Mobile espionage campaign against the Kurdish ethnic group revealed

The distribution of two mobile backdoors has been active since at least March 2020

Mobile espionage campaign revealed: the Kurdish ethnic group has been targeted for a year and a half already.

888 RAT and SpyNote malware, disguised as legitimate applications, were distributed to members of the Kurdish ethnic group via Facebook profiles. On September 7th, cybersecurity researchers at ESET revealed a year-long mobile espionage campaign against the Kurdish ethnic group.[1]

Experts believe the attackers have been active since March 2020, possibly longer. The attacks leveraged as many as six dedicated Facebook profiles that claimed to provide news. Two of the profiles were aimed at Android users, while the other four shared pro-Kurd content, only to push the spying apps into Facebook public groups.

All six profiles have since been taken down. ESET's researchers state that the mobile spyware targeted the Kurdish ethnic group through at least 28 malicious Facebook posts, which led victims to download the Android 888 RAT or SpyNote malware.

The multi-platform 888 RAT appears to have been available on the black market since 2018.[2] The profiles shared the espionage apps in Facebook public groups, most of which were for supporters of Masoud Barzani, former President of the Kurdistan Region. All targeted Facebook groups have more than 11,000 followers.[3]

Attacks planned by the group named BladeHawk

Once installed on the device, the 888 RAT can execute 42 commands received from its command and control (C&C) server. It can steal and delete files from the device, take screenshots, obtain the device location, phish Facebook credentials, list installed apps, steal user photos, and more.

This is not the first campaign of its kind. A few cases were publicly disclosed back in 2020; in one of them, the QiAnXin Threat Intelligence Center named the group behind the attacks BladeHawk. Those campaigns were also distributed via Facebook, using malware built with commercial, automated tools.

Separately, ESET reports having detected more than 71 billion attacks against remote access services, a common ransomware entry point, between January 2020 and June 2021. The firm's white paper on the criminal art of malicious code, pressure and manipulation examines how dangerous ransomware has become.

In this year's report, ESET concludes that ransomware is currently one of the most potent cyberthreats to organizations and private internet users alike. It targets all industries and affects both the public and private sectors. In line with ESET's goal of staying one step ahead of malicious actors, the report offers actionable advice for administrators and insight into defensive measures.[4]

RAT creates a potential danger to privacy

A remote access Trojan, more widely known as a RAT, is a malware program that includes a backdoor for administrative control over the target computer. RATs are usually downloaded invisibly alongside a user-requested program – such as a game – or sent as an email attachment.

Once the RAT reaches the host system, the system is quickly compromised and the intruder may use it to distribute RATs to other vulnerable computers and establish a botnet. With such malware, threat actors can distribute viruses and other malicious code, format drives, and delete, download or alter files.[5]

RATs can be difficult to detect because they usually don't show up in lists of running programs. To protect your system from RATs, keep antivirus software up to date and refrain from downloading programs or opening attachments that don't come from a trusted source.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
