Facebook Removes Accounts That Spread Malware to Thousands of People
Links to Android and Windows malware caught the researchers' attention when they found them in a Facebook post purporting to come from Marshal Khalifa Haftar, commander of the Libyan National Army. The fake account, created in early April and followed by more than 11,000 subscribers, claimed to publish documents showing countries such as Qatar and Turkey conspiring against Libya, as well as photos of pilots captured while trying to bomb Tripoli. Another post promised a mobile application that would let Libyans join the country’s armed forces.
According to the security company Check Point, most of the links point to VBScripts, Windows script files and Android applications deemed dangerous. The payloads include variants of the open-source remote administration tools Houdini, Remcos and SpyNote. Most of the tools are hosted on file-sharing services such as Google Drive, Dropbox and Box.
The fake Haftar page is riddled with typos, spelling mistakes and grammatical errors. The spelling errors in particular gave Check Point researchers a high degree of confidence that the content was written by Arabic speakers, because translation engines converting text from another language do not produce errors of that kind.
It’s just the beginning
While looking for other sources that made the same mistakes, the researchers found more than 30 Facebook pages, some of them active since 2014, spreading the same malicious links. The five most popular pages were followed by more than 422,000 Facebook accounts, as listed below:
- Official Libya – 51,000
- Libya my people – 110.4k
- Crimes in Libya – 63.9k
- Emad-al-Trabilsi official page – 139.5k
- Dignity Urgent – 61.7k
The attacker used URL-shortening services to generate the links. This allowed Check Point researchers to determine how many times a given link was clicked and from which geographic area. Most links received thousands of clicks, mostly around the time they were created and shared. The data also shows that Facebook pages were the most common source of the links, indicating that the attacker relied on social media as the medium for the campaign. Most of the clicks came from Libya, although some infected machines were also located in Europe, the United States and Canada.
Almost all of the malware examined over the five-year span communicated with the command-and-control servers drpc.duckdns[.]org and libya-10[.]com[.]ly. A Whois lookup revealed that the latter domain was registered to someone using the email address firstname.lastname@example.org. The same email address was used to register other domains, including dexter-ly.space and dexter-ly.com.
The name “Dexter Ly” led the researchers to another Facebook account. This new account repeated the same typographical errors found on the earlier pages, leading the researchers to assess with confidence that all of the pages are the work of the same person or group. The newly discovered account also openly shared details of the malicious campaign, including screenshots of the interfaces used to manage infected devices.
Monday’s post revealed that Facebook had removed the pages and accounts after Check Point researchers privately reported the campaign.
“These Pages and accounts violated our policies and we took them down after Check Point reported them to us,” Facebook officials said in a statement. “We are continuing to invest heavily in technology to keep malicious activity off Facebook, and we encourage people to remain vigilant about clicking on suspicious links or downloading untrusted software.”
The statement does not explain why Facebook did not detect the campaign on its own.
“Although the set of tools which the attacker utilized is not advanced nor impressive per se, the use of tailored content, legitimate websites and highly active pages with many followers made it much easier to potentially infect thousands of victims,” the researchers wrote. “The sensitive material shared in the ‘Dexter Ly’ profile implies that the attacker has managed to infect high profile officials as well.”
Although the campaign has been disrupted, its persistence clearly shows how effective such operations can be even with modest resources.