
Facebook in its “new” form is acting against cyber threats

Meta, the company that used to be known as Facebook, announced on Tuesday that it had taken action against four separate malicious cyber groups from Pakistan and Syria that had been found targeting people in Afghanistan, including journalists, humanitarian organisations, and anti-regime military forces.


SideCopy, a Pakistani threat actor, is believed to have utilised the platform to target Afghan government, military, and law enforcement officials in Kabul.

Between April and August of 2021, the campaign, which Meta described as a “well-resourced and persistent operation,” involved sending malicious links to websites hosting malware, often shortened using URL shortener services. The operators posed as young women and used romantic lures to get recipients to click on phishing links or download trojanized chat applications.

These apps, according to Meta’s threat intelligence analysts, are a front for two different malware strains: a remote access trojan known as PJobRAT, which was previously discovered targeting Indian military forces, and a previously undocumented implant known as Mayhem, which can retrieve contact lists, text messages, call logs, location information, media files, device metadata, and even scrape content from the device’s screen by abusing accessibility services.


SideCopy used a variety of deceptive approaches, including running rogue app stores and compromising legitimate websites to host phishing pages designed to trick individuals into handing over personal information.

Syrian Electronic Army, aka APT-C-27, targeted humanitarian organisations, journalists and activists in Southern Syria, government critics, and individuals associated with the anti-regime Free Syrian Army. It used phishing links to deliver a mix of commercially available and custom malware, such as njRAT and HmzaRat, engineered to harvest sensitive user information.

APT-C-37 used a commodity backdoor known as SandroRAT and an in-house developed malware family known as SSLove to target people linked to the Free Syrian Army and military personnel affiliated with opposition forces via social engineering schemes that duped victims into visiting websites posing as Telegra.


Nidhi Khandelwal

Nidhi is a tech news/research contributor at TheDigitalHacker. She publishes about techno geopolitics, privacy, and data breach.