According to a brand new research, Facebook has been leveraged for years to spread Trojans in the likes of Houdini, Remcos, and Spynote. All of the threats allow remote access and could spy on users’ activities.
Check Point researchers revealed a large-scale campaign dubbed Tripoli that took advantage of Facebook to distribute remote access Trojans since at least 2014. The campaign targeted primarily victims from Libya, Europe, the United States, and China. The Trojans were spread with the help of malicious links in pages.
It seems that the tense political situation in Libya is useful to some, who use it to lure victims into clicking links and downloading files that are supposed to inform about the latest airstrike in the country, or the capturing of terrorists, but instead contain malware, Check Point wrote.
Researchers Discovered a Facebook Page Impersonating Khalifa Haftar
The researchers’ investigation was initiated when they came across a Facebook page impersonating the commander of Libya’s National Army, Khalifa Haftar, who has had major roles as a military leader in the country’s ongoing civil war.
The Facebook page impersonated Haftar and was created at the beginning of April 2019. It successfully managed to recruit more than 11,000 followers. Moreover, the page shared politically-themed posts and included URLs to download files that supposedly contained leaks from Libya’s intelligence units.
The description in the posts claims that those leaks contain documents exposing countries such as Qatar or Turkey conspiring against Libya, or photos of a captured pilot that tried to bomb the capital city of Tripoli. Some of the URLs were even supposed to lead to mobile applications that are intended for citizens interested in joining the Libyan armed forces.
Tracing this page, the researchers not only got to the attacker who was responsible for it but also determined that the campaign has been going on for years. This means that countless legitimate websites were compromised to host malware and successfully infected thousands of victims withHoudini, Remcos, or Spynote remote access Trojans.
Fortunately, Facebook took down the compromised pages and the accounts that were behind the malicious distribution.