The concept of using RAT apps to pull off such attacks could be used to target any group of people.

In what is dubbed the BladeHawk campaign, cybercriminals have been distributing (via Facebook profiles) two Android backdoor known as 888 RAT and SpyNote, disguised as legitimate apps.

Their target: a mobile espionage campaign against the Kurdish ethnic group. This campaign has been active since at least March 2020, appearing to provide Android news in Kurdish, and news for the Kurds’ supporters.

Researchers from cybersecurity firm ESET have identified six Facebook profiles distributing Android spying apps as part of this campaign conducted by the BladeHawk group. The profiles have been sharing the espionage apps to Facebook public groups, most of which are supporters of Masoud Barzani, former President of the Kurdistan Region, an autonomous region in northern Iraq. Altogether, the targeted Facebook groups have over 11,000 followers.

A total of 28 unique Facebook posts have been identified as part of this BladeHawk campaign. Each of these posts contained fake app descriptions and links from which ESET researchers were able to download 17 unique APKs. Some of the APK web links pointed directly to the malicious app, whereas others pointed to a third-party upload service that tracks the number of file downloads.

At the time of reporting, the spying apps had already been downloaded 1,418 times.

Espionage by remote administration tools (RATs) 

Most of the malicious Facebook posts had led to downloads of the commercial, multiplatform 888 RAT, which has been available on the black market since 2018.

The Android 888 RAT is capable of executing 42 commands received from its command and control (C&C) server. It can steal and delete files from a device, take screenshots, get the device location, phish Facebook credentials, get a list of installed apps, steal user photos, take photos, record surrounding audio and phone calls, make calls, steal SMS messages, steal the device’s contact list, and send text messages.

This espionage activity is directly connected to two cases publicly disclosed in 2020. In one case, the QiAnXin Threat Intelligence Center had named BladeHawk as the group behind the attacks. Both campaigns were distributed via Facebook, using malware that was built with commercial, automated tools (888 RAT and SpyNote), with all samples of the malware using the same C&C servers.  

Said one of the researcher who investigated this BladeHawk campaign, Lukáš Štefanko: “We reported these profiles to Facebook and they have all been taken down. Two of the profiles were aimed at tech users while the other four had posed as Kurd supporters.”