Research from Check Point has shown that a large-scale hacking campaign is tied to political events in Libya.
The campaign's goal was to spread remote access trojans (RATs), in particular Houdini, Remcos and SpyNote. According to the researchers, the victims came mainly from Libya, Europe, the USA and China, and tens of thousands of systems are estimated to have been affected.
The hacker behind the campaign exploited the political upheaval in Libya. They ran a Facebook page purporting to belong to Khalifa Haftar, commander of the Libyan National Army, and used it to distribute the malware.
The page, created in April 2019, was convincing enough to attract more than 11,000 followers of Haftar. Its posts were usually political and contained links to reports and material allegedly leaked about Libyan affairs. Anyone who opened the links was in fact led to malicious content.
The links delivered malicious VBE and WSF files to Windows users and malicious APKs to Android users. Running these files in turn installed a Trojan.
The malware was hosted on public file-sharing services such as Google Drive, Box and Dropbox.
After discovering this page, the researchers found many other pages, groups and accounts, both on and off Facebook, that were also being used to distribute malware.
On Facebook alone, more than 30 pages had shared about 40 malicious links since 2014, and one of them reached more than 100,000 users.
Researchers believe the attacker may have taken control of some popular, legitimate pages and used them for their own ends.
To avoid suspicion, the attacker also posted legitimate news about Libya. Interspersed with that legitimate content were links leading to fake applications and malicious services.
Researchers traced the attacker through a command-and-control (C2) server that hosted and distributed the malicious payloads. This led them to "Dexter Ly", a Facebook account owned by the hacker.
Dexter Ly appears to have taken part in other attacks aimed at stealing confidential information about Libya.
"Although the attacker does not support a political party or any of the opposing sides in Libya, his actions appear to be motivated by political events," the investigators said. "This may mean that the attacker is targeting specific individuals."
The researchers reported their findings to Facebook, and the platform removed all the relevant pages and accounts.
A Facebook spokesman said:
"These pages and accounts violated our policies, so we removed them after the Check Point researchers reported them. We try to keep malicious activity away from Facebook and encourage people to stay alert and not click suspicious links."