Meta has disrupted two separate cyberespionage groups from Iran that were using a variety of tactics on its platforms to target academics, activists, journalists and other victims. One of the groups, which has not been previously identified, was impersonating legitimate companies and used a complex network of fake personas across Facebook, Telegram, and other platforms to entice victims.
The disruptions are part of Meta’s efforts to remove malicious and inauthentic behavior from its platforms, and the company regularly takes down disinformation, cyberespionage, and other operations. In its most recent Adversarial Threat report, released Thursday, Meta said that the newly identified group from Iran was targeting companies in the energy, maritime, semiconductor, and telecom industries in several countries, including the United States, Israel, Russia, and Canada. The unnamed group relied on phishing and extensive social engineering to reach victims in those industries. Two of the group’s key tactics were spoofing the domains of legitimate companies and building a network of fake recruiting firms.
“This group took steps to conceal their activity and protect their malicious tools by embedding interactive features in them that would only send the malicious payload after the targets interacted with the attacker in real time. For example, an interview app would launch a built-in chat function for an attacker to supply a password to start an interview. When the target entered the password, it activated the delivery of the malware. A chess app also required a passcode, supplied by the hackers, to launch the game and the malware delivery,” the Meta report says.
The attack group used a handful of different custom malware tools in its operations, including a fake VPN app, an audio book reader, and a chat app.
“They developed malware on the VMware ThinApp virtualization platform, which allowed them to run it on many different systems and hold malicious payload back until the last minute, making malware detection more challenging. The final payload included full-featured remote-access trojans, capable of running commands on the target’s device, accessing and sending files, taking screenshots, and downloading and executing additional malware,” the report says.
The Meta researchers said that this group employed some tactics and techniques that are similar to the Tortoiseshell group. Tortoiseshell first emerged in 2019 and originally targeted IT companies in the Middle East. But last year Meta disrupted some of the group’s operations on its various platforms and said that its targeting had expanded to include defense and aerospace companies in Europe and the U.S.
The second group that Meta disrupted recently is known as UNC788 and is one of several well-known and prolific APT groups operating from Iran. Meta has taken action against the group in the past, as have Google and other major platform providers. UNC788’s recent activity on Meta’s platforms used typical phishing and social engineering tactics, along with fictitious personas and custom malware tools. “To compromise people’s accounts and devices, this group copied and modified a legitimate Android application — a birthday calendar app — so it could extract contact information and send it to the attacker’s remote server. They also developed remote access-capable malware for Android that disguised as a Quran, a chat app to retrieve people’s contacts list, text messages, files, location information, and activate camera and microphone,” Meta’s report says.
In addition to the pair of Iranian groups, Meta also disrupted the activities of a group in Azerbaijan that was targeting activists, journalists, and dissidents through phishing, credential theft, and influence operations.