SilentSelfie: Exposing a Major Campaign Targeting Kurdish Websites

In early 2024, Sekoia TDR uncovered a large watering-hole campaign targeting Kurdish websites, deploying four variants of a malicious script that could collect location data, capture selfies, and even prompt APK installs. The campaign traces back to late 2022, shows low sophistication, and appears to involve an emerging threat actor not linked to known intrusion sets.

Keypoints

  • The Sekoia Threat Detection & Research team was alerted to a suspicious script on a Kurdish website in early 2024.
  • 25 Kurdish websites were found compromised by four distinct variants of the malicious script.
  • Variant 1 simply extracts the user’s location; Variant 4 prompts selected users to install a malicious Android APK.
  • The campaign began in late 2022 and remained active for over a year before being noticed.
  • No use of sophisticated techniques like zero-day exploits; indicators point to a lower level of sophistication.
  • The TTPs do not match known intrusion sets, suggesting an emerging, previously unknown activity cluster targeting the Kurdish community.

MITRE Techniques

  • [T1203] User Execution – Variant 4 of the script prompts selected visitors to install a malicious Android APK.
  • [T1003] Credential Dumping
  • [T1219] Remote Access Software
  • [T1213] Data from Information Repositories

Indicators of Compromise

  • [Compromised Website] The Kurdish watering-hole ecosystem includes multiple sites such as orkesfm[.]com and rojnews[.]news, hosting four variant scripts used to gather intelligence.
  • [IP Address] 23.95.14[.]63, 170.75.161[.]102 — infrastructure used to funnel data from victims.
  • [Domain] webmail.onlinearuba[.]net, ronahi[.]video — domains involved in data exfiltration and token handling.
  • [File Hash] 7ff9e87f8c8ea10e6aa688c491c81283, 6c75d5f31fe386a1ec94b85cfb7f873b2e100062 — hashes associated with the RojNews APK variant.
  • [File Name] ms-menu.php, wo_cookie.php, wo_cookies.php — web server files referenced in the watering-hole chain.
  • [Yara Rule] apt_SilentSelfie_Rojnews_application_apk, apt_SilentSelfie_WateringHole_variant_one — detection rules tied to the campaign artifacts.

Read more: https://blog.sekoia.io/silentselfie-uncovering-a-major-watering-hole-campaign-against-kurdish-websites/