{"id":40551,"date":"2021-04-22T02:11:34","date_gmt":"2021-04-22T02:11:34","guid":{"rendered":"http:\/\/1fe814bb-52bd-41bd-9030-33c36e883926"},"modified":"2021-04-22T02:11:34","modified_gmt":"2021-04-22T02:11:34","slug":"facebook-uncovers-palestinian-government-officials-targeted-with-malware","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/facebook-uncovers-palestinian-government-officials-targeted-with-malware\/","title":{"rendered":"Facebook uncovers Palestinian government officials targeted with malware"},"content":{"rendered":"

Facebook has published new findings that unveil two Palestinian organisations have been running cyberespionage campaigns against government officials, student groups, and security forces.<\/p>\n

The two groups both used fake and compromised social media accounts posing primarily as young women, and also as Fatah or Hamas supporters, various military groups, journalists, and activists to build trust with people in order to trick them into installing malicious software.<\/p>\n

According to Facebook, one group dubbed as Arid Viper has been linked to the cyber arm of Hamas. Meanwhile, the other is linked to the Palestinian Preventive Security Service (PSS), one of the security arms of Palestine, where the current president is a member of the Fatah party. Fatah and Hamas have been engaged in a civil war since 2006.<\/p>\n

Publishing a threat report<\/a> [PDF] of Arid Viper’s activity, Facebook said the threat actor used fully functional custom iOS surveillanceware that was capable of stealing sensitive user data from iPhones without requiring the devices to be jailbroken. <\/p>\n

The surveillanceware, labelled as Phenakite, was trojanised inside fully functional chat applications that used the open-source RealtimeChat code for legitimate reasons. This malware could also direct victims to phishing pages for Facebook and iCloud in order to steal credentials for those services. As this process used legitimate developer certificates, iOS devices did not need to be jailbroken to be surveilled. <\/p>\n

While Phenakite did not require a jailbreak for installation, once on a device, it needed to adhere to the usual operating system security controls that prevent access to sensitive information from unauthorised applications. To circumvent that, Phenakite came bundled with the publicly available Osiris jailbreak and the Sock Port exploit, which meant that Phenakite was capable of using Osiris to jailbreak all 64-bit devices on iOS 11.2 to 11.3.1 or the Sock Port exploit to extend this to devices running iOS 10.0 to 12.2 <\/p>\n

If the Osiris jailbreak was successful, Phenakite could then retrieve photos from the camera roll, take images with the device camera, retrieve contacts, silently record audio, access documents and text messages, and upload WhatsApp data. <\/p>\n

<\/section>\n

The Android malware deployed by Arid Viper, meanwhile, required victims to install apps from third-party sources on their devices. The group used hundreds of attacker-controlled sites, along with the aforementioned fake social media accounts, to create the impression that the apps were legitimate in order to convince victims into installing them. <\/p>\n

The trojanised chat applications in both Android and iOS were primarily pretending to be dating apps. <\/p>\n

\"facebook-arid-viper.png\"<\/span>