Check Point Research recently came across a large-scale campaign that has used Facebook pages for years to spread malware for mobile and desktop environments, with one target country in mind: Libya.
The tense political situation in Libya appears to serve the attackers well: they use it to lure victims into clicking links and downloading files that supposedly report on the latest airstrike in the country or the capture of terrorists, but that instead contain malware.
Check Point's investigation started when they came across a Facebook page impersonating the commander of Libya’s National Army, Khalifa Haftar. In addition to being a Field Marshal, Haftar is a prominent figure in Libya’s political arena and has had major roles as a military leader in the country’s ongoing civil war.
Through this Facebook page, Check Point was able to trace this malicious activity all the way down to the attacker responsible for it, and find out how they have been taking advantage of the social networking platform for years, compromising legitimate websites to host malware, and at the end, successfully making their way to tens of thousands of victims mainly from Libya but also in Europe, the United States and Canada.
Based on information Check Point shared, Facebook took down the pages and accounts that distributed the malicious artifacts belonging to this operation.
In the Name of Haftar
The Facebook page impersonating Khalifa Haftar was created at the beginning of April 2019, and has since managed to recruit more than 11,000 followers. The page shares posts which have political themes, and include URLs to download files marketed as leaks from Libya’s intelligence units.
The description in the posts claims that those leaks contain documents exposing countries such as Qatar or Turkey conspiring against Libya, or photos of a captured pilot that tried to bomb the capital city of Tripoli.
Some of the URLs were even supposed to lead to mobile applications intended for citizens interested in joining the Libyan armed forces.
But instead of the promised content in the posts, the links would download malicious VBE or WSF files for Windows environments, and APK files for Android.
The threat actor opted for open source tools instead of developing their own, and infected the victims with known remote administration tools (RATs) such as Houdini, Remcos, and SpyNote, which are often used in run-of-the-mill attacks.
Grammatical Mistakes and Giveaways
Another warning sign about the legitimacy of the page was the number of grammatical mistakes found in almost every post. Haftar’s name was not the only thing misspelled on the Facebook page: the posts included many misspelled words, missing letters and repeated typos in Arabic.
Most of those mistakes are repetitive, and some of the posts use words which do not exist in Arabic, because the originally intended ones are missing certain letters (for example “Pove” instead of “Prove”). Those spelling mistakes are not ones that can be generated by online translation engines, and can indicate that the text was written by an Arabic speaker.
Looking up some combinations of the incorrect phrasing led the researchers to numerous posts across a network of Facebook pages that repeat the same unique mistakes. Those pages appeared to be operated by the same threat actor, and they revealed an ongoing widespread operation that has been targeting Libyans, and people interested in Libya’s politics, for years.
By looking up the unique mistakes, Check Point was able to find more than 30 Facebook pages that have been spreading malicious links since at least 2014. Some of those pages are extremely popular, have been active for many years, and are followed by more than 100K users.
In total, there are more than 40 unique malicious links used by the attacker over the years, which were shared in those pages.
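The pivot described above, from one page's recurring misspellings to the wider network, can be reproduced as a simple attribution heuristic. The following is an added example, not code from Check Point's report: the page names, post texts and reference vocabulary are constructed, and the misspellings ("pove", "intelligance") stand in for the repeated Arabic typos the researchers actually used.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample data: page name -> list of post texts (not real posts).
POSTS = {
    "page_a": ["Leaked documents pove Qatar conspiring against Libya",
               "Photos of captured pilot, download now"],
    "page_b": ["New leak from intelligance units pove Turkey plot",
               "Join the armed forces app"],
    "page_c": ["Documents pove the conspiracy, intelligance leak inside"],
    "page_d": ["Weather in Tripoli today is sunny"],
}

# Constructed reference vocabulary; a real run would use a full dictionary
# of the posts' language so that only genuine misspellings fall through.
VOCAB = set(("leaked documents qatar conspiring against libya photos of captured "
             "pilot download now new leak from units turkey plot join the armed "
             "forces app weather in tripoli today is sunny conspiracy inside").split())


def fingerprint(texts):
    """Tokens of a page's posts that are absent from VOCAB: its 'unique mistakes'."""
    tokens = set()
    for text in texts:
        tokens.update(w for w in re.findall(r"[a-z]+", text.lower()) if w not in VOCAB)
    return tokens


def link_pages(posts, min_shared=1):
    """Pairs of pages sharing at least min_shared unusual tokens, with those tokens."""
    fps = {page: fingerprint(texts) for page, texts in posts.items()}
    links = {}
    for a, b in combinations(sorted(fps), 2):
        shared = fps[a] & fps[b]
        if len(shared) >= min_shared:
            links[(a, b)] = shared
    return links


def clusters(posts, min_shared=1):
    """Connected components over the shared-mistake links: candidate operator groups."""
    parent = {p: p for p in posts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in link_pages(posts, min_shared):
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for p in posts:
        groups[find(p)].add(p)
    return sorted(groups.values(), key=lambda s: sorted(s))
```

Raising `min_shared` requires several coinciding mistakes before two pages are linked, which cuts down on pages that merely share a single common typo.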