Facebook disrupts Pakistani and Syrian hacker groups that targeted Afghans, journalists, and humanitarian organizations

Facebook revealed it has disrupted four groups of hackers from Pakistan and Syria that used its social-media platform to conduct attacks against a wide range of targets in Afghanistan and Syria, including former Afghan officials, civil society, journalists, humanitarian organizations and the anti-regime military forces.

According to Meta, Facebook's parent company, the Pakistan-based group, known as SideCopy, targeted individuals connected to the previous Afghan government, military, and law enforcement in Kabul. The group used "romantic lures" from fake personas posing as young women on Facebook to build trust with targets and entice them to click on phishing links or install malicious chat apps. The campaign, which ran between April and August 2021, relied on malicious links that redirected users to phishing websites hosting malware.

The hackers operated fake app stores and compromised legitimate websites to trick targets into installing trojanized chat apps disguised as Viber and Signal, or custom-made Android apps that contained malware to compromise devices. Among them were apps named HappyChat, HangOn, ChatOut, TrendBanter, SmartSnap, and TeleChat - some of which were in fact functioning chat applications. These apps delivered two malware families - the PJobRAT spyware and a previously undocumented Android malware called ‘Mayhem’.

The second hacking group, known as the Syrian Electronic Army (SEA) or APT-C-27, targeted people in Syria, including humanitarian organizations, journalists and activists in Southern Syria, critics of the government, and individuals associated with the anti-regime Free Syrian Army, mainly using social engineering tactics to trick victims into installing malware.

The third Syrian hacker group, APT-C-37, focused on people linked to the Free Syrian Army and former military personnel who had since joined the opposition forces. This group relied on social engineering to distribute the SandroRAT malware and a custom Android malware strain called 'SSLove'. The malware allowed attackers to collect sensitive user data, including call logs, contacts, device information and user accounts, to take photos, and to retrieve attacker-specified files from the device.

The fourth threat actor, believed to be working on behalf of the Syrian government, targeted minority groups; activists; opposition in Southern Syria, including in Sweida, Huran, Qunaitra and Daraa; Kurdish journalists, activists in Northern Syria, including Kamishl, Kubbani, Manbij, and Al-Hasakah; members of the People’s Protection Units (YPG); and Syria Civil Defense (the White Helmets, a volunteer-based humanitarian organization). The group operated websites hosting Android malware called 'SpyNote' and 'SpyMax' masquerading as apps and updates themed around the United Nations, White Helmets, YPG, Syrian satellite TV, COVID-19, WhatsApp and YouTube.

The company did not provide figures on the number of accounts potentially affected by the above-mentioned malicious campaigns. Meta said it has shared the information with the relevant authorities and notified the users it believes were targeted.
