BladeHawk group: Android espionage in opposition to Kurdish ethnic group

BladeHawk group: Android espionage against Kurdish ethnic group

ESET researchers have investigated a cellular espionage marketing campaign that targets the Kurdish ethnic group and has been lively since a minimum of March 2020

ESET researchers have investigated a focused cellular espionage marketing campaign in opposition to the Kurdish ethnic group. This marketing campaign has been lively since a minimum of March 2020, distributing (by way of devoted Fb profiles) two Android backdoors referred to as 888 RAT and SpyNote, disguised as legit apps. These profiles seemed to be offering Android information in Kurdish, and information for the Kurds’ supporters. Among the profiles intentionally unfold extra spying apps to Fb public teams with pro-Kurd content material. Knowledge from a obtain web site signifies a minimum of 1,481 downloads from URLs promoted in just some Fb posts.

The newly found Android 888 RAT has been utilized by the Kasablanka group and by BladeHawk. Each of them used various names to check with the identical Android RAT – LodaRAT and Gaza007 respectively.

BladeHawk Android espionage

The espionage exercise reported right here is instantly linked to 2 publicly disclosed circumstances printed in 2020. QiAnXin Menace Intelligence Middle named the group behind these assaults BladeHawk, which we now have adopted. Each campaigns had been distributed by way of Fb, utilizing malware that was constructed with business, automated instruments (888 RAT and SpyNote), with all samples of the malware utilizing the identical C&C servers.


We recognized six Fb profiles as a part of this BladeHawk marketing campaign, sharing these Android spying apps. We reported these profiles to Fb they usually have all been taken down. Two of the profiles had been geared toward tech customers whereas the opposite 4 posed as Kurd supporters. All these profiles had been created in 2020 and shortly after creation they began posting these pretend apps. These accounts, aside from one, haven’t posted some other content material moreover Android RATs masquerading as legit apps.

These profiles are additionally liable for sharing espionage apps to Fb public teams, most of which had been supporters of Masoud Barzani, former President of the Kurdistan Area; an instance could be seen in Determine 1. Altogether, the focused teams have over 11,000 followers.

Determine 1. One of many Fb posts

In a single case, we noticed an try (Determine 2) to seize Snapchat credentials by way of a phishing web site (Determine 3).

Determine 2. Fb submit resulting in a Snapchat phishing web site

Determine 3. Snapchat phishing web site

We recognized 28 distinctive posts as a part of this BladeHawk marketing campaign. Every of those posts contained pretend app descriptions and hyperlinks to obtain an app, and we had been in a position to obtain 17 distinctive APKs from these hyperlinks. Among the APK internet hyperlinks pointed on to the malicious app, whereas others pointed to the third-party add service, which tracks the variety of file downloads (see Determine 4). Due to that, we obtained the entire variety of downloads from for these eight apps. These eight apps had been downloaded altogether 1,481 occasions, from July 20, 2020 till June 28, 2021.

Determine 4. Details about one RAT pattern hosted on a third-party service


To our information, this marketing campaign focused solely Android customers, with the menace actors centered on two business Android RAT instruments – 888 RAT and SpyNote. We discovered just one pattern of the latter throughout our analysis. Because it was constructed utilizing an outdated, already analyzed SpyNote builder, right here we embrace solely the evaluation of the 888 RAT samples.

Android 888 RAT

This business, multiplatform RAT was initially solely printed for the Home windows ecosystem for $80. In June 2018, it was prolonged within the Professional model with the extra functionality to construct Android RATs ($150). Later, the Excessive model may create Linux payloads as nicely ($200).

It was bought by way of the developer’s web site at 888-tools[.]com (see Determine 5).

Determine 5. Value for 888 RAT

In 2019 the Professional model (Home windows and Android) was discovered cracked (see Determine 6) and out there on a couple of web sites at no cost.

Determine 6. Cracked model of 888 RAT builder

888 RAT has not been instantly recognized with any organized campaigns earlier than; that is the primary time this RAT has been assigned as an indicator of a cyberespionage group.

Following this discovery, we had been in a position to join the Android 888 RAT to 2 extra organized campaigns: Spy TikTok Professional described right here and a marketing campaign by Kasablanka Group.


Android 888 RAT is able to executing 42 instructions acquired from its C&C server, as seen in Desk 1.

Briefly, it may steal and delete information from a tool, take screenshots, get machine location, phish Fb credentials, get a listing of put in apps, steal person images, take images, report surrounding audio and cellphone calls, make calls, steal SMS messages, steal the machine’s contact listing, ship textual content messages, and so forth.

The builder can be used because the C&C to regulate all of the compromised gadgets because it makes use of dynamic DNS to be reached by them.

Desk 1. Checklist of supported instructions

Command Performance
Unistxcr Show app particulars of specified app
dowsizetr Add file to server from /sdcard/DCIM/.dat/
DOWdeletx Delete file from /sdcard/DCIM/.dat/
Xr7aou Add binary file to server from /sdcard/DCIM/.dat/
Caspylistx Checklist information from /sdcard/DCIM/.dat/
spxcheck Examine whether or not name recording service is working
S8p8y0 Cease name recording service
Sxpxy1 Allow name recording service
screXmex Take screenshot and add to server
Batrxiops Get battery stage
L4oclOCMAWS Get machine location
FdelSRRT Delete file /sdcard/DCIM/.fdat (phished Fb credentials)
chkstzeaw Examine whether or not Fb app is put in
IODBSSUEEZ Add Fb credentials to C&C from /sdcard/DCIM/.fdat
GUIFXB Launch Fb phishing exercise
osEEs Get requested permissions of the desired utility
LUNAPXER Launch particular utility
Gapxplister Get listing of functions put in on the machine
DOTRall8xxe Compress information in /sdcard/DCIM/.dat/ listing and add them to C&C
Acouxacour Get all machine accounts
Fimxmiisx Take photograph from digital camera and add it to C&C
Scxreexcv4 Get details about machine cameras
micmokmi8x File surrounding audio for the desired time
DTXXTEGE3 Delete particular file from /sdcard listing
ODDSEe Open particular URL in default browser
Yufsssp Get Exif data from particular media file
getsssspo Get information about whether or not a particular file exists on machine
DXCXIXM Get names of all images saved in /sdcard/DCIM/
f5iledowqqww Add particular file from /sdcard/ listing
GExCaalsss7 Get name logs from machine
SDgex8se Checklist information from particular listing from /sdcard
PHOCAs7 Make name to specified quantity
Gxextsxms Get SMS inbox
Msppossag Ship SMS message to specified quantity
Getconstactx Get contacts
Rinxgosa Play ringtone for six seconds
Shetermix Execute shell command
bithsssp64 Execute shell script
Deldatall8 Cleanup, take away all /sdcard/DCIM/.dat information
pvvvoze Get IP tackle
paltexw Get TTL from PING command
M0xSSw9 Show particular Toast message to person

An essential issue when figuring out 888 RAT is the package deal title of the payload. The package deal title of each construct of an Android payload shouldn’t be customized or random; it at all times makes use of the com.instance.dat.a8andoserverx package deal ID. Due to this, it’s simple to determine such samples as 888 RAT.

In later variations of the 888 RAT (not the cracked RAT builder), we observed that the builder was able to obfuscating strings (command strings, C&C, and different plain textual content strings) by encrypting them utilizing AES with a hardcoded key; nonetheless, the package deal title nonetheless remained the identical.


888 RAT makes use of a customized IP protocol and port (it doesn’t should be commonplace ports). Compromised gadgets are managed instantly from the builder GUI.

Fb phishing

When this performance is triggered, 888 RAT will deploy phishing exercise that seems to be coming from the legit Fb app. When the person faucets on the latest apps button, this exercise will appear legit, as seen in Determine 7. Nevertheless, after an extended press on this app’s icon, as in Determine 8, the true app title liable for the Fb login request is disclosed.

Determine 7. Phishing request seen from the latest app menu

Determine 8. Actual utility title liable for phishing


Since 2018, ESET merchandise have recognized lots of of situations of Android gadgets the place the 888 RAT was deployed. Determine 9 presents the nation distribution of this detection information.

Determine 9. Detection of Android 888 RAT by nation


This espionage marketing campaign has been lively since March 2020 aiming solely at Android gadgets. It focused the Kurdish ethnic group by way of a minimum of 28 malicious Fb posts that might lead potential victims to obtain Android 888 RAT or SpyNote. A lot of the malicious Fb posts led to downloads of the business, multiplatform 888 RAT, which has been out there on the black market since 2018. In 2019, a cracked copy of the Professional model of the 888 RAT builder was made out there from a couple of web sites, and since then, we detected lots of of circumstances all world wide utilizing the Android 888 RAT.


Information and ESET detection names

SHA-1 Detection title
87D44633F99A94C9B5F29F3FE75D04B2AB2508BA Android/Spy.Agent.APU
E47AB984C0EC7872B458AAD803BE637F3EE6F3CA Android/Spy.Agent.APG
9A8E5BAD246FC7B3D844BB434E8F697BE4A7A703 Android/Spy.Agent.APU
FED42AB6665649787C6D6164A6787B13513B4A41 Android/Spy.Agent.APU
8E2636F690CF67F44684887EB473A38398234430 Android/Spy.Agent.APU
F0751F2715BEA20A6D5CD7E9792DBA0FA45394A5 Android/Spy.Agent.APU
60280E2F6B940D5CBDC3D538E2B83751DB082F46 Android/Spy.Agent.APU
F26ADA23739366B9EBBF08BABD5000023921465C Android/Spy.Agent.APU
4EBEED1CFAC3FE5A290FA5BF37E6C6072A6869A7 Android/Spy.Agent.APU
A15F67430000E3F6B88CD965A01239066C0D23B3 Android/Spy.Agent.BII
425AC620A0BB584D59303A62067CC6663C76A65D Android/Spy.Agent.APU
4159E3A4BD99067A5F8025FC59473AC53E07B213 Android/Spy.Agent.APU
EF9D9BF1876270393615A21AB3917FCBE91BFC60 Android/Spy.Agent.APU
231296E505BC40FFE7D308D528A3664BFFF069E4 Android/Spy.Agent.APU
906AD75A05E4581A6D0E3984AD0E6524C235A592 Android/Spy.Agent.APU
43F36C86BBD370884E77DFD496FD918A2D9E023D Android/Spy.Agent.APU
8B03CE129F6B1A913B6B143BB883FC79C2DF1904 Android/Spy.Agent.APU

Fb profiles


Fb teams




MITRE ATT&CK methods

This desk solely covers TTPs for 888 RAT, and was constructed utilizing model 9 of the ATT&CK framework.

Tactic ID Identify Description
Preliminary Entry T1444 Masquerade as Respectable Software The 888 RAT impersonates legit functions.
Persistence T1402 Broadcast Receivers The 888 RAT listens for the BOOT_COMPLETED broadcast, guaranteeing that the app’s performance will probably be activated each time the machine begins.
Protection Evasion T1508 Suppress Software Icon The 888 RAT hides its icon.
T1447 Delete Machine Knowledge The 888 RAT can delete gathered and short-term saved information and some other particular file.
Credential Entry T1411 Enter Immediate The 888 RAT tries to phish Fb credentials.
Discovery T1418 Software Discovery The 888 RAT obtains a listing of put in apps.
T1420 File and Listing Discovery The 888 RAT identifies content material of particular directories.
Assortment T1433 Entry Name Log The 888 RAT exfiltrates name log historical past.
T1430 Location Monitoring The 888 RAT retrieves machine location.
T1432 Entry Contact Checklist The 888 RAT exfiltrates the sufferer’s contact listing.
T1429 Seize Audio The 888 RAT can report audio from environment and calls.
T1512 Seize Digital camera The 888 RAT can take footage from the entrance or rear cameras.
T1412 Seize SMS Messages The 888 RAT can exfiltrate despatched and acquired SMS messages.
T1533 Knowledge from Native System The 888 RAT exfiltrates information with specific extensions from exterior media.
T1513 Display screen Seize The 888 RAT can take screenshots.
Command And Management T1509 Uncommonly Used Port The 888 RAT communicates with its C&C over port 4000.
Impression T1582 SMS Management The 888 RAT adversary can ship SMS messages.
T1447 Delete Machine Knowledge The 888 RAT can delete attacker-specified information from the machine.


Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts