Facebook Shuts Down Two Hacking Groups in Palestine

Wednesday, April 21, 2021

Ionut Arghire
Social media giant Facebook today announced that it took action against two groups of hackers originating from Palestine that abused its infrastructure for malware distribution and account compromise across the Internet. 

One of the dismantled networks was linked to the Preventive Security Service (PSS), one of the several intelligence services of Palestine, while the other was associated with Arid Viper, an established threat actor in the Gaza region.

The two clusters of activity, Facebook says, were not connected to one another, as one was focused on domestic audiences, while the other primarily targeted Palestinian territories and Syria, but also hit Turkey, Iraq, Lebanon and Libya.

As part of the shutdown operation, Facebook took down accounts, blocked domains, sent alerts to people who were targeted, and released malware hashes to the public.
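Published malware hashes are only useful if someone actually sweeps endpoints for them. The following is an added example, not code from Facebook or from the article: a small SHA-256 sweep that hashes every file under a directory and reports matches against an indicator list. The indicator set here is a placeholder built from constructed sample bytes so the script runs offline; in practice it would be loaded from the vendor's published hash list.

```python
"""IoC hash sweep: hash files on disk and match them against a published malware hash list."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Constructed sample contents (not real malware) used to derive placeholder IoC hashes
# so that the demo is self-contained.
SAMPLE_MALICIOUS = b"CONSTRUCTED-SAMPLE-payload-not-real-malware"
SAMPLE_BENIGN = b"hello, ordinary file"


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so large APK/IPA bundles never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, ioc_hashes: set[str]) -> list[tuple[Path, str]]:
    """Walk `root` and return (path, digest) pairs whose SHA-256 appears in `ioc_hashes`.

    Hashes are compared case-insensitively, since published lists mix upper and lower case.
    """
    wanted = {h.lower() for h in ioc_hashes}
    hits: list[tuple[Path, str]] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = sha256_of_file(path)
        if digest in wanted:
            hits.append((path, digest))
    return hits


def demo() -> list[str]:
    """Build a constructed directory tree, sweep it, and return the file names that matched."""
    # Placeholder for the vendor's published hash list (hypothetical, derived from sample bytes).
    ioc_hashes = {sha256_of_bytes(SAMPLE_MALICIOUS).upper()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "downloads").mkdir()
        (root / "downloads" / "chat.apk").write_bytes(SAMPLE_MALICIOUS)
        (root / "notes.txt").write_bytes(SAMPLE_BENIGN)
        return [path.name for path, _ in scan_tree(root, ioc_hashes)]


if __name__ == "__main__":
    for name in demo():
        print("IoC match:", name)
```

The sweep reports only exact-hash matches, so a recompiled or repacked sample with a different digest will not be flagged; hash indicators are a cheap first pass, not a substitute for behavioural detection.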

“The groups behind these operations are persistent adversaries, and we know they will evolve their tactics in response to our enforcement,” Facebook says.

The PSS-linked activity originated in the West Bank and focused on targets outside Palestine, employing social engineering to lure individuals into clicking on malicious links and getting infected with malware.

Targets included journalists, opponents of the Fatah-led government, human rights activists, the Syrian opposition, Iraqi military, and other military groups.

An in-house-built Android malware family associated with the operation masqueraded as a chat application and collected device metadata, call logs, text messages, contacts, and location; only rarely did it exhibit keylogging capabilities. All collected data was sent to the mobile app development platform Firebase.

The group also employed the publicly available Android malware family SpyNote, which offers remote access to devices, and deployed publicly available Windows malware such as NJRat and HWorm. Fake and compromised accounts were used to build trust with targeted individuals.

Also referred to as Desert Falcons and DHS, Arid Viper has been active for more than half a decade and is likely closely connected to the Molerats APT. The newly observed activity, Facebook says, targeted government officials in Palestine, members of the Fatah party, students, and security forces.

The threat actor employed a large infrastructure of more than one hundred websites that hosted iOS and Android malware, were designed for phishing, or functioned as command and control (C&C) servers.

“They appear to operate across multiple internet services, using a combination of social engineering, phishing websites and continually evolving Windows and Android malware in targeted cyber espionage campaigns,” Facebook says.

As part of the observed activity, the adversary used custom-built iOS surveillanceware dubbed Phenakite and tricked users into installing a mobile configuration profile for the malware to be effective. The malware was packed inside a Trojanized, fully-functional chat application and could direct victims to phishing pages for Facebook and iCloud.

While the app could be installed without a jailbreak, the malware did require one to elevate privileges and access sensitive user information. The publicly available Osiris jailbreak tool was used for this purpose.

Arid Viper also employed Android malware that resembled FrozenCell and VAMP and which required installation of apps from third-party sources. Variants of the Micropsia malware family were also used.

The distribution of malware relied on social engineering, with 41 attacker-controlled phishing sites used to distribute the Android malware, and a third-party Chinese app development site employed for the delivery of the iOS malware.

Facebook says that, for roughly two years, it has been in contact with industry partners to share information about the discovered activity and to identify and block the threat actors.
