Facebook Takes Down Pages Loaded With Malware
Campaign Targeted Those Interested in Libyan Politics
Malicious actors are increasingly using social media platforms to spread malware to unsuspecting victims.
In the latest case, Facebook removed more than 30 pages from its platform after security analysts with Check Point Research found that a hacker created fake pages about Libyan politics and took over other pages related to Libya, then loaded all those pages with malware. The hacker apparently was attempting to steal data as well as conduct espionage, researchers say.
This campaign, dubbed "Operation Tripoli," was first discovered earlier this year, but it appears to have started as early as 2014, according to a Check Point blog posted this week.
The Check Point researchers tracked the campaign to an actor calling himself "Dexter Ly," who appears to have favored using off-the-shelf, open source remote access Trojans, such as Houdini, Remcos and SpyNote, to infect victims who clicked on links embedded in real and fake Facebook pages. The phony pages, with names such as "Official Libya," "Libya My People," and "Crimes in Libya," contained a mix of fact and fiction about the ongoing civil war and political situation in Libya, written in English and Arabic, according to Check Point.
Some of the fake links used in these Facebook pages purported to contain sensitive government documents related to the upheaval in Libya as well as news from around the country, according to Check Point.
Although the ultimate goal of this campaign is not clear, Dexter Ly appears to have combined stealing user data for financial gain with nation-state espionage, Lotem Finkelsteen, the threat intelligence group manager for Check Point, tells Information Security Media Group.
"The extent of the campaign and the nature of the off-the-shelf info stealers used in these attacks teach us that Dexter Ly was after credentials for online services and personal documents - classic e-crime," Finkelsteen says. "However, his bragging about high-profile victims and his access to top-secret documents of the Libyan government and diplomacy teaches us that he was also very interested in collecting sensitive information that can be associated with traditional espionage campaigns."
Fake Facebook Accounts
The investigation of Operation Tripoli started earlier this year after Check Point researchers stumbled across a fake Facebook page for Khalifa Haftar, commander of Libya's National Army. At the time, the account, which was created in April, had about 11,000 followers.
The real Haftar is deeply involved in the country's ongoing civil war and day-to-day politics, but the fake Facebook page that Check Point researchers found contained numerous misspellings and grammatical mistakes as well as links to what was advertised as secret government documents and other information, including phony applications to join the Libyan army.
The Check Point analysis of the campaign found malicious Visual Basic Editor or Windows Script File files for Windows machines, or Android Package files for Android users, which would download the various Trojans that the attacker used during his five-year campaign.
In most cases, the actor would store malicious samples on cloud-storage services such as Google Drive, Dropbox, Box and others for use on the fake Facebook pages. At other points, however, Dexter Ly took over legitimate websites and legitimate Facebook pages that had an interest in Libyan current affairs and spread malware from there, Check Point found.
By examining the various mistakes and language used on the fake Haftar page, Check Point researchers found the other Facebook pages associated with the Dexter Ly persona. The research also showed how the actor would post new articles and other items to give each page a fresh and updated look to keep users coming back.
These Facebook pages had about 100,000 users over the course of the last five years, according to Check Point.
After conducting its research, Check Point contacted Facebook, which has since pulled down all the pages and is investigating, a Facebook spokesperson tells ISMG.
"These pages and accounts violated our policies, and we took them down after Check Point reported them to us," the Facebook spokesperson says. "We are continuing to invest in technology to keep malicious activity off Facebook, and we encourage people to remain vigilant about clicking on suspicious links or downloading untrusted software."
Although the main targets for this campaign were Libyans, the Check Point research showed that the Trojans were downloaded by Facebook users in the U.S., Canada and Europe, according to the blog. Because the person behind the campaign used link shortening services, it's impossible to estimate how many users clicked the links - and not every click created a malicious download, Check Point says.
As part of the research, Check Point also located the command-and-control server used by Dexter Ly by tracing back some of the Visual Basic Script file extensions. The command-and-control server, dubbed "drpc.duckdns[.]org," led to another website called "libya-10[.]com[.]ly."
It's through these addresses that researchers found a site and a Facebook page registered to the Dexter Ly persona, who appears to be from Libya, according to Check Point. The researchers also found documents and screenshots from the victims, the blog says.
This episode is just the latest to show how attackers are using social media to help spread malware as part of campaigns.
In May, for example, Facebook issued a warning to users of its WhatsApp messaging app to apply an update to fix a flaw that was being used to remotely install surveillance software (see: Attackers Exploit WhatsApp Flaw to Auto-Install Spyware).
Check Point's Finkelsteen says the lure of using social media as part of an ongoing malicious campaign is obvious: A minimal effort can pay great dividends for attackers.
He notes, however, that Facebook and other social platforms are getting better at taking down infected pages faster.
"There are many attempts to use social networks to spread malware; it is just a natural development of the cyber threat landscape,” Finkelsteen says.