogspot[.]com
Credential phishing
ruba-bakkour-facebook[.]blogspot[.]com
Credential phishing
chatsafe[.]tecnova.com[.]br
Distribution of SilverHawk in 2020
download-telegram.vercel[.]app
Used by SEA affiliated individuals to distribute a new unnamed Android family
download-revo.vercel[.]app
Used by SEA affiliated individuals to distribute a new unnamed Android family
82.137. 218[.]185
Command and control server. Useful for distributing custom and commodity Android malware.

Hashes:

MD5
Description
Malware Family
df196bd42e1da1d34c23c8d947561618
Fake version of Telegram
Unnamed
ccabc8f4868184a04b032b34d9303810
Trojanized Syrian News app
Unnamed

3. APT-C-37

Domains & C2s:

Domain / IP
Description
82.137. 255[.]0
Long running command and control server

Hashes:

MD5
Description
Malware Family
969fe5597a44bf4eb66ebdc7b09ef2c8
Fake version of WhatsApp
SSLove

4. Unnamed Cluster

Domains & C2s:

Domain / IP
Description
f-b[.]today
Hosting SpyMax
messengers[.]video
Hosting SpyMax
whatsapp-sy[.]com
Hosting SpyMax
horan-free[.]com
Believed to have been hosting SpyMax
druze[.]life
Believed to have been hosting SpyMax
suwayda-24[.]com
Believed to have been hosting SpyMax
t-me[.]link
Believed to have been hosting SpyMax
lamat-horan[.]com
Hosting unnamed Android malware
anti-corona[.]app
Believed to have been hosting SpyMax
what-sapp[.]site
Believed to have been hosting SpyMax
informnapalm[.]net
Hosting trojanized apps for the YPG, Syrian Civil Defense, and malware pretending to be an update for WhatsApp.
facebook-helps-center[.]com
Older infrastructure hosting SpyMax malware pretending to be a WhatsApp update.
46.4. 83[.]140
Command and control server
sputniknews[.]news
Believed to be attacker controlled
emmashop[.]app
Believed to be attacker controlled
face-book[.]xyz
Believed to be attacker controlled.

Hashes:

MD5
Description
Malware Family
762acdd53eb35cd48686b72811ba9f3c
Hosted on lamat-horan[.]com.
First seen in 2019.
0 detections on VT.
Unnamed
fcf357556c3af14bab820810f5e94436
Hosted on f-b[.]today.
Masquerading as a Syrian satellite TV app.
SpyMax
e8a528491b28e4d62a472da7396c7047
Hosted on f-b[.]today.
Masquerading as a YouTube update.
SpyMax
1c16ee8b2f0dff7280e1d97522ee7e3f
Hosted on informnapalm[.]net.
A Syria themed APK.
SpyNote
ce274c0bd0743695529a43d7992e2d2c
Hosted on informnapalm[.]net.
Masquerading as a WhatsApp update.
SpyMax
185062606b168f04b8b583045d300be5
Hosted on informnapalm[.]net.
Masquerading as an app for the YPG.
SpyMax
c2e55b0d7be1c1991a5b70be7280e528
Hosted on informnapalm[.]net.
Masquerading as an app for the Syrian Civil Defence.
SpyMax

For More dWeb.News Social Media News https://dweb.news/news-sections/social-media-news/

The post SOCIAL MEDIA: Taking Action Against Hackers In Pakistan And Syria appeared first on dWeb.News dWeb.News from Daniel Webster Publisher dWeb.News – dWeb Local Tech News and Business News

dWeb.NewsRead More

Similar Posts