BladeHawk Attackers Target Kurds with Android Apps

Pro-Kurd Facebook profiles deliver ‘888 RAT’ and ‘SpyNote’ trojans, masked as legitimate apps, to perform mobile espionage.

Attackers have been targeting the Kurdish ethic group for more than a year through an Facebook-based spyware campaign that disguises backdoors in legitimate Android apps, researchers have found.

A group called BladeHawk is behind the campaign, discovered by researchers from cybersecurity firm ESET and active since at least March 2020, according to a report published this week. The campaign disguises the 888 RAT in Android apps using dedicated Facebook profiles, researchers aid.

“These profiles appeared to be providing Android news in Kurdish, and news for the Kurds’ supporters,” ESET malware researcher Lukas Stefanko wrote in the report, published Wednesday. “Some of the profiles deliberately spread additional spying apps to Facebook public groups with pro-Kurd content.”

Infosec Insiders Newsletter

All in all, researchers identified six profiles as part of the BladeHawk campaign, which have been sharing the Android spying apps and targeted about 11,000 followers through 28 unique posts. The profiles have been reported to Facebook and since disabled, Stefanko said.

Each of these posts in the campaign contained fake app descriptions and links to download an app, according to the post. Researches downloaded 17 unique Android application packages (APKs) from these links, some of which pointed directly to the malicious apps.

“Two of the profiles were aimed at tech users, while the other four posed as Kurd supporters,” he wrote. “All these profiles were created in 2020 and shortly after creation they started posting these fake apps. These accounts, except for one, have not posted any other content besides Android RATs masquerading as legitimate apps.”

Other links pointed to the third-party upload service top4top.io, which tracks the number of file downloads. Data from that service shows that there have been at least 1,481 downloads of the malicious apps from URLs promoted in just a few Facebook posts between July 20, 2020 and June 28 of this year, researchers found.

Attackers also shared espionage apps to public Facebook groups, most of which support of Masoud Barzani, the former president of the Kurdistan Region, Stefanko said.

Payload Activity

The key payload of the campaign is the multiplatform 888 RAT, which previously was used in two other organized campaigns—one targeting TikTok users with TikTok Pro spyware and another by the Kasablanka group, according to ESET. In one instance, the campaign spread the SpyNote trojan, which is an older and well-known commercial spy tool that has a history of masquerading as legitimate apps, including Netflix.

888 RAT originally only was published for the Windows ecosystem and sold on the Dark Web for $80. In June 2018, a Pro version of the RAT costing $150 extended its capability for Android, while an Extreme version released later and sold for $200 could create Linux-based payloads as well.

The 888 RAT used in the BladeHawk campaign includes the ability to: Steal and delete files from a device; take screenshots; get device location; get a list of installed apps; steal user photos; take photos; record surrounding audio and phone calls; make calls; steal SMS messages; steal the device’s contact list; and send text messages.

The RAT also can phish Facebook credentials by deploying activity that appears to be coming from the legitimate Facebook app, Stefanko wrote.

“When the user taps on the recent apps button, this activity will seem legitimate,” he wrote. “However, after a long press on this app’s icon, as in Figure 8, the true app name responsible for the Facebook login request is disclosed.”

ESET has published a list of file names, Facebook profiles and groups, and distribution and phishing links associated with the BladeHawk campaign in the post.

It’s time to evolve threat hunting into a pursuit of adversaries. JOIN Threatpost and Cybersixgill for Threat Hunting to Catch Adversaries, Not Just Stop Attacks and get a guided tour of the dark web and learn how to track threat actors before their next attack. REGISTER NOW for the LIVE discussion on Sept. 22 at 2 p.m. EST with Cybersixgill’s Sumukh Tendulkar and Edan Cohen, along with independent researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.

 

Suggested articles