How the APT36 hackers worked
According to the report, the group targeted many services across the Internet — from email providers to file-hosting services to social media. “APT36 used various malicious tactics to target people online with social engineering to infect their devices with malware. They used a mix of malicious and camouflaged links, and fake apps to distribute their malware targeting Android and Windows-run devices,” says Meta’s report.
The Pakistani hacker group used fictitious personas — posing as recruiters for both legitimate and fake companies, military personnel or attractive young women looking to make a romantic connection — in an attempt to build trust with the people they targeted. The group deployed a wide range of tactics, including the use of custom infrastructure, to deliver their malware. Additionally, this group used common file-sharing services like WeTransfer to host malware for short periods of time.
APT36 used fake versions of WhatsApp, YouTube, Google Drive and more
Meta found that in this recent operation, APT36 had also trojanised (non-official) versions of WhatsApp, WeChat and YouTube with another commodity malware family known as Mobzsar or CapraSpy. The Pakistan-based hackers also used link-shortening services to disguise malicious URLs.
They used social cards and preview sites — online tools used in marketing to customise what image is displayed when a particular URL is shared on social media — to mask redirection and ownership of domains APT36 controlled. “Some of these domains masqueraded as photo-sharing websites or generic app stores, while others spoofed the domains of real companies like the Google Play Store, Microsoft’s OneDrive, and Google Drive,” the report adds.
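The two delivery tricks described above (link-shortening services and domains that spoof Google Play, OneDrive and Google Drive) are things a defender can triage in bulk from proxy or mail logs. The following is an added example, not code from Meta's report or from any tool it mentions: it takes a list of URLs and tags each one as a known shortener, an IP-literal host, a legitimate brand domain, or a brand lookalike (a host that mentions a brand name but whose registrable domain is not the brand's). The shortener list, brand tokens and sample URLs are constructed for the illustration; the registrable-domain logic is deliberately naive (last two labels, no public-suffix list) and is marked as such.

```python
import re
from urllib.parse import urlsplit

# Registrable domains the spoofed brands legitimately live under (assumption for this example).
LEGIT_REGISTRABLE = {"google.com", "live.com", "microsoft.com"}
# Brand tokens whose presence in a hostname is worth a second look (constructed list).
BRAND_TOKENS = ("google", "onedrive", "drive", "playstore")
# Common public link-shortener hosts (constructed list, not from the report).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "cutt.ly", "is.gd"}


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a host.

    Naive on purpose: without a public-suffix list, hosts under 'co.uk'-style
    suffixes are mis-handled. Enough for the illustration, not for production.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> list[str]:
    """Tag a single URL with the delivery tricks it exhibits."""
    tags: list[str] = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["unparseable"]

    if host in SHORTENER_HOSTS:
        tags.append("shortener")          # destination hidden behind a redirect
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        tags.append("ip-literal")         # no domain at all, common for throwaway hosting

    # Compare with hyphens removed so 'drive-google.example.net' still matches 'google'.
    mentions_brand = any(tok in host.replace("-", "") for tok in BRAND_TOKENS)
    if mentions_brand:
        if registrable_domain(host) in LEGIT_REGISTRABLE:
            tags.append("legit-brand")
        else:
            # e.g. 'drive.google.com.files-share.example': brand as a subdomain of a stranger
            tags.append("brand-lookalike")

    return tags or ["no-flag"]


def scan(urls: list[str]) -> dict[str, list[str]]:
    """Classify every URL in a batch; returns url -> tags."""
    return {u: classify_url(u) for u in urls}


# Constructed sample URLs (documentation-only hosts; nothing here is a real IoC).
SAMPLE_URLS = [
    "https://drive.google.com/file/d/abc123/view",
    "https://drive.google.com.files-share.example/app.apk",
    "http://bit.ly/3xyzABC",
    "https://onedrive-live.example.net/download/update.apk",
    "http://203.0.113.7/whatsapp.apk",
    "https://wetransfer.com/downloads/abc",
]

if __name__ == "__main__":
    for url, tags in scan(SAMPLE_URLS).items():
        print(f"{', '.join(tags):18} {url}")
```

A shortener tag on its own is only a prompt to expand the link (with a sandboxed fetch or the shortener's preview feature) before judging it; the lookalike tag is the stronger signal, because a brand name sitting under someone else's registrable domain is exactly the pattern the report describes.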
In several cases, this group used a modified version of commodity Android malware known as ‘XploitSPY’ available on GitHub. While ‘XploitSPY’ appears to have been originally developed by a group of self-reported ethical hackers in India, APT36 made modifications to it to produce a new malware variant called ‘LazaSpy’. “Both malware families are capable of accessing call logs, contacts, files, text messages, geolocation, device information, photos and enabling microphone,” said the report.