Cybercriminals exploited Facebook for years to distribute Remote Access Trojans

• New research reveals that a large-scale campaign was underway for years that leveraged Facebook pages to spread malware.
• Attackers distributed popular remote access trojans such as Houdini, Remcos, and SpyNote through malicious links in these pages.

A large-scale campaign that used Facebook pages to spread malware has come to light recently. Experts from the Check Point Research team came across this campaign which is reported to have existed since at least 2014. The attackers mainly targeted victims from Libya as well as from Europe, the US, and China. Remote access trojans (RATs) such as Houdini, Remcos, and SpyNote were extensively used to compromise target machines.

The big picture

• The threat actors relied on Libya’s political unrest to lure victims into downloading malware from malicious links posted on several Facebook pages.
• One of the pages that impersonated Libyan National Army chief Khalifa Haftar, contained links to malicious VBE, WSF (for Windows systems), and APK (for Android devices) files that dropped malware upon downloading.
• The malware included mainly RATs such as Houdini, Remcos, and SpyNote, among others.
• Check Point Research found over 30 Facebook pages spreading links with malware since 2014.
• Some of the pages had more than 100,000 followers.
• These pages shared more than 40 malicious links altogether since its inception.
• Furthermore, attackers compromised some legitimate websites including a Russian site, an Israeli site, and a Moroccan news site.

Who were the targets?

Check Point experts suggest that the attackers mainly had Libyans as targets in mind. However, there were victims from Europe, the US, and Canada as well.

“The pages deal with different topics but the one thing they have in common is the target audience that they seem to be after: Libyans. Some of the pages impersonate important Libyan figures and leaders, others are supportive of certain political campaigns or military operations in the country, and the majority are news pages from cities such as Tripoli or Benghazi,” the researchers wrote in their blog.