BladeHawk group: Android espionage against Kurdish ethnic group
ESET researchers have investigated a focused cell espionage marketing campaign in opposition to the Kurdish ethnic group, and that has been lively since at the very least March 2020.
ESET researchers have investigated a focused cell espionage marketing campaign in opposition to the Kurdish ethnic group. This marketing campaign has been lively since at the very least March 2020, distributing (through devoted Fb profiles) two Android backdoors generally known as 888 RAT and SpyNote, disguised as legit apps. These profiles gave the impression to be offering Android information in Kurdish, and information for the Kurds’ supporters. Among the profiles intentionally unfold extra spying apps to Fb public teams with pro-Kurd content material. Knowledge from a obtain website signifies at the very least 1,481 downloads from URLs promoted in just some Fb posts.
The newly found Android 888 RAT has been utilized by the Kasablanka group and by BladeHawk. Each of them used various names to discuss with the identical Android RAT – LodaRAT and Gaza007 respectively.
BladeHawk Android espionage
The espionage exercise reported right here is straight related to 2 publicly disclosed instances printed in 2020. QiAnXin Risk Intelligence Middle named the group behind these assaults BladeHawk, which we’ve adopted. Each campaigns have been distributed through Fb, utilizing malware that was constructed with industrial, automated instruments (888 RAT and SpyNote), with all samples of the malware utilizing the identical C&C servers.
Distribution
We recognized six Fb profiles as a part of this BladeHawk marketing campaign, sharing these Android spying apps. We reported these profiles to Fb they usually have all been taken down. Two of the profiles have been aimed toward tech customers whereas the opposite 4 posed as Kurd supporters. All these profiles have been created in 2020 and shortly after creation they began posting these faux apps. These accounts, aside from one, haven’t posted every other content material in addition to Android RATs masquerading as legit apps.
These profiles are additionally answerable for sharing espionage apps to Fb public teams, most of which have been supporters of Masoud Barzani, former President of the Kurdistan Area; an instance may be seen in Determine 1. Altogether, the focused teams have over 11,000 followers.
Determine 1. One of many Fb posts
In a single case, we noticed an try (Determine 2) to seize Snapchat credentials through a phishing web site (Determine 3).
Determine 2. Fb publish resulting in a Snapchat phishing website
Determine 3. Snapchat phishing web site
We recognized 28 distinctive posts as a part of this BladeHawk marketing campaign. Every of those posts contained faux app descriptions and hyperlinks to obtain an app, and we have been capable of obtain 17 distinctive APKs from these hyperlinks. Among the APK internet hyperlinks pointed on to the malicious app, whereas others pointed to the third-party add service top4top.io, which tracks the variety of file downloads (see Determine 4). Due to that, we obtained the whole variety of downloads from top4top.io for these eight apps. These eight apps have been downloaded altogether 1,481 occasions, from July 20, 2020 till June 28, 2021.
Determine 4. Details about one RAT pattern hosted on a third-party service
Samples
To our information, this marketing campaign focused solely Android customers, with the risk actors centered on two industrial Android RAT instruments – 888 RAT and SpyNote. We discovered just one pattern of the latter throughout our analysis. Because it was constructed utilizing an outdated, already analyzed SpyNote builder, right here we embrace solely the evaluation of the 888 RAT samples.
Android 888 RAT
This industrial, multiplatform RAT was initially solely printed for the Home windows ecosystem for $80. In June 2018, it was prolonged within the Professional model with the extra functionality to construct Android RATs ($150). Later, the Excessive model may create Linux payloads as effectively ($200).
It was offered through the developer’s web site at 888-tools[.]com (see Determine 5).
Determine 5. Worth for 888 RAT
In 2019 the Professional model (Home windows and Android) was discovered cracked (see Determine 6) and obtainable on just a few web sites free of charge.
Determine 6. Cracked model of 888 RAT builder
888 RAT has not been straight recognized with any organized campaigns earlier than; that is the primary time this RAT has been assigned as an indicator of a cyberespionage group.
Following this discovery, we have been capable of join the Android 888 RAT to 2 extra organized campaigns: Spy TikTok Professional described here and a marketing campaign by Kasablanka Group.
Performance
Android 888 RAT is able to executing 42 instructions acquired from its C&C server, as seen in Desk 1.
Briefly, it could actually steal and delete information from a tool, take screenshots, get system location, phish Fb credentials, get an inventory of put in apps, steal consumer photographs, take photographs, file surrounding audio and telephone calls, make calls, steal SMS messages, steal the system’s contact checklist, ship textual content messages, and so forth.
The builder can also be used because the C&C to manage all of the compromised units because it makes use of dynamic DNS to be reached by them.
Desk 1. Record of supported instructions
| Command | Performance |
|---|---|
| Unistxcr | Show app particulars of specified app |
| dowsizetr | Add file to server from /sdcard/DCIM/.dat/ |
| DOWdeletx | Delete file from /sdcard/DCIM/.dat/ |
| Xr7aou | Add binary file to server from /sdcard/DCIM/.dat/ |
| Caspylistx | Record information from /sdcard/DCIM/.dat/ |
| spxcheck | Verify whether or not name recording service is operating |
| S8p8y0 | Cease name recording service |
| Sxpxy1 | Allow name recording service |
| screXmex | Take screenshot and add to server |
| Batrxiops | Get battery degree |
| L4oclOCMAWS | Get system location |
| FdelSRRT | Delete file /sdcard/DCIM/.fdat (phished Fb credentials) |
| chkstzeaw | Verify whether or not Fb app is put in |
| IODBSSUEEZ | Add Fb credentials to C&C from /sdcard/DCIM/.fdat |
| GUIFXB | Launch Fb phishing exercise |
| osEEs | Get requested permissions of the desired utility |
| LUNAPXER | Launch particular utility |
| Gapxplister | Get checklist of purposes put in on the system |
| DOTRall8xxe | Compress information in /sdcard/DCIM/.dat/ listing and add them to C&C |
| Acouxacour | Get all system accounts |
| Fimxmiisx | Take picture from digicam and add it to C&C |
| Scxreexcv4 | Get details about system cameras |
| micmokmi8x | File surrounding audio for the desired time |
| DTXXTEGE3 | Delete particular file from /sdcard listing |
| ODDSEe | Open particular URL in default browser |
| Yufsssp | Get Exif data from particular media file |
| getsssspo | Get information about whether or not a particular file exists on system |
| DXCXIXM | Get names of all photographs saved in /sdcard/DCIM/ |
| f5iledowqqww | Add particular file from /sdcard/ listing |
| GExCaalsss7 | Get name logs from system |
| SDgex8se | Record information from particular listing from /sdcard |
| PHOCAs7 | Make name to specified quantity |
| Gxextsxms | Get SMS inbox |
| Msppossag | Ship SMS message to specified quantity |
| Getconstactx | Get contacts |
| Rinxgosa | Play ringtone for six seconds |
| Shetermix | Execute shell command |
| bithsssp64 | Execute shell script |
| Deldatall8 | Cleanup, take away all /sdcard/DCIM/.dat information |
| pvvvoze | Get IP handle |
| paltexw | Get TTL from PING command |
| M0xSSw9 | Show particular Toast message to consumer |
An essential issue when figuring out 888 RAT is the bundle identify of the payload. The bundle identify of each construct of an Android payload is just not customized or random; it at all times makes use of the com.instance.dat.a8andoserverx bundle ID. Due to this, it’s straightforward to determine such samples as 888 RAT.
In later variations of the 888 RAT (not the cracked RAT builder), we observed that the builder was able to obfuscating strings (command strings, C&C, and different plain textual content strings) by encrypting them utilizing AES with a hardcoded key; nevertheless, the bundle identify nonetheless remained the identical.
C&C
888 RAT makes use of a customized IP protocol and port (it doesn’t must be normal ports). Compromised units are managed straight from the builder GUI.
Fb phishing
When this performance is triggered, 888 RAT will deploy phishing exercise that seems to be coming from the legit Fb app. When the consumer faucets on the current apps button, this exercise will appear legit, as seen in Determine 7. Nevertheless, after a protracted press on this app’s icon, as in Determine 8, the true app identify answerable for the Fb login request is disclosed.
Determine 7. Phishing request seen from the current app menu
Determine 8. Actual utility identify answerable for phishing
Detection
Since 2018, ESET merchandise have recognized a whole bunch of situations of Android units the place the 888 RAT was deployed. Determine 9 presents the nation distribution of this detection information.
Determine 9. Detection of Android 888 RAT by nation
Conclusion
This espionage marketing campaign has been lively since March 2020 aiming solely at Android units. It focused the Kurdish ethnic group by at the very least 28 malicious Fb posts that may lead potential victims to obtain Android 888 RAT or SpyNote. Many of the malicious Fb posts led to downloads of the industrial, multiplatform 888 RAT, which has been obtainable on the black market since 2018. In 2019, a cracked copy of the Professional model of the 888 RAT builder was made obtainable from just a few web sites, and since then, we detected a whole bunch of instances all all over the world utilizing the Android 888 RAT.
IoCs
Information and ESET detection names
| SHA-1 | Detection identify |
|---|---|
| 87D44633F99A94C9B5F29F3FE75D04B2AB2508BA | Android/Spy.Agent.APU |
| E47AB984C0EC7872B458AAD803BE637F3EE6F3CA | Android/Spy.Agent.APG |
| 9A8E5BAD246FC7B3D844BB434E8F697BE4A7A703 | Android/Spy.Agent.APU |
| FED42AB6665649787C6D6164A6787B13513B4A41 | Android/Spy.Agent.APU |
| 8E2636F690CF67F44684887EB473A38398234430 | Android/Spy.Agent.APU |
| F0751F2715BEA20A6D5CD7E9792DBA0FA45394A5 | Android/Spy.Agent.APU |
| 60280E2F6B940D5CBDC3D538E2B83751DB082F46 | Android/Spy.Agent.APU |
| F26ADA23739366B9EBBF08BABD5000023921465C | Android/Spy.Agent.APU |
| 4EBEED1CFAC3FE5A290FA5BF37E6C6072A6869A7 | Android/Spy.Agent.APU |
| A15F67430000E3F6B88CD965A01239066C0D23B3 | Android/Spy.Agent.BII |
| 425AC620A0BB584D59303A62067CC6663C76A65D | Android/Spy.Agent.APU |
| 4159E3A4BD99067A5F8025FC59473AC53E07B213 | Android/Spy.Agent.APU |
| EF9D9BF1876270393615A21AB3917FCBE91BFC60 | Android/Spy.Agent.APU |
| 231296E505BC40FFE7D308D528A3664BFFF069E4 | Android/Spy.Agent.APU |
| 906AD75A05E4581A6D0E3984AD0E6524C235A592 | Android/Spy.Agent.APU |
| 43F36C86BBD370884E77DFD496FD918A2D9E023D | Android/Spy.Agent.APU |
| 8B03CE129F6B1A913B6B143BB883FC79C2DF1904 | Android/Spy.Agent.APU |
Fb profiles
https://www.fb[.]com/android4kurd.official/
https://www.fb[.]com/tech.info00
https://www.fb[.]com/hewr.dliwar
https://www.fb[.]com/husain.techno
https://www.fb[.]com/zaid.abd.3785
https://www.fb[.]com/profile.php?id=100039915424311
Fb teams
https://www.fb[.]com/teams/478454429578545/
https://www.fb[.]com/teams/275108075847240/
https://www.fb[.]com/teams/751242802375989/
https://www.fb[.]com/teams/238330163213092/
Distribution hyperlinks
https://apkup[.]xyz/M.Muhammad.Mala.Fayaq_v0.0.6.apk
https://apkup[.]xyz/5G.VPN.Speed_v1.3.4.apk
https://apkup[.]xyz/Ftwa.Islam.Online_v1.0.1.apk
https://apkup[.]xyz/Al-Hashd_V1.0.3.apk
https://apkup[.]xyz/KitabAltawhid_v1.0.4.apk
https://apkup[.]xyz/KDP._V1.2.0.apk
https://apkup[.]xyz/Dosyay16October_V1.2.0.apk
https://apkup[.]xyz/MobileNumberFinder__v1.3.apk
https://f.top4top[.]io/f_LusheAYOtmjzehyF8seQcA/1613135449/1662yvch41.apk
https://a.top4top[.]io/f_Jlno8C2DLeaq71Fq1JV6hg/1613565568/1837ppxen1.apk
https://b.top4top[.]io/f_yTmhbte0yVNbhQbKyh12og/1613135036/1665tzq3x1.apk
https://j.top4top[.]io/f_FQCcQa5qAWHzK_0NdcGWyg/1613134993/16874mc5b1.apk
https://l.top4top[.]io/f_MHfW2u_xnKoXdhjPknEx5Q/1613134914/1703t5b2z1.apk
https://b.top4top[.]io/f_cbXNkHR0T0ZOsTecrGM6iA/1613134863/1703lttbn1.apk
https://okay.top4top[.]io/f_bznLRhgqMpAmWXYp1LLrNQ/1613134409/1690q040d1.apk
https://d.top4top[.]io/f_t7G4JjYm7_kzTsa0XYis6Q/1613134182/1749lglct1.apk
https://up4net[.]com/uploads/up4net-Xwakurk-1-0-4.apk
Phishing hyperlinks
https://apkup[.]xyz/snapchat/login.html
MITRE ATT&CK methods
This desk solely covers TTPs for 888 RAT, and was constructed utilizing version 9 of the ATT&CK framework.
| Tactic | ID | Identify | Description |
|---|---|---|---|
| Preliminary Entry | T1444 | Masquerade as Legit Software | The 888 RAT impersonates legit purposes. |
| Persistence | T1402 | Broadcast Receivers | The 888 RAT listens for the BOOT_COMPLETED broadcast, guaranteeing that the app’s performance might be activated each time the system begins. |
| Protection Evasion | T1508 | Suppress Software Icon | The 888 RAT hides its icon. |
| T1447 | Delete Gadget Knowledge | The 888 RAT can delete gathered and short-term saved information and every other particular file. | |
| Credential Entry | T1411 | Enter Immediate | The 888 RAT tries to phish Fb credentials. |
| Discovery | T1418 | Software Discovery | The 888 RAT obtains an inventory of put in apps. |
| T1420 | File and Listing Discovery | The 888 RAT identifies content material of particular directories. | |
| Assortment | T1433 | Entry Name Log | The 888 RAT exfiltrates name log historical past. |
| T1430 | Location Monitoring | The 888 RAT retrieves system location. | |
| T1432 | Entry Contact Record | The 888 RAT exfiltrates the sufferer’s contact checklist. | |
| T1429 | Seize Audio | The 888 RAT can file audio from environment and calls. | |
| T1512 | Seize Digicam | The 888 RAT can take photos from the entrance or rear cameras. | |
| T1412 | Seize SMS Messages | The 888 RAT can exfiltrate despatched and acquired SMS messages. | |
| T1533 | Knowledge from Native System | The 888 RAT exfiltrates information with specific extensions from exterior media. | |
| T1513 | Display screen Seize | The 888 RAT can take screenshots. | |
| Command And Management | T1509 | Uncommonly Used Port | The 888 RAT communicates with its C&C over port 4000. |
| Affect | T1582 | SMS Management | The 888 RAT adversary can ship SMS messages. |
| T1447 | Delete Gadget Knowledge | The 888 RAT can delete attacker-specified information from the system. |
