Social media giant Facebook today announced that it took action against two groups of hackers originating from Palestine that abused its infrastructure for malware distribution and account compromise across the Internet.
One of the dismantled networks was linked to the Preventive Security Service (PSS), one of the several intelligence services of Palestine, while the other was associated with Arid Viper, an established threat actor in the Gaza region.
The two clusters of activity, Facebook says, were not connected to one another, as one was focused on domestic audiences, while the other primarily targeted Palestinian territories and Syria, but also hit Turkey, Iraq, Lebanon and Libya.
As part of the shutdown operation, Facebook took down accounts, blocked domains, sent alerts to people who were targeted, and released malware hashes to the public.
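Facebook published file hashes rather than samples, so the practical follow-up for a defender is a sweep of endpoints or file shares for those indicators. The script below is an added example of such a sweep and is not Facebook's code; the indicator values in it are constructed placeholders, not the hashes Facebook released. It reads a plain-text indicator list (one SHA-256 per line, tolerating comments, blank lines and mixed case), hashes every regular file under a root directory in chunks, and reports the paths that match.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed indicator list: these are NOT Facebook's published hashes.
# In practice, load the SHA-256 values from the published report instead.
SAMPLE_IOC_HASHES = {
    hashlib.sha256(b"constructed-sample-payload-1").hexdigest(),
    hashlib.sha256(b"constructed-sample-payload-2").hexdigest(),
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def load_ioc_hashes(text):
    """Parse an indicator list: one SHA-256 per line, '#' comments, blank lines, any case."""
    hashes = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if len(line) == 64 and all(c in "0123456789abcdef" for c in line):
            hashes.add(line)
    return hashes


def sweep(root, ioc_hashes):
    """Walk root, hash every regular file, return {path: sha256} for indicator matches."""
    matches = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            # Skip symlinks and anything that is not a regular file.
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            try:
                digest = sha256_of_file(p)
            except OSError:
                # Unreadable file (permissions, vanished during the walk): skip, keep sweeping.
                continue
            if digest in ioc_hashes:
                matches[p] = digest
    return matches


def demo():
    """Build a constructed directory tree with two matching files and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "chat.apk").write_bytes(b"constructed-sample-payload-1")
        (root / "notes.txt").write_bytes(b"benign content")
        (root / "sub").mkdir()
        (root / "sub" / "update.exe").write_bytes(b"constructed-sample-payload-2")
        found = sweep(tmp, SAMPLE_IOC_HASHES)
        # Normalise to forward slashes so the result is the same on every platform.
        return sorted(os.path.relpath(p, tmp).replace(os.sep, "/") for p in found)


if __name__ == "__main__":
    print(demo())
```

Point `sweep()` at a mounted image or a user's download and application directories and feed it the hash set from `load_ioc_hashes()`; a match is a lead for triage, not proof of compromise on its own, since the released hashes cover specific samples and a recompiled or repacked build will not match.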
“The groups behind these operations are persistent adversaries, and we know they will evolve their tactics in response to our enforcement,” Facebook says.
The PSS-linked activity originated in the West Bank and, while mainly aimed at domestic audiences, also reached targets abroad. It relied on social engineering to lure individuals into clicking malicious links that infected them with malware.
Targets included journalists, opponents of the Fatah-led government, human rights activists, the Syrian opposition, Iraqi military, and other military groups.
A custom-built Android malware family used in the operation masqueraded as a chat application and collected device metadata, call logs, text messages, contacts, and location; only rarely did samples include keylogging capabilities. Collected data was exfiltrated to Firebase, Google's mobile app development platform.
The group also employed SpyNote, a publicly available Android malware family that offers remote access to devices, and deployed publicly available Windows malware such as NJRat and HWorm. Fake and compromised accounts were used to build trust with targeted individuals.
Also referred to as Desert Falcons and DHS, Arid Viper has been active for more than half a decade and is likely closely connected to the Molerats APT. The newly observed activity, Facebook says, targeted government officials in Palestine, members of the Fatah party, students, and security forces.
The threat actor employed a large infrastructure of more than one hundred websites that hosted iOS and Android malware, were designed for phishing, or functioned as command and control (C&C) servers.
“They appear to operate across multiple internet services, using a combination of social engineering, phishing websites and continually evolving Windows and Android malware in targeted cyber espionage campaigns,” Facebook says.
As part of the observed activity, the adversary used custom-built iOS surveillanceware dubbed Phenakite, tricking users into installing a mobile configuration profile that the malware needed in order to function. The malware was bundled inside a Trojanized, fully functional chat application and could direct victims to phishing pages for Facebook and iCloud.
While the app could be installed without a jailbreak, the malware required one to elevate privileges and access sensitive user information; the publicly available Osiris jailbreak tool was used for this purpose.
Arid Viper also employed Android malware resembling FrozenCell and VAMP, which required victims to allow installation of apps from third-party sources (sideloading). Variants of the Micropsia malware family were also used.
Malware distribution relied on social engineering, with 41 attacker-controlled phishing sites used to distribute the Android malware and a third-party Chinese app development site used to deliver the iOS malware.
Facebook says that, for roughly two years, it has been in contact with industry partners to share information about the discovered activity and to identify and block the threat actors.
Infosec Island