ESET researchers have investigated a targeted mobile espionage campaign against the Kurdish ethnic group, and that has been active since at least March 2020.
ESET researchers have investigated a targeted mobile espionage campaign against the Kurdish ethnic group. This campaign has been active since at least March 2020, distributing (via dedicated Facebook profiles) two Android backdoors known as 888 RAT and SpyNote, disguised as legitimate apps. These profiles appeared to be providing Android news in Kurdish, and news for the Kurds’ supporters. Some of the profiles deliberately spread additional spying apps to Facebook public groups with pro-Kurd content. Data from a download site indicates at least 1,481 downloads from URLs promoted in just a few Facebook posts.
The newly discovered Android 888 RAT has been used by the Kasablanka group and by BladeHawk. Both of them used alternative names to refer to the same Android RAT – LodaRAT and Gaza007 respectively.
BladeHawk Android espionage
The espionage activity reported here is directly connected to two publicly disclosed cases published in 2020. QiAnXin Threat Intelligence Center named the group behind these attacks BladeHawk, which we have adopted. Both campaigns were distributed via Facebook, using malware that was built with commercial, automated tools (888 RAT and SpyNote), with all samples of the malware using the same C&C servers.
We identified six Facebook profiles as part of this BladeHawk campaign, sharing these Android spying apps. We reported these profiles to Facebook and they have all been taken down. Two of the profiles were aimed at tech users while the other four posed as Kurd supporters. All these profiles were created in 2020 and shortly after creation they started posting these fake apps. These accounts, except for one, have not posted any other content besides Android RATs masquerading as legitimate apps.
These profiles are also responsible for sharing espionage apps to Facebook public groups, most of which were supporters of Masoud Barzani, former President of the Kurdistan Region; an example can be seen in Figure 1. Altogether, the targeted groups have over 11,000 followers.
Figure 1. One of the Facebook posts
Figure 3. Snapchat phishing website
We identified 28 unique posts as part of this BladeHawk campaign. Each of these posts contained fake app descriptions and links to download an app, and we were able to download 17 unique APKs from these links. Some of the APK web links pointed directly to the malicious app, whereas others pointed to the third-party upload service top4top.io, which tracks the number of file downloads (see Figure 4). Because of that, we obtained the total number of downloads from top4top.io for those eight apps. These eight apps were downloaded altogether 1,481 times, from July 20, 2020 until June 28, 2021.
Figure 4. Information about one RAT sample hosted on a third-party service
To our knowledge, this campaign targeted only Android users, with the threat actors focused on two commercial Android RAT tools – 888 RAT and SpyNote. We found only one sample of the latter during our research. As it was built using an old, already analyzed SpyNote builder, here we include only the analysis of the 888 RAT samples.
Android 888 RAT
This commercial, multiplatform RAT was originally only published for the Windows ecosystem for $80. In June 2018, it was extended in the Pro version with the additional capability to build Android RATs ($150). Later, the Extreme version could create Linux payloads as well ($200).
Figure 5. Price for 888 RAT
Figure 6. Cracked version of 888 RAT builder
888 RAT has not been directly identified with any organized campaigns before; this is the first time this RAT has been assigned as an indicator of a cyberespionage group.