How Hackers are spreading Remote Access Trojans via Multiple Facebook Pages



The infamous remote access trojans SpyNote and Remcos are reported to have been actively distributed since 2014 through Facebook pages tied to hackers based in Libya, infecting targeted systems with malware hidden in links posted by the pages.

The links were made tempting to click by claiming that they contained leaked intelligence reports; a page run in the name of Libya’s national army commander, Khalifa Haftar, was found to be the focal point for spreading the malware.

According to Check Point researchers, the malware was hosted on public services including Dropbox and Google Drive, and no single page was responsible for spreading it: the operation involved a network of different but similar campaigns running on numerous platforms.

Through the Khalifa Haftar Facebook page, the researchers were able to trace the malicious activity back to the attacker and to learn how the attacker had been abusing social networking platforms and compromising legitimate websites to host malware, reaching thousands of victims, mainly in Europe, the United States and Canada.

Although the Facebook page impersonating Khalifa Haftar was only created in April 2019, it has since attracted more than 11,000 followers, sharing politically themed posts that include URLs for downloading files marketed as leaks from Libya’s intelligence units.

Notably, the attackers opted for open source tooling and infected victims with known remote administration tools (RATs) such as Remcos and SpyNote, which are often used in run-of-the-mill attacks. Over 40 unique malicious links were employed by the attacker over the years, many of them shared from the pages.

The connections between the pages and the URLs used in the different phases of the operation show that the malicious activities were highly intertwined, as many of the links were spread by more than one page.

Facebook has again and again confirmed its perceived inability to contain malicious activity carried out via its platform, even though it has launched several programs to tackle the problem. Social networking sites have become a favoured lure for identity scams, a development that has taken up much of the security community's attention in recent years, alongside incessant privacy issues.