| SilentSelfie | |
|---|---|
| Type of Malware | Infostealer |
| Targeted Countries | Iran |
| Date of Initial Activity | 2022 |
| Motivation | Data Theft |
| Type of Information Stolen | Personally Identifiable Information (PII) |
| Attack Vectors | Web Browsing |
| Targeted Systems | Android |
Overview
In early 2024, a sophisticated cyber espionage campaign, named SilentSelfie, was uncovered, revealing a widespread watering hole attack against Kurdish websites. This campaign, which had been running undetected for over a year, involved the compromise of 25 Kurdish websites with the aim of harvesting sensitive data from unsuspecting users. The attackers used a series of malicious scripts embedded within these websites to carry out reconnaissance and surveillance activities, targeting users with specific characteristics. The scripts ranged from simple geolocation tracking to more advanced techniques, such as activating users’ webcams and redirecting them to malicious APK downloads. Despite the lack of high-level exploits like zero-day vulnerabilities, the scale and persistence of the attack make it a notable example of how cyber attackers can leverage common web technologies for long-term surveillance.
What makes SilentSelfie particularly alarming is the scale of the operation and the subtlety of its tactics. The first signs of the attack date back to the end of 2022, yet it remained largely unnoticed until early 2024. The attackers took advantage of trusted websites within the Kurdish community to quietly deploy their malicious scripts, which were designed to run automatically when users visited compromised pages. Over time, these scripts became increasingly sophisticated, moving from simple location-tracking mechanisms to more complex forms of surveillance, such as webcam image capture and device profiling. The attack was well-orchestrated, with different variants of the malicious code being deployed across multiple websites, making detection and mitigation efforts more difficult.
Targets
Individuals
Information
How they operate
The campaign began with a relatively simple form of data collection, involving the location-tracking of website visitors. The initial variant, identified on seventeen different websites, used a minimalistic JavaScript script to collect a user’s geographical location upon page load. When a user accessed a compromised website, the script called the gL() (getLocation) function, which prompted the browser to retrieve and share the user’s location. The obtained data was then sent to a PHP script hosted on the compromised website’s server. This form of data collection was passive, relying on users’ willingness to grant location permissions and was designed to blend into the normal browsing experience.
As the campaign evolved, the attackers deployed more complex versions of the script. One of the key upgrades involved adding a tracking mechanism that stored a unique cookie on the victim’s device. This cookie, named sessionIdVal, allowed the attackers to track the same user across different visits to compromised websites for an extended period. The cookie was associated with a PHP script hosted on a third-party domain, ronahi[.]video, which enabled the attackers to gather users’ IP addresses and link them to specific locations. By tracking visitors over multiple browsing sessions, the attackers were able to create detailed profiles of their targets, which could be used for further surveillance or intelligence gathering.
The most sophisticated variant, which appeared later in the campaign, introduced browser configuration checks and webcam access. This version of the script was capable of detecting whether a user was visiting the site via a mobile device such as an iPhone, iPad, or Android phone. Once the user was identified as a target, the script retrieved not only the user’s geolocation but also other device information, including local IP address, battery status, screen resolution, and the device’s network connection. A significant escalation came when the script used the navigator.mediaDevices.getUserMedia() API to access the user’s selfie camera. This allowed the attackers to capture images from the user’s webcam without explicit consent, a violation of basic privacy standards. These images were encoded in Base64 and transmitted to the attacker’s server, further building the target’s profile.
In addition to this, the script used the WebRTC protocol to retrieve the user’s local IP address and the navigator API to gather data on the device’s battery status and other system details. After collecting this information, it would send everything—including the webcam images—back to the PHP script for storage and further analysis. For the most advanced attack stages, the attackers also redirected selected users to download a malicious APK file. This Android application posed a threat by potentially compromising the victim’s device, enabling further exploitation.
Despite the absence of zero-day vulnerabilities, the SilentSelfie campaign exhibited a high degree of technical sophistication, with attackers utilizing a blend of browser features and social engineering tactics. They avoided detection by using obfuscation tools like Obfuscator.io to hide the script’s true nature and to make it harder for security systems to analyze the malicious code. The attackers also demonstrated persistence by repeatedly updating the malicious scripts and keeping them active across multiple Kurdish websites. This multi-stage, low-profile attack strategy allowed the campaign to collect intelligence over an extended period, likely for geopolitical or intelligence-gathering purposes.
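The script variants described above (geolocation prompt, mobile check, sessionIdVal cookie, ronahi[.]video call-back, WebRTC, getUserMedia, Obfuscator.io output) share a recognisable capability mix that a website owner can look for in their own pages. The following static triage scanner is an added example, not code from the report or from the campaign; the indicator regexes, their weights and the threshold are assumptions, and the two sample pages are constructed.

```python
import re

# Indicator table built from the behaviours described in the SilentSelfie report.
# name: (regex over script source, weight). Weights and patterns are assumptions.
INDICATORS = {
    "geolocation":     (r"navigator\.geolocation\.(getCurrentPosition|watchPosition)", 1),
    "mobile_check":    (r"\b(iPhone|iPad|Android)\b", 1),
    "battery":         (r"navigator\.getBattery", 1),
    "webrtc_local_ip": (r"\bRTCPeerConnection\b", 2),
    "obfuscator_io":   (r"\b_0x[0-9a-f]{4,}\b", 2),   # identifier style typical of Obfuscator.io (assumed)
    "webcam":          (r"navigator\.mediaDevices\.getUserMedia", 3),
    "tracking_cookie": (r"sessionIdVal", 3),          # cookie name from the report
    "c2_domain":       (r"ronahi\.video", 3),         # third-party domain from the report
}
SUSPICION_THRESHOLD = 6  # assumed: a lone geolocation call is normal; webcam plus tracking is not

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

def extract_scripts(html):
    """Return the bodies of all inline <script> blocks in an HTML page."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]

def scan_script(source):
    """Map each indicator found in one script body to its weight."""
    return {name: weight for name, (pattern, weight) in INDICATORS.items()
            if re.search(pattern, source)}

def risk_score(source):
    return sum(scan_script(source).values())

def is_suspicious(source, threshold=SUSPICION_THRESHOLD):
    return risk_score(source) >= threshold

def scan_page(html):
    """Score every inline script on a page; return (worst score, that script's hits)."""
    worst = {}
    for body in extract_scripts(html):
        hits = scan_script(body)
        if sum(hits.values()) > sum(worst.values()):
            worst = hits
    return sum(worst.values()), worst

# Constructed sample pages: a legitimate store locator vs. a SilentSelfie-style capability mix.
BENIGN_PAGE = """<html><body><script>
function locate(){navigator.geolocation.getCurrentPosition(showNearestStore);}
document.getElementById('find-store').addEventListener('click', locate);
</script></body></html>"""
SUSPICIOUS_PAGE = """<html><body><p>news</p><script>
var _0x4a1b=['video','sessionIdVal'];
function gL(){navigator.geolocation.getCurrentPosition(send);}
if(/iPhone|iPad|Android/i.test(navigator.userAgent)){
  navigator.mediaDevices.getUserMedia({video:true});
  new RTCPeerConnection({iceServers:[]});
  document.cookie=_0x4a1b[1]+'='+id;
}
</script></body></html>"""
```

Run `scan_page` over each page served from the site (including fetched copies of linked external scripts) and alert when the score crosses the threshold or when the report's fixed indicators (sessionIdVal, ronahi.video) appear at all.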
In conclusion, the SilentSelfie campaign provides a troubling example of how cyber attackers can utilize basic web technologies to conduct highly targeted surveillance on specific user groups. The attackers relied on a series of increasingly complex malicious scripts to gather geolocation data, track user activity across different websites, and even capture webcam images from unsuspecting victims. The operation’s success highlights the need for increased awareness and vigilance regarding web-based threats, particularly those targeting minority communities and vulnerable populations. As web technologies evolve, so too will the tactics used by cyber attackers, making it imperative for both users and website owners to adopt stronger security practices to defend against such sophisticated espionage campaigns.