Meta: Bitter APT Espionage Attack exploited Apple’s TestFlight service
Meta has removed accounts linked to these attacks, blocked their domain infrastructure from being shared on its social media services, and notified the targeted victims. Meta said it also notified Apple of the attackers’ use of TestFlight, but had no further information on what steps Apple took after being notified. Apple did not respond to a request for comment.
The company discovered that Bitter APT also used various other tactics to target victims with malware, exploiting a combination of link-shortening services, compromised websites, and third-party hosting providers. In one case, researchers discovered that the APT was using a new family of custom Android malware, which they called Dracarys. In a technique similar to many other Android malware families, Dracarys abused the Android operating system’s Accessibility Services – a legitimate feature that grants apps certain permissions to help users with disabilities – in order to access sensitive data such as text messages.
“Bitter injected Dracarys into (unofficial) trojanized versions of YouTube, Signal, Telegram, WhatsApp and custom chat apps capable of accessing call logs, contacts, files, SMS, geolocation, device information, taking pictures, activating the microphone, and installing apps,” according to Meta. “Although malware functionality is fairly standard, at the time of this writing, the malware and its supporting infrastructure have not been detected by existing public anti-virus systems.”
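Because Dracarys relies on the Accessibility Services that a user has to enable, one practical check on a device is to list which services currently hold that access and compare them against the packages expected to have it. The script below is an added example written for this article, not code from Meta’s report or from any of the products mentioned: it parses the value of the Android secure setting `enabled_accessibility_services` (on a real device obtained with `adb shell settings get secure enabled_accessibility_services`), using a constructed sample so it runs offline. The allowlist and the package names in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): flag enabled Android
# accessibility services whose package is not on an expected allowlist.
#
# Android stores enabled services as one string, entries separated by ':',
# each entry shaped "package/ServiceClass" (the class may be abbreviated ".Cls").
# On a device the raw value comes from:
#   adb shell settings get secure enabled_accessibility_services
# "null" is printed when no service is enabled.

# Constructed sample value: one legitimate screen reader plus a sideloaded
# chat "mod" that has been granted accessibility access (assumption).
SAMPLE_ENABLED='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.chat.mod/.AccessHelper'

# Packages expected to hold accessibility access on this fleet (assumption).
ALLOWLIST='com.google.android.marvin.talkback com.android.talkback'

# Usage: find_unexpected_services "<enabled_accessibility_services value>"
# Prints one line per enabled service whose package is not allowlisted.
# Returns 0 when nothing unexpected is enabled, 1 otherwise.
find_unexpected_services() {
    enabled=$1
    # Unset or empty setting: nothing can be abusing the feature.
    if [ -z "$enabled" ] || [ "$enabled" = "null" ]; then
        return 0
    fi
    found=0
    old_ifs=$IFS
    IFS=':'
    for entry in $enabled; do
        pkg=${entry%%/*}                       # strip "/ServiceClass"
        case " $ALLOWLIST " in
            *" $pkg "*) ;;                     # expected package, skip
            *) echo "$entry"; found=1 ;;       # report anything else
        esac
    done
    IFS=$old_ifs
    return $found
}

# Stand-alone run against the constructed sample.
if find_unexpected_services "$SAMPLE_ENABLED"; then
    echo "no unexpected accessibility services enabled"
else
    echo "review the services listed above"
fi
```

The check is deliberately narrow: an entry on the report list is not proof of compromise, only a prompt to look at how that package reached the device (sideload versus store install) and what it does with the access, which is the pattern Meta describes for the trojanized chat apps.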
Meta also discovered an APT36 campaign, linked to Pakistan, targeting military personnel, government officials and employees of human rights organizations in Afghanistan, India, Pakistan, the United Arab Emirates and Saudi Arabia. The attackers posed as recruiters for legitimate and fake companies, as well as military personnel, to target victims, and shared malicious links to attacker-controlled sites where they hosted malware. In several cases, the malware used was XploitSPY, a basic Android malware available on GitHub. The researchers said APT36’s campaign indicates a broader trend for espionage groups to use low-cost off-the-shelf malicious tools rather than investing in developing their own.
“This is noteworthy for two reasons,” said Nathaniel Gleicher, head of security policy at Meta, during a press call Thursday. “First, it democratizes access to these tools. The more bad actors can use them, the more bad actors will engage in cyber espionage, the lower the barrier to entry. Second, because these tools are commoditized – there are many, many off-the-shelf malicious systems that someone can exploit – it means that sophisticated threat actors can hide in the noise, making it harder to know who does what and why.”
Both campaigns were discovered as part of Meta’s efforts to remove malicious and inauthentic behavior from its platforms; the company routinely cracks down on disinformation and cyber espionage operations, such as the malicious activities of two Iranian threat groups that were disclosed in April.