[TheRecord] Pakistani hackers operated a fake app store to target former Afghan officials

A group of Pakistani hackers has created and operated a fake Android app store in order to target and infect individuals connected to the former Afghanistan government prior to and during its fall to the new Taliban regime.

The hacking campaign took place between April and August this year and was carried out by a group known as SideCopy, Facebook’s security team said in a report published today.

Facebook security researchers said SideCopy operators created fake profiles on its platform, typically posing as young women, and approached targets with the goal of getting them to click on malicious links.

These links redirected victims to phishing sites that collected login credentials or, in some cases, to fake app stores hosting malware-infected Android apps.

Image: The Record

Facebook said SideCopy typically used malicious apps that posed as chat messaging apps. They either mimicked known brands such as Viber and Signal or posed as new chat apps altogether.

“Among them were apps named HappyChat, HangOn, ChatOut, TrendBanter, SmartSnap, and TeleChat — some of which were in fact functioning chat applications,” said Mike Dvilyanski, Head of Cyber Espionage Investigations, and David Agranovich, Director, Threat Disruption.

These Android apps carried remote access trojans. Some contained a known strain called PJobRAT, while others contained a previously unreported Android malware family that Facebook named Mayhem.

The two malware strains allowed SideCopy operators full control over the infected devices, the social network’s security team explained.

Facebook also disrupts three hacking groups in Syria

Facebook also said it disrupted, in October, three additional hacking groups that were operating in Syria.

With links to the Syrian government, these groups primarily targeted individuals and activists opposing the Assad regime:

Syrian Electronic Army – targeted human rights activists, journalists, and other groups opposing the ruling regime.

APT-C-37 – targeted people linked to the Free Syrian Army and former military personnel who had since joined the opposition forces.

Unnamed group – targeted minority groups, activists, the opposition, Kurdish journalists, members of the People's Protection Units (YPG), and Syria Civil Defense (the White Helmets), a volunteer-based humanitarian organization.

Facebook formally linked the activities of the first two groups to two separate units inside Syria’s Air Force Intelligence Directorate, the country’s most important intelligence service.

This marks the second time that Facebook has formally attributed and linked a hacking group operating on its platform to a real-world entity.

The first time was in December 2020 when Facebook linked APT32, a hacking group spying on behalf of the Vietnamese government, to a local company named CyberOne Group.

To disrupt the activities of the Pakistani and Syrian hacking groups, Facebook said it disabled their accounts, blocked their domains from being posted on its sites, notified users that they were targeted, and shared information about the attacks with law enforcement and other security researchers.

Previously, Facebook also disrupted the operations of other state-sponsored hacking groups operating out of Iran, Palestine, and China.

The post Pakistani hackers operated a fake app store to target former Afghan officials appeared first on The Record by Recorded Future.

