BladeHawk Android espionage
The espionage activity reported here is directly connected to two publicly
disclosed cases published in 2020. QiAnXin Threat Intelligence Center named the
group behind these attacks BladeHawk, which we have adopted. Both campaigns
were distributed via Facebook, using malware that was built with commercial,
automated tools (888 RAT and SpyNote), with all samples of the malware using
the same C&C servers.
Distribution
We identified six Facebook profiles as part of this BladeHawk campaign, sharing these Android spying apps.
We reported these profiles to Facebook and they have all been taken down. Two
of the profiles were aimed at tech users while the other four posed as Kurd
supporters. All these profiles were created in 2020 and shortly after creation
they started posting these fake apps. These accounts, except for one, have not
posted any other content besides Android RATs masquerading as legitimate apps.
These profiles are also responsible for sharing espionage apps to Facebook public groups, most of which
were supporters of Masoud Barzani, former President of the Kurdistan Region; an
example can be seen in Figure 1. Altogether, the targeted groups have over
11,000 followers.
Read full article on www.welivesecurity.com