Facebook Warns that Activities are Expected to Resume as APT Groups Adapt and Evolve Malware
Two Palestinian Advanced Persistent Threat (APT) groups have been launching cyber espionage campaigns using Android and Windows malware, targeting journalists, human rights activists, and military groups throughout the Middle East. Countries targeted include Palestine, Syria, Turkey, Iraq, Lebanon, and Libya.
Preventive Security Service
This group is linked to Palestinian President Mahmoud Abbas and his intelligence services. Using fake Facebook accounts, the APT group built trust with journalists and activists through social engineering in order to convince them to install malicious software. The malware was disguised as secure chat applications that, once downloaded and installed, collected the infected device's metadata, call logs, location, contacts, and text messages. The targeted pages are reported to have posted political memes criticizing Russia's involvement in Syria and Libya.
The data stolen through these campaigns was then uploaded to Firebase, the mobile app development platform.
Other malware implicated in these campaigns includes the SpyNote Android malware, which is used for remote access and call monitoring, and the NJRat and HWorm Windows malware.
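The capability described above (a "secure chat" app that harvests call logs, location, contacts and SMS) leaves a footprint in the app's requested permissions, and that footprint is something a defender can check before installing or approving an app. The following Python script is an added example, not code from the original article or from Facebook's report: it parses an AndroidManifest.xml with the standard library, groups the requested permissions by the data category they unlock, and flags a manifest that touches several categories at once. The two manifests embedded in it are constructed samples; the permission-to-category map and the threshold of three categories are assumptions chosen for illustration, and a real-world triage would also weigh the app's stated purpose and its network destinations.

```python
import xml.etree.ElementTree as ET

# Android's manifest namespace; attribute names are qualified with it.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions mapped to the data category they unlock. The categories mirror
# the data the article says the trojanized chat apps collected. The mapping is
# an assumption made for this example, not an official classification.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "text messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_PHONE_STATE": "device metadata",
    "android.permission.RECORD_AUDIO": "call/microphone audio",
}

# Constructed sample: a "secure chat" app requesting far more than chat needs.
SPYWARE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.securechat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Secure Chat"/>
</manifest>
"""

# Constructed sample: a plausible benign app with a narrow permission set.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photonotes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Photo Notes"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the set of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    return names


def surveillance_profile(manifest_xml: str) -> dict[str, list[str]]:
    """Group the sensitive permissions an app requests by data category."""
    profile: dict[str, list[str]] = {}
    for permission in requested_permissions(manifest_xml):
        category = SURVEILLANCE_PERMISSIONS.get(permission)
        if category:
            profile.setdefault(category, []).append(permission)
    # Sort for stable, readable output.
    return {cat: sorted(perms) for cat, perms in sorted(profile.items())}


def is_suspicious(manifest_xml: str, threshold: int = 3) -> bool:
    """Flag an app whose permissions span `threshold` or more data categories.

    The threshold is an assumption for this example; tune it to your context.
    """
    return len(surveillance_profile(manifest_xml)) >= threshold


if __name__ == "__main__":
    for label, manifest in (("spyware-like", SPYWARE_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        print(f"{label}: suspicious={is_suspicious(manifest)}")
        for category, perms in surveillance_profile(manifest).items():
            print(f"  {category}: {', '.join(perms)}")
```

Run against a real APK, the manifest would first be decoded from its binary form (for example with `aapt dump xmltree` or `apktool`); the analysis above only needs the decoded XML. A high category count is a triage signal rather than proof of malice, since legitimate messaging apps also request contacts and SMS, which is why pairing the permission profile with the app's distribution channel (an official store versus a link received over social media, as in the campaign described) matters.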
AridViper
Also called DesertFalcon or APT-C-23, AridViper is the other APT group disrupted by Facebook's threat intelligence analysts. First reported for cyber espionage in 2015, the group used more than 100 websites hosting iOS and Android malware to steal credentials from targets.
An alarming discovery was a new custom-built iOS malware, going by the name of Phenakite. Using the Osiris jailbreak and the Sock Port exploit after installation, Phenakite is able to retrieve sensitive user information that would otherwise be inaccessible.
AridViper spread its malware through phishing sites that mimicked the Facebook login page.
In response to the discovery of these malicious campaigns, Facebook has cancelled all Facebook accounts associated with these hacking networks and notified other tech companies of these activities to prevent the spread of the malware.
Despite these efforts, Facebook warns that the groups will likely resume activities once they find another way into the platform.