A widespread malware campaign, ongoing since 2014, was using Facebook accounts and posts to spread malware through URL links.

Facebook has shut down more than 30 accounts spreading malware through malicious links that purport to be news about the ongoing political situation in Libya. The campaign, ongoing since 2014, has infected tens of thousands of victims with remote access trojans (RATs), according to researchers.

The campaign, dubbed “Operation Tripoli,” took advantage of the political situation in Libya to lure victims into clicking links that claimed to be Libya-related news. The links purported to be information about news like the latest airstrike in the country or the capturing of terrorists, but instead, contained malware. It’s important to note that Facebook itself wasn’t breached – however, the hack points to how social media platforms can be abused to launch malware attacks, researchers said.

“Although the set of tools which the attacker utilized is not advanced nor impressive per se, the use of tailored content, legitimate websites and highly active pages with many followers made it much easier to potentially infect thousands of victims,” said Check Point researchers in a Monday analysis of the campaign. “The sensitive material shared in the ‘Dexter Ly’ profile implies that the attacker has managed to infect high profile officials as well.”

The campaign successfully infected tens of thousands of victims mainly from Libya, but also in Europe, the United States and Canada said researchers. Facebook has since shut down the pages and accounts that were distributing the malware as part of the campaign.

The Campaign

Researchers said that they first spotted the campaign after coming across a Facebook page impersonating the commander of Libya’s National Army, Khalifa Haftar, who is a prominent figure in Libya’s political arena. The page, created April 2019, has more than 11,000 followers, and shares post with political themes.

These posts include URLs to download files marketed as leaks from Libya’s intelligence units – but in reality the links lead to websites that ultimately attempted to download remote access trojans (RATs) Houdini, Remcos and SpyNote.

“The description in the posts claims that those leaks contain documents exposing countries such as Qatar or Turkey conspiring against Libya, or photos of a captured pilot that tried to bomb the capital city of Tripoli,” said researchers. “But instead of the promised content in the posts, the links would download malicious VBE or WSF files for Windows environments, and APK files for Android.”

Researchers estimate the 30 Facebook accounts have been spreading malicious links since at least 2014 – some of which are extremely popular and are followed by more than 100,000 users.

“The pages deal with different topics but the one thing they have in common is the target audience that they seem to be after: Libyans,” said researchers. “Some of the pages impersonate important Libyan figures and leaders, others are supportive of certain political campaigns or military operations in the country, and the majority are news pages from cities such as Tripoli or Benghazi.”

Researchers said that the malicious samples would usually be stored in file hosting services such as Google Drive, Dropbox, Box and more. While most of the malicious files were stored in services such as Google Drive, sometimes the attacker would compromise legitimate websites and host malicious files on them, including a Russian website, an Israeli website, and a Moroccan news website.

Researchers also noted that warning signs did exist in the Facebook pages that were part of the campaign: For instance, the attacker made a slew of grammatical and Arabic spelling errors in posts.

The Attacker

Researchers tracked down the command and control (C2) server behind the applications and VBE scripts (encoded Visual Basic Script file extension) shared by the Facebook page they found. The domain of the server was drpc.duckdns[.]org and resolved to an IP address linked to another website: libya-10[.]com[.]ly. From there, researchers found that someone under the alias “Dexter Ly,” was registered to both the domains. They assessed “with high confidence” that this was the main threat actor behind the campaign.

“Although the attacker does not endorse a political party or any of the conflicting sides in Libya, their actions do seem to be motivated by political events,” researchers said. “This is juxtaposed with the constant targeting of Libyan victims but might mean that the attacker is after certain individuals within the larger crowd.”

Malicious Content on Facebook

While the accounts linked to the campaign have since been removed, researchers said that the incident shows how more bad actors are turning to social media to spread malware.

In May 2018, a malware campaign was found rapidly spreading via Facebook and infecting victims’ systems to steal their social media credentials and download cryptomining code. And in December 2018, researchers identified a new type of malware that receives instructions via hidden code embedded in memes posted to Twitter.

Despite that, Facebook is looking to crack down on malicious content, including political influence campaigns, malware-laced links and more.

“These Pages and accounts violated our policies and we took them down after Check Point reported them to us,” a Facebook spokesperson told Threatpost. “We are continuing to invest heavily in technology to keep malicious activity off Facebook, and we encourage people to remain vigilant about clicking on suspicious links or downloading untrusted software.”