Facebook shuts Pakistani hacker group APT36: How it operated, apps used and more


Facebook has shut down a cyber espionage operation linked to hackers in Pakistan that targeted people in India, including military personnel and government officials. This Pakistani group of hackers is known in the security industry as APT36. According to Meta’s quarterly ‘Adversarial Threat Report’, their modus operandi included methods such as honey trapping and infiltrating victims’ devices with malware. “Our investigation connected this activity to state-linked actors in Pakistan,” Meta said in its report.
How the APT36 hackers worked
According to the report, the group targeted many services across the Internet — from email providers to file-hosting services to social media. “APT36 used various malicious tactics to target people online with social engineering to infect their devices with malware. They used a mix of malicious and camouflaged links, and fake apps to distribute their malware targeting Android and Windows-run devices,” says Meta’s report.
The Pakistani hacker group used fictitious personas — posing as recruiters for both legitimate and fake companies, military personnel or attractive young women looking to make a romantic connection — in an attempt to build trust with the people they targeted. The group deployed a wide range of tactics, including the use of custom infrastructure, to deliver their malware. Additionally, this group used common file-sharing services like WeTransfer to host malware for short periods of time.

APT36 used fake versions of WhatsApp, YouTube, Google Drive and more
Meta found that in this recent operation, APT36 had also trojanised (non-official) versions of WhatsApp, WeChat and YouTube with another commodity malware family known as Mobzsar or CapraSpy. The Pakistan-based hackers also used link-shortening services to disguise malicious URLs.
They used social cards and preview sites — online tools used in marketing to customise what image is displayed when a particular URL is shared on social media — to mask redirection and ownership of domains APT36 controlled. “Some of these domains masqueraded as photo-sharing websites or generic app stores, while others spoofed the domains of real companies like the Google Play Store, Microsoft’s OneDrive, and Google Drive,” the report adds.
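The two tricks described above, shortened links and hostnames that borrow a brand name while sitting under an attacker-owned domain, are exactly what a URL triage pass should separate before an analyst clicks anything. The following is an added example, not code from the report or from Meta; the shortener list, the legitimate-domain list and the sample links are all constructed for the demonstration, and the registrable-domain logic is a two-label simplification (a Public Suffix List lookup belongs in real use).

```python
from urllib.parse import urlparse

# Registrable domains that actually belong to the brands the report names as
# spoofed (assumed list, enough for the demonstration).
LEGIT_DOMAINS = {"google.com", "microsoft.com", "live.com"}
# Brand tokens a lookalike hostname is likely to embed somewhere in its labels.
BRAND_TOKENS = ("google", "play", "drive", "onedrive", "microsoft")
# Link-shortening hosts; constructed list, extend it from your own telemetry.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly"}


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Simplification: a real deployment
    should use the Public Suffix List so that e.g. example.co.in works."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'shortener', 'lookalike', 'legit' or 'other'. 'lookalike' means a
    brand token appears in the hostname but the registrable domain is not the
    brand's own, i.e. the brand name is only decoration in a subdomain/label."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "other"
    reg = registrable_domain(host)
    if reg in SHORTENERS or host in SHORTENERS:
        return "shortener"
    if reg in LEGIT_DOMAINS:
        return "legit"
    if any(tok in host for tok in BRAND_TOKENS):
        return "lookalike"
    return "other"


def triage(urls):
    """Group URLs by class so the suspicious buckets can be reviewed first."""
    out = {"shortener": [], "lookalike": [], "legit": [], "other": []}
    for u in urls:
        out[classify_url(u)].append(u)
    return out


# Constructed sample links, not indicators from the report.
SAMPLE_LINKS = [
    "https://play.google.com/store/apps/details?id=com.example",
    "https://play.google.com.app-store-dl.example/app.apk",
    "http://onedrive-microsoft-share.example/doc",
    "https://bit.ly/placeholder",
    "https://photos-share.example/album",
]
```

Shortened links still need to be expanded in a sandboxed fetch before they can be classified; the heuristic above only tells you they are opaque.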

In several cases, this group used a modified version of commodity Android malware known as ‘XploitSPY’ available on GitHub. While ‘XploitSPY’ appears to have been originally developed by a group of self-reported ethical hackers in India, APT36 made modifications to it to produce a new malware variant called ‘LazaSpy’. “Both malware families are capable of accessing call logs, contacts, files, text messages, geolocation, device information, photos and enabling microphone,” said the report.
