Facebook has been exploited to act as a distribution platform for a set of Remote Access Trojans (RATs) for years, researchers say.
According to Check Point Research, a "large-scale" campaign built around Libyan politics has been operating under Facebook's radar since at least 2014.
The aim of the operation has been to spread RATs including Houdini, Remcos, and SpyNote. Tens of thousands of victims from Libya, Europe, the US, and China are believed to have been compromised.
The threat actor behind the campaign has used the political turmoil in Libya to their advantage. Libya's National Army commander, Khalifa Haftar, has been impersonated for years and a page apparently operated by the public figure was actually a central point for the distribution of malware.
The page impersonating Haftar was created in April 2019 and has since attracted over 11,000 followers. Posts were shared with political themes and links claiming to share leaked intelligence reports and material, but if someone interested in Libyan politics clicked on the URLs, they would instead be sent to malicious content.
Malicious VBE and WSF files for Windows machines, as well as malware-laden APK files for the Android mobile operating system, would then be downloaded and, once executed, would install a Trojan.
The malware was hosted on public services including Google Drive, Box, and Dropbox.
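The delivery pattern described above, a script or APK payload pulled from a consumer file-sharing service after a click on a social-media link, is something a defender can look for in outbound proxy logs. The following is an added example written for this article, not code from Check Point or from the article itself: it flags downloads whose filename carries a `.vbe`, `.wsf` or `.apk` extension from Google Drive, Box or Dropbox hosts. The log layout, the host list and the sample log lines are all constructed assumptions; the filename may also sit only in a `Content-Disposition` header the proxy did not record, which this URL-only check cannot see.

```python
"""
Added detection example (not from Check Point's report or the article):
flag proxy-log entries in which a client fetches a Windows script (VBE/WSF)
or an Android package (APK) from a consumer file-sharing service.
The log format, host list and sample lines are assumptions for this demo.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# File types the article says the campaign delivered (compared lower-case).
RISKY_EXTENSIONS = (".vbe", ".wsf", ".apk")

# Registrable domains of the sharing services named in the article
# (assumed list; a subdomain such as www.dropbox.com also matches).
SHARING_DOMAINS = (
    "drive.google.com",
    "app.box.com",
    "dropbox.com",
    "dropboxusercontent.com",
)

# Assumed proxy-log layout: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log (not real traffic). The first Drive line exposes no
# filename in the URL and is deliberately missed by this URL-only check.
SAMPLE_LOG = [
    "2019-06-30T10:01:02Z 10.0.0.5 GET https://drive.google.com/uc?export=download&id=EXAMPLEID 200",
    "2019-06-30T10:02:10Z 10.0.0.5 GET https://dl.dropboxusercontent.com/s/abc123/leaked_report.pdf.vbe 200",
    "2019-06-30T10:03:44Z 10.0.0.9 GET https://app.box.com/shared/static/xyz.wsf 200",
    "2019-06-30T10:04:00Z 10.0.0.12 GET https://www.dropbox.com/s/qqq/football_tv.apk?dl=1 200",
    "2019-06-30T10:05:00Z 10.0.0.7 GET https://example.org/files/tool.apk 200",
    "2019-06-30T10:06:00Z 10.0.0.7 GET https://www.dropbox.com/s/zzz/notes.pdf 200",
    "2019-06-30T10:07:00Z 10.0.0.3 GET https://app.box.com/index.php?download=1&filename=invoice.VBE 200",
]


def is_sharing_host(host):
    """True if host is one of the sharing domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SHARING_DOMAINS)


def candidate_filenames(url):
    """Last path segment plus common filename query parameters, URL-decoded."""
    parsed = urlparse(url)
    names = [unquote(parsed.path.rsplit("/", 1)[-1])]
    query = parse_qs(parsed.query)
    for key in ("filename", "file", "name"):
        names.extend(query.get(key, []))
    return [n for n in names if n]


def risky_extension(filename):
    """Return the matching risky extension, or None. Catches double
    extensions such as report.pdf.vbe because only the final suffix counts."""
    lower = filename.lower()
    for ext in RISKY_EXTENSIONS:
        if lower.endswith(ext):
            return ext
    return None


def scan_proxy_log(lines):
    """Return one alert dict per log line that downloads a risky file type
    from a sharing host. Lines that do not match the assumed layout are skipped."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        url = match.group("url")
        host = urlparse(url).hostname or ""
        if not is_sharing_host(host):
            continue
        for name in candidate_filenames(url):
            ext = risky_extension(name)
            if ext:
                alerts.append({
                    "ts": match.group("ts"),
                    "client": match.group("client"),
                    "host": host,
                    "file": name,
                    "ext": ext,
                })
                break  # one alert per line is enough
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['client']} fetched {alert['file']} from {alert['host']}")
```

Four of the seven constructed lines are flagged: the `.vbe` double-extension download, the `.wsf` from Box, the `.apk` from Dropbox with a query string, and the upper-case `.VBE` named only in a query parameter. The `example.org` APK is ignored because the rule is scoped to sharing hosts, and the Drive `uc?export=download` line shows the blind spot: when the URL names no file, the proxy's recorded `Content-Disposition` header or the downloaded object's magic bytes are the next thing to check.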
Check Point says that the discovery of this single page revealed a web of other pages, groups, and accounts, both on and off the social networking platform, that were used to spread malware.
Over 30 Facebook pages have been spreading approximately 40 malicious links since 2014 and one of them has managed to secure a substantial following with over 100,000 users. The researchers note that it is possible the threat actor behind the malware spread may have seized control of some of the most popular pages from their original owners.
In order to avoid any suspicion, the pages in question would also publish legitimate content, most commonly related to news in Libya. Occasionally, other content -- such as download links to fake applications for watching football matches for free or malicious VPN services -- would also be released.
Check Point traced the attacker through a command-and-control (C2) server used to host and share malicious payloads and eventually came across "Dexter Ly," an avatar and Facebook account which the team says is likely the campaign operator.
Clues in typographical errors and shared posts led the researchers to forge the connection with "high confidence."
Dexter Ly appears to have been involved in cyberattacks designed to steal confidential information relating to Libya in the past, including emails between government officials and passport data. The attacker is also believed to have been part of OpSyria, a campaign launched against Libyan officials by Anonymous.
While the campaign is focused on Libya, the team does not believe any strong element of hacktivism is presently in play; rather, the topics were chosen mainly to spread malware.
"Although the attacker does not endorse a political party or any of the conflicting sides in Libya, their actions do seem to be motivated by political events," Check Point says. "This might mean that the attacker is after certain individuals within the larger crowd."
Check Point made Facebook aware of its findings into this vast campaign and the connected pages and accounts have since been removed.
A Facebook spokesperson told ZDNet:
"These Pages and accounts violated our policies and we took them down after Check Point reported them to us. We are continuing to invest heavily in technology to keep malicious activity off Facebook, and we encourage people to remain vigilant about clicking on suspicious links or downloading untrusted software."