Facebook has been a favored platform for attackers wishing to target specific groups of people for many years now, and though the company has made moves to rein in malicious activity on the platform, threat actors are always finding nooks and crannies to hide in. A recent campaign, discovered and dismantled by researchers, that pushed Windows and Android malware through a network of Facebook pages targeting users in Libya shows how simple it can be in some cases for attackers to push their wares on vulnerable users.
The malware campaign employed an extensive network of Facebook pages and other resources, some of which were set up in the name of a prominent Libyan military figure, Khalifa Haftar, the commander of the Libyan army. Researchers at Check Point discovered a Facebook page purporting to be operated by Haftar that was created in April. The page had more than 11,000 followers and published posts that included links, supposedly to leaked intelligence material. Those links actually led to downloads for malware targeting Android devices or Windows machines.
“The threat actor opted for open source tools instead of developing their own, and infected the victims with known remote administration tools (RATs) such as Houdini, Remcos, and SpyNote, which are often used in run-of-the-mill attacks,” Check Point’s analysis says.
“In our case, the malicious samples would usually be stored in file hosting services such as Google Drive, Dropbox, Box and more.”
The researchers discovered a pattern of grammatical errors and misspellings in the Facebook posts as well as on a blog that used Haftar’s name. The errors displayed a specific group of mistakes, and the Check Point team was able to identify more than 30 other Facebook pages with some of the same content that also were spreading the links leading to malware. All of the pages had content targeting Libyans.
“Looking at the activity over the years, it seems that the threat actor gained access to some of the pages after they were created and operated by the original owners for a while (perhaps by compromising a device belonging to one of the administrators). The pages deal with different topics but the one thing they have in common is the target audience that they seem to be after: Libyans. Some of the pages impersonate important Libyan figures and leaders, others are supportive of certain political campaigns or military operations in the country, and the majority are news pages from cities such as Tripoli or Benghazi,” Check Point’s analysis says.
“In total, there are more than 40 unique malicious links used by the attacker over the years, which were shared in those pages. When visualizing the connections between the pages and the URLs used in different phases of this operation, we found that the malicious activity was highly intertwined as many of the links were spread by more than one page.”
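The two pivots described above, clustering pages by a shared spelling "fingerprint" and by malicious links that more than one page posted, can be reproduced on a small scale. The following is an added example written for this article, not Check Point's tooling; the posts, page names, misspellings and URLs are all constructed placeholders.

```python
from collections import defaultdict
import re

# Constructed sample posts: (page_id, post_text). URLs are placeholders, not real indicators.
POSTS = [
    ("page_A", "Leaked documnets from the goverment: https://drive.example.invalid/file1"),
    ("page_A", "Intelligence report availble here https://box.example.invalid/rpt"),
    ("page_B", "Exclusive documnets! https://drive.example.invalid/file1"),
    ("page_C", "Tripoli news: road closed near government building"),
    ("page_C", "Download the full report: https://box.example.invalid/rpt"),
    ("page_D", "Benghazi weather update, sunny all week"),
]

# Misspellings seen on the seed page (constructed); these form the spelling fingerprint.
SEED_TYPOS = {"documnets", "goverment", "availble"}

URL_RE = re.compile(r"https?://\S+")

def page_to_urls(posts):
    """Map each page to the set of URLs it has shared."""
    out = defaultdict(set)
    for page, text in posts:
        out[page].update(URL_RE.findall(text))
    return out

def shared_links(posts):
    """URLs pushed by more than one page: the 'intertwined' links of the campaign."""
    url_pages = defaultdict(set)
    for page, urls in page_to_urls(posts).items():
        for url in urls:
            url_pages[url].add(page)
    return {url: sorted(pages) for url, pages in url_pages.items() if len(pages) > 1}

def typo_signature(posts, typos):
    """Which of the seed misspellings each page reproduces."""
    sig = defaultdict(set)
    for page, text in posts:
        words = set(re.findall(r"[a-z]+", text.lower()))
        sig[page].update(words & typos)
    return sig

def linked_pages(posts, typos, min_typos=1):
    """Pages tied to the seed cluster by a shared typo, then widened via shared URLs."""
    sig = typo_signature(posts, typos)
    linked = {page for page, s in sig.items() if len(s) >= min_typos}
    # Pivot: a page with clean spelling still joins if it posted a link a linked page posted.
    for pages in shared_links(posts).values():
        if any(page in linked for page in pages):
            linked.update(pages)
    return sorted(linked)
```

Here page_C has no misspellings but is pulled into the cluster because it shared a link with page_A, while page_D stays out.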
The malware campaign carried on for several years and the researchers were able to determine that some of the malicious links were clicked several thousand times each. The attackers also utilized some compromised websites in Morocco and Russia, as well as the site of a Libyan mobile carrier, to host the malware they were delivering. All of the malware samples used the same command-and-control server, and the Check Point researchers were able to dig into the WHOIS records and other information to find an email address and a personal Facebook page that appear to belong to the attacker behind the campaign, who used the handle Dexter Ly.
“This account repeated the same typos that we have observed in the involved pages, enabling us to assess with high confidence that this is the same person that wrote the posts’ content. The account also openly shared almost every aspect of this malicious activity, including screenshots from the panels where the victims were managed,” Check Point’s analysis says.
“The attacker shared sensitive information they were able to get their hands on from infecting victims. This included secret documents belonging to Libya’s government, exchanged e-mails, phone numbers belonging to officials and even pictures of the officials’ passports.”
Check Point’s team shared its findings with Facebook security officials, who were able to take down the pages involved in the campaign.