Pakistani Hackers Used ‘Romantic Lures’ To Target Afghan Officials: Report

Hackers from Pakistan used Facebook to target people in Afghanistan, the company’s threat investigators said.

The social media company, which recently changed its name to Meta, said “in August, we removed a group of hackers from Pakistan, known in the security industry as SideCopy, that targeted people in Afghanistan, particularly those with links to the Afghan government, military and law enforcement in Kabul. Given the ongoing crisis and the government collapse at the time, we moved quickly to complete the investigation and take action to protect people on our platform, share our findings with industry peers, law enforcement and researchers, and alert those who we believe were targeted. In addition, we rolled out a number of security measures for people in Afghanistan to protect their Facebook accounts.”

“This malicious activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it. On our platform, this cyber-espionage campaign ramped up between April and August of 2021 and manifested primarily in sharing links to malicious websites hosting malware,” Facebook’s head of cyber espionage investigations, Mike Dvilyanski, said.

Facebook said, “we identified the following tactics, techniques and procedures (TTPs) used by this threat actor across the internet, including on our apps (threat indicators can be found at the end of the report):

  • This group created fictitious personas — typically young women — as romantic lures to build trust with potential targets and trick them into clicking on phishing links or downloading malicious chat applications.
  • They operated fake app stores and also compromised legitimate websites to host malicious phishing pages to manipulate people into giving up their Facebook credentials.
  • SideCopy attempted to trick people into installing trojanized chat apps (i.e. they contained malware that misled people about its true intent), including messengers posing as Viber and Signal, or custom-made Android apps that contained malware to compromise devices. Among them were apps named HappyChat, HangOn, ChatOut, TrendBanter, SmartSnap, and TeleChat — some of which were in fact functioning chat applications.
  • These apps typically included two malware families: PJobRAT and a previously unreported Android malware strain we are calling Mayhem. These two families have the ability to retrieve people’s contact list, text messages, call logs, location information, media files on the device or connected external storage, and general device metadata. They can also scrape content on the device’s screen via accessibility services.
  • In August, 2021, the group shifted to using bit[.]ly URL shortener links to mask the final destination they were redirecting their targets to after they clicked on the malicious link.
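The capability set described above (contacts, text messages, call logs, location, media files, and screen scraping through accessibility services) gives a defender a concrete triage profile for a suspicious chat app. The following is an added example, not code from Meta's report or from the SideCopy tooling: it parses an Android manifest and scores the combination of data-access permissions and a declared accessibility service. The permission-to-capability mapping and both sample manifests are constructed assumptions for illustration, not indicators from the report.

```python
"""Triage helper (added example, not from Meta's report): rate an Android
manifest by how closely its permission set and accessibility-service
declaration match the capabilities attributed to PJobRAT and Mayhem."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS

# Assumed mapping from the report's capability list to the permissions that
# usually back each capability; the grouping is the author's assumption.
CAPABILITY_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "media": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.WRITE_EXTERNAL_STORAGE"},
}
# An accessibility service is declared as a <service> guarded by this permission.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def parse_manifest(xml_text):
    """Return (set of requested permissions, whether an accessibility service is declared)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    accessibility = any(
        s.get(PERMISSION_ATTR) == ACCESSIBILITY_PERMISSION for s in root.iter("service")
    )
    return perms, accessibility


def assess(xml_text):
    """Score a manifest: which report-listed capabilities it could exercise and a verdict."""
    perms, accessibility = parse_manifest(xml_text)
    caps = sorted(c for c, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)
    if accessibility:
        caps.append("screen_scraping")
    # A legitimate messenger plausibly needs contacts and media; the full data-access
    # set combined with an accessibility service is the profile the report describes.
    if accessibility and len(caps) >= 4:
        verdict = "high"
    elif len(caps) >= 3:
        verdict = "medium"
    else:
        verdict = "low"
    return {"capabilities": caps, "accessibility_service": accessibility, "verdict": verdict}


# Constructed sample: a "chat app" requesting every data source in the report
# plus an accessibility service. Package name and class names are placeholders.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".ScreenService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: a messenger that only asks for what a chat app needs.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, assess(manifest))
```

The verdict thresholds are deliberately coarse: the point is not that any single permission is malicious, but that a messenger which requests the whole data-access set and also binds an accessibility service matches the profile described above and deserves manual review before it is allowed on a managed device.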

The same tactics were used against India

SideCopy has also run malware campaigns targeting entities in India. In the past, the attackers have used malicious LNK files and documents to distribute their staple C#-based RAT, which researchers have dubbed “CetaRAT.” SideCopy also relies heavily on AllaKore RAT, a publicly available Delphi-based RAT.
