Meta

Taking Action Against Hackers in Pakistan and Syria

Today, we are sharing actions we’ve taken against four distinct groups of hackers in Pakistan and Syria over the past several months. To disrupt these malicious groups, we disabled their accounts, blocked their domains from being posted on our platform, shared information with our industry peers, security researchers and law enforcement, and alerted the people who we believe were targeted by these hackers.

The group from Pakistan — known in the security industry as SideCopy — targeted people who were connected to the previous Afghan government, military, and law enforcement in Kabul. In Syria, we removed three distinct hacker groups with links to the Syrian government. The first network in Syria — known as the Syrian Electronic Army — targeted human rights activists, journalists and other groups opposing the ruling regime. We linked this activity to Syria’s Air Force Intelligence. The second network from Syria — known in the security community as APT-C-37 — targeted people linked to the Free Syrian Army and former military personnel who had since joined the opposition forces. Our investigation linked this activity by APT-C-37 to what we believe is a separate unit in Syria’s Air Force Intelligence. Finally, the third network from Syria targeted minority groups, activists and opposition figures, Kurdish journalists and activists, members of the People’s Protection Units (YPG), and Syria Civil Defense (the White Helmets), a volunteer-based humanitarian organization. Our investigation found links between this activity and individuals associated with the Syrian government.

Meta’s threat intelligence analysts and security experts work to find and stop a wide range of threats including cyber espionage campaigns, influence operations and hacking of our platform by nation-state actors and other groups. As part of these efforts, our teams routinely disrupt adversary operations by disabling them, notifying users if they should take steps to protect their accounts, sharing our findings publicly and continuing to improve the security of our products.

Here are the details on each disruption:

1. Pakistan

In August, we removed a group of hackers from Pakistan, known in the security industry as SideCopy, that targeted people in Afghanistan, particularly those with links to the Afghan government, military and law enforcement in Kabul. Given the ongoing crisis and the government collapse at the time, we moved quickly to complete the investigation and take action to protect people on our platform, share our findings with industry peers, law enforcement and researchers, and alert those who we believe were targeted. In addition, we rolled out a number of security measures for people in Afghanistan to protect their Facebook accounts.

This malicious activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it. On our platform, this cyber espionage campaign ramped up between April and August of 2021 and manifested primarily in sharing links to malicious websites hosting malware.

We identified the following tactics, techniques and procedures (TTPs) used by this threat actor across the internet, including on our apps (threat indicators can be found at the end of the report):

2. Syria

In October, we took down a hacking group, known in the security community as the Syrian Electronic Army (SEA) or APT-C-27, that targeted people in Syria, including humanitarian organizations, journalists and activists in Southern Syria, critics of the government, and individuals associated with the anti-regime Free Syrian Army. Our investigation found that this threat actor has been subsumed into the Syrian government forces in recent years, with this latest activity linked to Syria’s Air Force Intelligence. On our platform, this campaign manifested primarily in targeting people with social engineering tactics to trick them into clicking on links or downloading malicious software.

We identified the following TTPs used by this threat actor across the internet, including on our apps (threat indicators can be found at the end of the report):

3. Syria

In October, we took down a hacking group, known in the security community as APT-C-37, that targeted people linked to the Free Syrian Army and former military personnel who had since joined the opposition forces. Our investigation linked this activity by APT-C-37 to what we believe is a separate unit in Syria’s Air Force Intelligence. This operation on our platform involved social engineering tactics to trick people into clicking on links to malicious websites hosting malware or credential phishing campaigns aimed at obtaining access to people’s Facebook accounts.

We identified the following TTPs used by this threat actor across the internet, including on our apps (threat indicators can be found at the end of the report):

4. Syria

We took down a hacking group that targeted minority groups; activists; opposition in Southern Syria, including in Sweida, Huran, Qunaitra and Daraa; Kurdish journalists, activists in Northern Syria, including Kamishl, Kubbani, Manbij, and Al-Hasakah; members of the People’s Protection Units (YPG); and Syria Civil Defense (the White Helmets, a volunteer-based humanitarian organization). Our investigation found links between this activity and individuals associated with the Syrian government. On our platform, this operation manifested primarily as social engineering and sharing links to malicious websites.

We identified the following TTPs used by this threat actor across the internet, including on our apps (threat indicators can be found at the end of the report):

Threat Indicators

1. Pakistan

Domains & C2s:

| Domain | Description |
|---|---|
| androappstore[.]com | Hosting PJobRAT and Mayhem |
| www[.]apphububstore[.]in | Hosting PJobRAT |
| appsstore[.]in | Hosting PJobRAT |
| apkstore.filehubspot[.]com | Believed to be hosting PJobRAT |
| helloworld.bounceme[.]net | Command and control server for PJobRAT |
| dasvidaniya.ddns[.]net | Command and control server for PJobRAT |
| gemtool.sytes[.]net | Command and control server for PJobRAT |
| saahas.servecounterstrike[.]com | Command and control server for Mayhem |

Hashes:

| MD5 | Description | Malware Family |
|---|---|---|
| 7804aa608d73e7a9447ae177c31856fe | ViberLite v4 | PJobRAT |
| a80a1b022fdcaa171e454086711dcf35 | ViberLite v3 | PJobRAT |
| a4f104e2058261c7dbfc1c69e1de8bce | ViberLite v2 | PJobRAT |
| 4ce92da8928a8d1d72289d126a9fe2f4 | HangOn V4e | PJobRAT |
| a53c74fa923edce0fa5919d11f945bcc | HangOn v4 | PJobRAT |
| 9fd4b37cbaf0d44795319977118d439d | HangOn | PJobRAT |
| 7bef7a2a6ba1b2aceb84ff3adb5db8b3 | TrendBanter | PJobRAT |
| v21b4327d6881be1893fd2a8431317f6b | Happy Chat | Mayhem |

2. SEA / APT-C-27

Domains & C2s:

| Domain / IP | Description |
|---|---|
| faccebookaccunt[.]blogspot[.]com | Credential phishing |
| ruba-bakkour-facebook[.]blogspot[.]com | Credential phishing |
| chatsafe[.]tecnova.com[.]br | Distribution of SilverHawk in 2020 |
| download-telegram.vercel[.]app | Used by SEA affiliated individuals to distribute a new unnamed Android family |
| download-revo.vercel[.]app | Used by SEA affiliated individuals to distribute a new unnamed Android family |
| 82.137.218[.]185 | Command and control server. Used to distribute a variety of commodity and custom Android malware. |

Hashes:

| MD5 | Description | Malware Family |
|---|---|---|
| df196bd42e1da1d34c23c8d947561618 | Fake version of Telegram | Unnamed |
| ccabc8f4868184a04b032b34d9303810 | Trojanized Syrian News app | Unnamed |

3. APT-C-37

Domains & C2s:

| Domain / IP | Description |
|---|---|
| 82.137.255[.]0 | Long running command and control server |

Hashes:

| MD5 | Description | Malware Family |
|---|---|---|
| 969fe5597a44bf4eb66ebdc7b09ef2c8 | Fake version of WhatsApp | SSLove |

4. Unnamed Cluster

Domains & C2s:

| Domain / IP | Description |
|---|---|
| f-b[.]today | Hosting SpyMax |
| messengers[.]video | Hosting SpyMax |
| whatsapp-sy[.]com | Hosting SpyMax |
| horan-free[.]com | Believed to have been hosting SpyMax |
| druze[.]life | Believed to have been hosting SpyMax |
| suwayda-24[.]com | Believed to have been hosting SpyMax |
| t-me[.]link | Believed to have been hosting SpyMax |
| lamat-horan[.]com | Hosting unnamed Android malware |
| anti-corona[.]app | Believed to have been hosting SpyMax |
| what-sapp[.]site | Believed to have been hosting SpyMax |
| informnapalm[.]net | Hosting trojanized apps for the YPG, Syrian Civil Defense, and malware pretending to be an update for WhatsApp |
| facebook-helps-center[.]com | Older infrastructure hosting SpyMax malware pretending to be a WhatsApp update |
| 46.4.83[.]140 | Command and control server |
| sputniknews[.]news | Believed to be attacker controlled |
| emmashop[.]app | Believed to be attacker controlled |
| face-book[.]xyz | Believed to be attacker controlled |

Hashes:

| MD5 | Description | Malware Family |
|---|---|---|
| 762acdd53eb35cd48686b72811ba9f3c | Hosted on lamat-horan[.]com. First seen in 2019. 0 detections on VT. | Unnamed |
| fcf357556c3af14bab820810f5e94436 | Hosted on f-b[.]today. Masquerading as a Syrian satellite TV app. | SpyMax |
| e8a528491b28e4d62a472da7396c7047 | Hosted on f-b[.]today. Masquerading as a YouTube update. | SpyMax |
| 1c16ee8b2f0dff7280e1d97522ee7e3f | Hosted on informnapalm[.]net. A Syria themed APK. | SpyNote |
| ce274c0bd0743695529a43d7992e2d2c | Hosted on informnapalm[.]net. Masquerading as a WhatsApp update. | SpyMax |
| 185062606b168f04b8b583045d300be5 | Hosted on informnapalm[.]net. Masquerading as an app for the YPG. | SpyMax |
| c2e55b0d7be1c1991a5b70be7280e528 | Hosted on informnapalm[.]net. Masquerading as an app for the Syrian Civil Defence. | SpyMax |
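The indicators above are published defanged (the "[.]" notation) and are meant to be consumed by defenders. As an added example that is not part of Meta's report, the Python below takes a handful of the listed domains, IPs and MD5s, refangs them, checks that each published hash is actually a well-formed MD5 (the Mayhem "Happy Chat" entry is not, as printed above, and is flagged for manual review rather than silently used), and then runs the resulting indicator sets over a DNS query log and a file-hash inventory. The indicator values are copied from the tables; the log format, log lines, file paths and the inventory are constructed for the example.

```python
"""Added example (not from Meta's report): use the published indicators for
detection over a DNS log and a file-hash inventory."""
import re
from typing import Dict, List, Tuple

# Indicator values copied from the report, still in defanged form.
DEFANGED_DOMAINS: Dict[str, str] = {
    "androappstore[.]com": "SideCopy: hosting PJobRAT and Mayhem",
    "helloworld.bounceme[.]net": "SideCopy: PJobRAT C2",
    "82.137.218[.]185": "SEA / APT-C-27: Android malware C2",
    "informnapalm[.]net": "Unnamed Syrian cluster: SpyMax hosting",
    "face-book[.]xyz": "Unnamed Syrian cluster: believed attacker controlled",
}

PUBLISHED_HASHES: Dict[str, str] = {
    "7804aa608d73e7a9447ae177c31856fe": "PJobRAT (ViberLite v4)",
    "969fe5597a44bf4eb66ebdc7b09ef2c8": "SSLove (fake WhatsApp)",
    # Reproduced exactly as published; not a valid 32-hex-digit MD5.
    "v21b4327d6881be1893fd2a8431317f6b": "Mayhem (Happy Chat)",
}

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into a value that can be matched against logs."""
    return indicator.replace("[.]", ".").strip().lower()


# Refanged lookup table used by the DNS scan.
INDICATOR_DOMAINS: Dict[str, str] = {refang(k): v for k, v in DEFANGED_DOMAINS.items()}


def validate_hashes(hashes: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split published hashes into usable lowercase MD5s and malformed entries."""
    good: Dict[str, str] = {}
    bad: List[str] = []
    for h, desc in hashes.items():
        norm = h.strip().lower()
        if MD5_RE.match(norm):
            good[norm] = desc
        else:
            bad.append(h)  # keep the original text so an analyst can check the source
    return good, bad


def domain_matches(candidate: str, indicator: str) -> bool:
    """Exact match or a subdomain of the indicator; 'notexample.com' must not match 'example.com'."""
    return candidate == indicator or candidate.endswith("." + indicator)


def scan_dns_log(lines: List[str], domains: Dict[str, str]) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, queried_name, matched_indicator, description) for every hit.

    Constructed log format for this example: "<timestamp> <client-ip> query <name>."
    """
    hits: List[Tuple[int, str, str, str]] = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        qname = parts[3].rstrip(".").lower()
        for ind, desc in domains.items():
            if domain_matches(qname, ind):
                hits.append((n, qname, ind, desc))
    return hits


def scan_hash_inventory(inventory: Dict[str, str], hashes: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, description) for every file whose MD5 is a known indicator."""
    return [(path, hashes[md5.lower()]) for path, md5 in inventory.items() if md5.lower() in hashes]


# Constructed sample data (not from the report).
SAMPLE_DNS_LOG = [
    "2021-06-02T10:14:01Z 10.0.0.5 query www.androappstore.com.",
    "2021-06-02T10:14:09Z 10.0.0.5 query update.example.org.",
    "2021-06-02T10:15:33Z 10.0.0.7 query helloworld.bounceme.net.",
    "2021-06-02T10:16:00Z 10.0.0.9 query notinformnapalm.net.",  # must not match
]
SAMPLE_INVENTORY = {
    "/sdcard/Download/ViberLite.apk": "7804AA608D73E7A9447AE177C31856FE",  # uppercase on purpose
    "/sdcard/Download/notes.apk": "d41d8cd98f00b204e9800998ecf8427e",
}


def run_example() -> dict:
    good, bad = validate_hashes(PUBLISHED_HASHES)
    return {
        "malformed_hashes": bad,
        "dns_hits": scan_dns_log(SAMPLE_DNS_LOG, INDICATOR_DOMAINS),
        "file_hits": scan_hash_inventory(SAMPLE_INVENTORY, good),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

Matching on the registered domain plus its subdomains is deliberate: several of the listed C2 hosts sit on dynamic-DNS services (ddns, sytes, bounceme), so a match on the full host is what you want there, while a hosting domain such as f-b[.]today is worth flagging for any label beneath it. The suffix check with a leading dot is the edge case to get right, otherwise unrelated names that merely end in the indicator string produce false positives.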