South Asian Cyberespionage Actors Used Fake Facebook Profiles to Trick Victims
Social media giant Meta took down hundreds of fake Facebook and Instagram accounts used by South Asian advanced persistent threat groups to glean sensitive information and coax users into installing malware.
Facebook says it spotted an unnamed Pakistani-linked threat actor, the likely India-affiliated Patchwork advanced persistent threat group, and the Bahamut threat actor, whose affiliation is unknown (see: SideCopy APT Targets India’s Premier Defense Research Agency).
Meta removed 120 Facebook accounts of the unidentified Pakistani state-linked group, saying the hackers use fictitious personae to impersonate job recruiters, journalists and women looking to make a romantic connection. They favor the GravityRAT malware, “a low-sophistication malware family capable of gathering sensitive user data” with a history of use by actors targeting India.
The threat actors use domains that masquerade as file-storing and -sharing services or recruiting-related websites and also use Google Drive and Dropbox to host GravityRAT.
Meta also took action against India-based Patchwork, which targeted military personnel, activists and minority groups in Pakistan, India, Bangladesh, Sri Lanka, the Tibet region and China. Like Bahamut, Patchwork used around 50 fake personae on Facebook and Instagram, including those of defense intelligence consultants, military personnel and journalists.
Meta said Patchwork succeeded in placing malicious chat apps into the Google Play Store – apps that are no longer available. “These apps contained relatively basic malicious functionality with the access to user data solely reliant on legitimate app permissions granted by the end user,” the company wrote.
Meta also removed 110 Facebook and Instagram accounts used by the Bahamut hacking group to target military personnel, government employees, activists and other people in India and Pakistan. The company said Bahamut conducted cyberespionage activities using link-shortening services, compromised or attacker-controlled websites, official and spoofed app stores and third-party hosting providers.
Bahamut primarily uses fake social media personae of journalists, recruiters for large technology companies, students and activists to socially engineer people into downloading malware or sharing sensitive personal data. According to Meta, the APT group also sets up domains that mimic those of genuine regional media outlets, VPN providers, political organizations, or legitimate app stores and masquerade as secure chat, file-sharing, connectivity, or news applications.
This isn’t the first time that Meta has cracked down on threat groups. The company said last August that it had taken action against South Asia-based Bitter APT and Pakistan-based APT36 for using fake social media personae and distributing malware.