Libyan hacker used Facebook platform to distribute trojans for years

Security experts uncovered Facebook accounts that pushed malware to tens of thousands of people for the past five years

The Facebook campaign delivered malware that accessed the data of tens of thousands of users.

The Facebook platform was used to spread malware that gave attackers access to sensitive user data.[1] This is one of the biggest malware campaigns to plague the Facebook social network and, according to Check Point researchers, it had been active for the past five years.[2]

A suspected Libyan hacker distributed malware to mobile and desktop devices and gained access to the private information of victims who were tricked into clicking links and downloading files posted on fraudulent Facebook pages and groups.

Reportedly, the primary motivations of the malicious actor were financial gain and political propaganda. The plot was firmly tied to Libya and its affairs: victims were mainly from Libya, and the campaign itself was built on fake news about the country.[3]

Such news and topics appeared in various groups, on pages and on profiles across the social network; posts included messages, photos, hyperlinks, direct downloads of mobile applications, and even content inviting readers to join armed forces. Infections were nevertheless also spotted in the US, Europe, and China.

The malicious activity was spotted thanks to a fake account impersonating the commander of Libya's National Army, Field Marshal Khalifa Haftar. According to the Operation Tripoli report, the account had more than 11 000 followers:

Our investigation started when we came across a Facebook page impersonating the commander of Libya’s National Army, Khalifa Haftar. Through this Facebook page we were able to trace this malicious activity all the way down to the attacker responsible for it and find out how they have been taking advantage of the social networking platform for years, compromising legitimate websites to host malware and, in the end, successfully made their way to tens of thousands of victims.

Malicious links delivered malware such as Houdini, SpyNote, or Remcos

The links in the fake Facebook posts led victims to Windows Script Files, VBScripts, and malicious Android APKs which, once executed, downloaded and installed the trojan payload. The payloads included various open-source remote administration tools and other malware such as Houdini, SpyNote, and Remcos. The latter has been used in cyber attacks before, for example in the phishing attack[4] in Iceland that we reported on previously.[5]
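Added example (not code from the Check Point report or from 2-spyware): a small Python triage routine that flags shared links whose target file is one of the dropper types named above. Because the campaign hosted its payloads on compromised but otherwise legitimate websites, domain reputation alone would miss them; looking at the file type behind the link is a cheap first filter. The extension lists, the .vbe/.js/.hta additions, and all sample URLs are assumptions constructed for illustration, not indicators from the report.

```python
"""Triage links shared in social-media posts for first-stage droppers.

Added example for this article, not code from Check Point or 2-spyware.
The extension lists and the sample URLs are constructed for illustration.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# First-stage file types the campaign used, per the report: Windows Script
# Files, VBScript, and Android APKs. .vbe (encoded VBScript), .js and .hta
# are added as assumptions: common Windows script droppers a triage rule
# should catch as well.
DROPPER_EXTENSIONS = {
    ".wsf": "Windows Script File",
    ".vbs": "VBScript",
    ".vbe": "encoded VBScript",
    ".js": "JScript",
    ".hta": "HTML Application",
    ".apk": "Android package",
}

# Document/media extensions a dropper might hide behind ("report.pdf.wsf").
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".jpg", ".jpeg", ".png", ".mp4"}


def classify_link(url: str) -> dict:
    """Return a verdict dict for one shared URL.

    Only the file name in the URL path is examined. The query string and
    fragment are stripped first, so 'x.APK?dl=1' is still caught, and
    percent-encoding is decoded, so 'report%2Epdf.vbe' is recognised as a
    double extension.
    """
    parts = urlsplit(url.strip())
    name = posixpath.basename(unquote(parts.path))
    stem, ext = posixpath.splitext(name.lower())
    verdict = {"url": url, "filename": name, "kind": None, "reasons": []}

    if ext in DROPPER_EXTENSIONS:
        verdict["kind"] = DROPPER_EXTENSIONS[ext]
        verdict["reasons"].append(f"executable script/package extension {ext}")
        _, inner = posixpath.splitext(stem)
        if inner in DECOY_EXTENSIONS:
            verdict["reasons"].append(f"double extension masquerading as {inner}")
        if parts.scheme == "http":
            verdict["reasons"].append("delivered over plain HTTP")
    return verdict


def triage(urls):
    """Return verdicts only for URLs that point at a dropper file type."""
    return [v for v in (classify_link(u) for u in urls) if v["kind"]]


# Constructed sample links, modelled on the campaign's pattern of hosting
# payloads on compromised but otherwise legitimate sites. Not real IOCs.
SAMPLE_LINKS = [
    "http://news-site.example/wp-content/uploads/haftar_statement.wsf",
    "https://archive.example.org/files/Leaked%20report.pdf.vbe",
    "https://cdn.example.net/app/libya_news.APK?dl=1",
    "https://news-site.example/photos/pilot.jpg",
    "https://news-site.example/article/123",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_LINKS):
        print(f"{v['filename']:>25}  {v['kind']:<20}  {'; '.join(v['reasons'])}")
```

Run stand-alone, it lists the three dropper links with the reasons they were flagged; the .jpg and the extensionless article URL pass through. In practice the same function would be fed the link targets extracted from page or group posts, with the file-type verdict used to decide what gets pulled into a sandbox.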

As soon as the fraudulent Khalifa Haftar account was spotted, the team began an investigation that revealed multiple other related fraudulent Facebook pages. Some had been active since 2014, while others were created as recently as 2019. Over that time, more than 130 000 people followed these malicious profiles.

Industry giant Facebook cooperated closely with the researchers to delete 40 Facebook pages that had tricked more than 50 000 people into installing Remote Access Trojans and other malware this year alone.

Sensitive Libya-themed posts lured people into giving access to their private details

Some of the malicious Facebook posts included photos of the pilot who tried to bomb the capital, Tripoli, while others showed leaked reports from Libya's intelligence units. The trojans delivered through these links and download pages gained access to people's photos, passport numbers, identity cards, and other personal information. Unfortunately, the harvested data was later made public by the hackers.

Users could, however, recognise malicious posts by their grammar mistakes, typos, and other errors, which are common indicators that an account is fake.[6] The investigation went on to track these spelling and grammatical mistakes, which the researchers found in almost every post, across the various accounts. Unique spelling and translation errors were what helped to determine that the suspected hacker is an Arabic speaker, as the blog post stated:

Those spelling mistakes are not ones that can be generated by online translation engines, and can indicate that the text was written by an Arabic speaker.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
