A mobile espionage campaign, dubbed BladeHawk, has been discovered targeting the Kurdish ethnic group. As per the report, the campaign is directly linked to two publicly disclosed incidents from 2020.
What has happened?
According to ESET researchers, the recent Android-based campaign attacks linked to the BladeHawk group have been ongoing since March 2020 and spreading via fake Facebook profiles.
Six Facebook profiles were found spreading malicious spying apps 888 RAT and SpyNote.
Two profiles were targeting tech users and the other four were portrayed as Kurd supporters. All profiles have been taken down now.
All of the profiles were created last year and were posting Android RATs disguised as genuine apps, except for one profile.
In addition, these profiles were sharing espionage apps to public groups on Facebook, supporting the former President of the Kurdistan Region. Collectively, the groups had over 11,000 followers.
Researchers spotted 28 unique posts in the campaign and each of the posts included fake app info and links to download an app. These links pointed to around 17 unique APKs. Between July 20, 2020, and June 28, 2021, the apps were downloaded 1,481 times.
Researchers noted that 888 RAT and SpyNote were built using SpyNote Builder. Out of these two, they provided additional analysis of the Android 888 RAT.
The Android 888 RAT
The 888 RAT has been, for the first time, associated with an organized campaign by a threat group.
It is a multiplatform RAT that appears to be the main payload of BladeHawk at present.
It has the phishing functionality to steal Facebook credentials. Only after a long press on this app’s icon, its true name is disclosed to the user.
Researchers have been finally been able to link the RAT with two more organized campaigns - Spy TikTok Pro and another campaign launched by the Kasablanka Group.
The use of social media platforms, such as Facebook, as infection vectors is becoming more prominent. Therefore, experts recommend avoiding downloading apps from unknown sources and using anti-malware software to stay protected.