Meta took down the accounts linked to these attacks, blocked their domain infrastructure from being shared on its social media services and notified targeted victims. Meta said it also has notified Apple about attackers leveraging TestFlight, but does not have further insight into any subsequent steps that Apple took after it was notified. Apple did not respond to a request for comment.
The company found Bitter APT also using a variety of other tactics to target victims with malware, leveraging a mix of link-shortening services, compromised websites and third-party hosting providers. In one case, researchers found the APT using a new custom Android malware family, which they called Dracarys. In a technique similar to many other Android malware families, Dracarys abused Android operating system accessibility services – a legitimate feature that grants apps certain permissions in order to help users with disabilities – in order to access sensitive data like text messages.
“Bitter injected Dracarys into trojanized (non-official) versions of YouTube, Signal, Telegram, WhatsApp, and custom chat applications capable of accessing call logs, contacts, files, text messages, geolocation, device information, taking photos, enabling microphone, and installing apps,” according to Meta. “While the malware functionality is fairly standard, as of this writing, malware and its supporting infrastructure has not been detected by existing public anti-virus systems.”
Meta also uncovered a campaign by the Pakistan-linked APT36 targeting military personnel, government officials and human rights organization employees in Afghanistan, India, Pakistan, UAE and Saudi Arabia. The attackers posed as recruiters for both legitimate and fake companies as well as military personnel in order to target victims, and shared malicious links to attacker-controlled sites where they hosted malware. In several cases the malware used was XploitSPY, a commodity Android malware available on GitHub. Researchers said APT36’s campaign points to a broader trend of espionage groups using low-cost, off-the-shelf malicious tooling, rather than investing in developing their own tooling.
“This is notable for two reasons,” Nathaniel Gleicher, head of Security Policy with Meta, said on a Thursday press call. “First, it democratizes access to these tools. More bad actors can use them, more bad actors will engage in cyber espionage, the barrier to entry is lower. Second, because these tools are commoditized – there are many, many off-the-shelf malware systems that someone can leverage – it means sophisticated threat actors can hide in the noise, making it harder to tell who is doing what and why.”
Both campaigns were uncovered as part of Meta’s efforts to remove malicious and inauthentic behavior from its platforms, with the company regularly cracking down on disinformation and cyber espionage operations, such as malicious activity by two Iranian threat groups that was disclosed in April.