Facebook threat intelligence analysts say they discovered campaigns linked to AridViper, an espionage group that has been active since 2015 and uses Android and Windows malware together with advanced social engineering tactics to target journalists, human rights activists and military groups in Palestine, Syria, Turkey, Iraq, Lebanon and Libya for cyber espionage.
Facebook accounts associated with the hacking networks, including those used to distribute malware, have been cancelled, and the company said it has notified targets and shared its findings with other tech companies to prevent further distribution of the malware.
AridViper, which is also known as DesertFalcon and APT-C-23, was first reported conducting cyber espionage campaigns in the Middle East by Kaspersky Lab in 2015. The APT group used more than 100 websites that hosted iOS and Android malware used for credential theft.
Researchers uncovered a never-before-seen, custom-built iOS malware strain dubbed Phenakite. “Installation of Phenakite required that people be tricked into installing a mobile configuration profile,” the report notes. “Post-installation, a jailbreak was necessary for the malware to elevate its privileges to retrieve sensitive user information not accessible via standard iOS permission requests. This was achieved with the publicly available Osiris jailbreak that made use of the Sock Port exploit, both of which were bundled in the malicious iOS app store packages.”
The group also used an Android malware strain, known as AridViper, that is similar to FrozenCell and VAMP, Facebook notes. This malware was spread through attacker-controlled phishing sites, the report adds.