Both APT36 and Bitter APT were observed orchestrating cyber-espionage campaigns earlier this year, so Facebook’s report gives a new dimension to their recent activities. The Pakistan-aligned state-sponsored actor APT36 was recently exposed in a campaign targeting the Indian government using MFA-bypassing tools. The Bitter APT was also observed in May 2022, targeting the government of Bangladesh with a new malware that featured remote file execution capabilities.
One of the highlights of the Q2 2022 adversarial threat report from Meta (Facebook) is the identification of two cyber-espionage clusters linked to the hacker organisations Bitter APT and APT36 (also known as “Transparent Tribe”) that use fresh Android malware. These cyberspying agents utilise social media sites like Facebook to gather intelligence (OSINT) or to approach victims under false identities and then coerce them into downloading malware from external platforms.
“This group has aggressively responded to our detection and blocking of its activity and domain infrastructure,” comments Meta in the report. “For example, Bitter would attempt to post broken links or images of malicious links so that people would have to type them into their browser rather than click on them — all in an attempt to unsuccessfully evade enforcement.”
Meta’s report explains that Bitter APT engaged in social engineering against targets in New Zealand, India, Pakistan, and the United Kingdom, using lengthy interactions and investing significant time and effort. The group’s goal was to infect its targets with malware, and for this purpose, it used a combination of URL shortening services, compromised sites, and third-party file hosting providers.
Bitter’s recent attacks also revealed additions to the threat actor’s arsenal in the form of two mobile apps, targeting iOS and Android users, respectively. The iOS version was a chat app delivered via Apple’s TestFlight service, a testing space for app developers. Typically, threat actors convince victims to download these chat apps by presenting them as “safer” or “more secure.” The Android app discovered by Facebook is a new malware that Meta named ‘Dracarys,’ which abuses accessibility services to give itself increased permissions without the user’s consent.