New Delhi: Meta (formerly Facebook) cracked down on a cyber-espionage operation linked to state-sponsored bad actors in Pakistan that targeted people in India, including military and government officials, using various methods, such as honey traps and infiltrating their devices with malware. Aside from India, the group of hackers in Pakistan, known in the security industry as APT36, targeted people in Afghanistan, Pakistan, the UAE and Saudi Arabia, according to Meta’s quarterly Adversarial Threat Report.
“Our investigation linked this activity to state-affiliated actors in Pakistan,” Meta said.
The group’s activity has been persistent, targeting many services on the Internet, from email providers to file hosting services to social media.
“APT36 used various malicious tactics to target people online with social engineering to infect their devices with malware. They used a mix of malicious and disguised links and fake apps to spread their malware targeting Android and Windows devices,” the social network warned.
APT36 used fictitious personas, masquerading as recruiters for both legitimate and fake companies, military personnel or attractive young women seeking a romantic connection, in an effort to build trust with the people they targeted.
The group used a wide variety of tactics, including using custom infrastructure, to deliver their malware.
“Some of these domains pretended to be photo-sharing websites or generic app stores, while others spoof the domains of real companies, such as the Google Play Store, Microsoft’s OneDrive, and Google Drive,” the Meta report said.
In addition, this group used common file-sharing services, such as WeTransfer, to host malware for a short period of time.
The Pakistan-based actors also used link-shortening services to hide malicious URLs.
They used social card and link-preview sites, online tools used in marketing to customize which image appears when a particular URL is shared on social media, to mask redirection and ownership of domains controlled by APT36.
“APT36 did not share malware directly on our platforms, but rather used the tactics of sharing malicious links to sites they monitored and where they host malware,” Meta said.
In several cases, this group used a modified version of Android malware known as “XploitSPY”, which is available on GitHub.
While ‘XploitSPY’ appears to have originally been developed by a group of self-reported ethical hackers in India, APT36 has made changes to it to produce a new malware variant called ‘LazaSpy’.
Meta found that in this recent operation, APT36 also trojanized unofficial versions of WhatsApp, WeChat and YouTube with another commodity malware family known as Mobzsar or CapraSpy.
“Both families of malware have access to call logs, contacts, files, text messages, geolocation, device information, photos and enabling the microphone,” the report said.
Meta also removed a brigading network in India, a mass reporting network in Indonesia and coordinated inauthentic networks in Greece, India and South Africa.
Brigading is a technique where groups of people work together to harass people on Meta platforms in an attempt to intimidate and silence them.