How APT36 Hackers Work
According to the report, the group targeted multiple services on the Internet – from email providers to file-hosting services to social media. “APT36 used various malicious tactics to target people online, along with social engineering to infect their devices with malware. They used a mix of malicious and spoofed links and fake apps to deliver their malware targeting Android and Windows-running devices,” says the Meta report.
The Pakistan-based group created fictitious personas – posing as recruiters for both legitimate and fake companies, as military personnel, or as young women – in an effort to build trust with its targets. It distributed its malware in several ways, including from custom infrastructure, and also used common file-sharing services such as WeTransfer to host malware for short periods of time.
APT36 used fake versions of WhatsApp, YouTube, Google Drive and others
Meta found that in this recent operation APT36 also used trojanized (non-official) versions of WhatsApp, WeChat and YouTube, bundled with another commodity malware family referred to as Mobzsar or CapraSpy. The group also used link-shortening services to hide its malicious URLs.
It used social cards and preview sites – online marketing tools that customize the image displayed when a URL is shared on social media – to conceal the redirection to, and the ownership of, domains controlled by APT36. “Some of these domains masqueraded as photo-sharing websites or generic app stores, while others spoofed the domains of genuine companies, such as the Google Play Store, Microsoft OneDrive, and Google Drive,” the report said.
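The chain described above (shortener, then a preview or social-card site, then a lookalike landing domain) is what a defender has to unwind before the final host can be judged. The following is an added example, not code from Meta's report: it walks a redirect table standing in for live HTTP 30x responses, guards against loops and overlong chains, and flags a landing host that mentions a spoofed brand (Google Play, OneDrive, Google Drive) without being served from that brand's legitimate registrable domain. All hosts in the table are constructed (reserved `.example` names), the `BRANDS` allowlist is an assumption, and the registrable-domain helper deliberately ignores the Public Suffix List.

```python
"""Unwind a shortener -> preview-site -> landing chain and flag brand lookalikes.

Added example. REDIRECTS is a constructed stand-in for following Location
headers; in practice you would issue requests with redirects disabled and
read each hop yourself. None of the hosts below exist.
"""
from urllib.parse import urlsplit

# Constructed redirect table: source URL -> where it redirects.
REDIRECTS = {
    "https://short.example/x7Q": "https://card-preview.example/p?u=1",
    "https://card-preview.example/p?u=1": "https://drive-google-share.example/file.apk",
    "https://short.example/loop": "https://short.example/loop2",
    "https://short.example/loop2": "https://short.example/loop",
    "https://short.example/ok": "https://drive.google.com/file/d/abc",
}

# Assumed allowlist: brand keyword -> registrable domains that legitimately
# serve that brand. Extend for your environment.
BRANDS = {
    "google": {"google.com"},
    "onedrive": {"live.com", "microsoft.com"},
    "drive": {"google.com"},
    "play": {"google.com"},
}

MAX_HOPS = 10  # shorteners chain, but not this deep in legitimate use


def registrable_domain(host):
    """Last two labels of the host.

    Simplification for the example: real tooling should use the Public
    Suffix List so that names like example.co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def follow_chain(url, redirects=REDIRECTS):
    """Return (hops, final_url, status); status is 'ok', 'loop' or 'too_long'."""
    hops = [url]
    seen = {url}
    while hops[-1] in redirects:
        nxt = redirects[hops[-1]]
        if nxt in seen:
            return hops, hops[-1], "loop"
        if len(hops) >= MAX_HOPS:
            return hops, hops[-1], "too_long"
        hops.append(nxt)
        seen.add(nxt)
    return hops, hops[-1], "ok"


def brand_lookalike(url):
    """Return the spoofed brand keyword if the host name-drops a brand but is
    not served from that brand's legitimate registrable domain, else None."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    for keyword, legit in BRANDS.items():
        if keyword in host and reg not in legit:
            return keyword
    return None


def analyze(url):
    """Resolve the chain and summarise what a triage analyst wants to know."""
    hops, final, status = follow_chain(url)
    return {
        "final_url": final,
        "hops": len(hops) - 1,
        "status": status,
        "shortened": len(hops) > 1,
        "lookalike_brand": brand_lookalike(final),
    }


if __name__ == "__main__":
    for start in ("https://short.example/x7Q", "https://short.example/ok",
                  "https://short.example/loop"):
        print(start, "->", analyze(start))
```

The keyword match is intentionally loose: the report's point is that the hosts imitate a brand visually, so substring presence plus a registrable-domain mismatch is the useful signal, while a hit on `drive.google.com` or `play.google.com` is suppressed by the allowlist. A loop or an overlong chain is itself worth surfacing, since legitimate shorteners resolve in one or two hops.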
In several cases the group used a modified version of the commodity Android malware known as ‘XploitSPY’, which is available on GitHub. While ‘XploitSPY’ appears to have been originally developed by a group of self-described ethical hackers in India, APT36 modified it to produce a new variant called ‘LazaSpy’. “Both malware families are capable of accessing call logs, contacts, files, text messages, geolocation, device information, photos and enabling microphones,” the report said.
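Every capability in that quoted list maps to an Android permission the app must declare in its manifest, which gives a cheap first-pass check for a sideloaded APK pretending to be a video player or file-sharing client. The following is an added example, not from the report or from either malware project: it parses an AndroidManifest.xml (as dumped from an APK by a tool such as apktool), maps declared permissions back to the report's capability list, and flags an app whose claimed purpose does not justify that profile. The permission constants are the real AOSP names; the two manifests and the `threshold` value are constructed for the example.

```python
"""Triage an AndroidManifest.xml for the spyware capability set in the report.

Added example. The permission strings are genuine AOSP constants; the two
sample manifests below are constructed and the package names are fictitious.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Capabilities the report lists -> permissions an app needs to exercise them.
CAPABILITY_PERMISSIONS = {
    "call logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "files/photos": {"android.permission.READ_EXTERNAL_STORAGE"},
    "text messages": {"android.permission.READ_SMS",
                      "android.permission.RECEIVE_SMS"},
    "geolocation": {"android.permission.ACCESS_FINE_LOCATION",
                    "android.permission.ACCESS_COARSE_LOCATION"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "device info": {"android.permission.READ_PHONE_STATE"},
}


def declared_permissions(manifest_xml):
    """Set of <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.attrib[NAME_ATTR]
            for el in root.iter("uses-permission") if NAME_ATTR in el.attrib}


def spyware_capabilities(manifest_xml):
    """Capabilities from the report that this manifest's permissions enable."""
    perms = declared_permissions(manifest_xml)
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                  if perms & needed)


def triage(manifest_xml, threshold=4):
    """Flag the app when it can exercise at least `threshold` of the listed
    capabilities. The threshold is an assumption tuned for apps that claim to
    be simple media or file clients, not for messengers (see note)."""
    caps = spyware_capabilities(manifest_xml)
    pkg = ET.fromstring(manifest_xml).attrib.get("package", "")
    return {"package": pkg, "capabilities": caps,
            "suspicious": len(caps) >= threshold}


# Constructed manifest of a "video player" carrying the full capability set.
TROJANIZED_VIDEO_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Video Player"/>
</manifest>"""

# Constructed manifest of a video player that asks only for what it needs.
BENIGN_VIDEO_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Plain Player"/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (TROJANIZED_VIDEO_APP, BENIGN_VIDEO_APP):
        print(triage(manifest))
```

The check is only meaningful relative to what the app claims to be: a genuine messenger legitimately declares contacts, microphone, location and SMS, so a trojanized WhatsApp would not stand out on permissions alone. For those cases the stronger test is to compare the sideloaded APK's signing certificate and manifest against the official build rather than to score permissions in isolation.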