Threat actors are increasingly exploiting websites to carry out various cyberattacks, and they do so by leveraging vulnerabilities in web applications and user behavior.
The most common tactics are phishing, where attackers deceive users into revealing sensitive information, and drive-by downloads, which infect systems without user consent when they visit compromised sites.
Sekoia researchers recently found a malicious campaign, dubbed “SilentSelfie,” in which threat actors exploited 25 websites to deploy a malicious Android application.
SilentSelfie Exploited 25 Websites
In early 2024, cyber security researchers at the Threat Detection & Research team of Sekoia discovered a sophisticated cyber espionage campaign targeting “Kurdish communities.”
In total, 25 compromised websites were identified, employing four variants of malicious “JavaScript code” to gather intelligence.
These scripts ranged from simple location trackers to complex frameworks. These malicious tools accessed users’ selfie cameras and redirected selected targets to install a malicious “APK.”
This sophisticated campaign, “SilentSelfie,” has been active since late 2022. It has used “watering hole attacks” and “a covert Android app” masquerading as a ‘news application.’
This app beaconed user locations and executed commands with the help of a hidden “LocationHelper” service to collect system information, contacts, and files, Sekoia added.
To hide their code, the attackers used obfuscation tools such as Obfuscator.io and ProGuard. They also used WebRTC for IP address discovery and cookies for user tracking.
The campaign's infrastructure has two key elements: the compromised web servers and dedicated attacker-controlled servers. To evade detection, communication occurs via PHP scripts.
The attacks were attributed to groups like StrongPity, but the TTPs of this campaign didn’t match known threat actors.
This scenario shows the possible emergence of a previously unidentified APT group targeting Kurdish interests.
21 Kurdish websites were targeted by a “watering hole” campaign across various sectors like ‘media outlets,’ ‘political organizations,’ and ‘militant groups.’
The compromised websites were primarily associated with “Rojava” (North-East Syria), “YPG forces,” and “far-left Turkish-Kurdish political entities.”
The attack used malicious JavaScript injections to display fake update prompts that tricked visitors into downloading compromised Android apps and then granting them ‘camera’ and ‘GPS’ permissions.
The threat actors then exploited these apps and permissions to exfiltrate sensitive data (precise location coordinates and facial images).
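The behaviours described above (obfuscated injected script, WebRTC, cookies, camera and GPS access, APK delivery) can be turned into a quick audit of the scripts a site serves. The following is an added example, not Sekoia's tooling or code from the campaign; the patterns, the 0.2 threshold and both sample scripts are constructed assumptions.

```javascript
// Added example: heuristic audit of a script served by your own site.
// Patterns and thresholds are assumptions based on the behaviours listed above.
const CAPABILITIES = [
  { id: "camera",      re: /\bgetUserMedia\b/ },
  { id: "geolocation", re: /\b(?:getCurrentPosition|watchPosition)\b/ },
  { id: "webrtc",      re: /\bRTCPeerConnection\b/ },
  { id: "cookie",      re: /\bdocument\s*\.\s*cookie\b/ },
  { id: "apk-link",    re: /\.apk\b/i },
];

// Obfuscator.io-style output renames identifiers to "_0x" + hex digits.
// Returns the share of identifier tokens that follow that naming scheme.
function obfuscationRatio(source) {
  const idents = source.match(/\b[A-Za-z_][\w$]*/g) || [];
  if (idents.length === 0) return 0;
  const hexNamed = idents.filter((n) => /^_0x[0-9a-f]{3,}$/i.test(n)).length;
  return hexNamed / idents.length;
}

// Flags a script when obfuscation coincides with a sensitive capability,
// or when three or more sensitive capabilities appear together.
function auditScript(name, source) {
  const capabilities = CAPABILITIES.filter((c) => c.re.test(source)).map((c) => c.id);
  const obfuscated = obfuscationRatio(source) >= 0.2; // assumed threshold
  const sensitive = capabilities.filter((c) => c !== "cookie").length;
  const flagged = (obfuscated && sensitive >= 1) || sensitive >= 3;
  return { name, capabilities, obfuscated, flagged };
}

// Constructed sample: a legitimate store-locator snippet.
const SAMPLE_BENIGN = `
function showNearestOffice(map) {
  navigator.geolocation.getCurrentPosition(function (pos) {
    map.centerOn(pos.coords.latitude, pos.coords.longitude);
  });
}`;

// Constructed sample: shaped like obfuscated output, not taken from the campaign.
const SAMPLE_SUSPECT = `
var _0x3fa1 = ['getUserMedia', 'user', 'update.apk'];
function _0x51c2(_0x2b9e) { return _0x3fa1[_0x2b9e]; }
var _0x7d10 = new RTCPeerConnection();
navigator.mediaDevices[_0x51c2(0)]({ video: { facingMode: _0x51c2(1) } });
`;

console.log(auditScript("locator.js", SAMPLE_BENIGN));
console.log(auditScript("unknown.js", SAMPLE_SUSPECT));
```

A flagged script is a prompt to compare it against the version in source control; string-array encoding in obfuscated code can hide API names, so a clean result is not proof of integrity.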
Moreover, the campaign remained undetected for over 18 months despite multiple on-screen notifications.
While attribution is not easy, the culprits include Turkish intelligence services, Syrian government agencies, and the Kurdistan Regional Government of Iraq. Iran and Russia are less likely candidates.
The simplistic nature of the incidents, such as the use of basic obfuscation methods and the absence of complex malware, suggests the involvement of an emerging threat actor or one with limited capabilities.
Notable compromised sites included ‘RojNews,’ ‘YPG Rojava,’ and websites affiliated with ‘DHKP-C’ and ‘PAJK.’
The broad scope and duration of the campaign show the ongoing cyber threats faced by “Kurdish organizations” and the need for enhanced security measures in the region.