Operation TripoliJuly 1, 2019
Check Point Research recently came across a large-scale campaign that for years was using Facebook pages to spread malware across mobile and desktop environments, with one target country in mind: Libya.
It seems that the tense political situation in Libya is useful to some, who use it to lure victims into clicking links and downloading files that are supposed to inform about the latest airstrike in the country, or the capturing of terrorists, but instead contain malware.
Our investigation started when we came across a Facebook page impersonating the commander of Libya’s National Army, Khalifa Haftar. In addition to being a Field Marshal, Haftar is a prominent figure in Libya’s political arena and has had major roles as a military leader in the country’s ongoing civil war.
Through this Facebook page we were able to trace this malicious activity all the way down to the attacker responsible for it and find out how they have been taking advantage of the social networking platform for years, compromising legitimate websites to host malware and, in the end, successfully made their way to tens of thousands of victims mainly from Libya, but also in Europe, the United States and Canada.
Based on information we shared, Facebook took down the pages and accounts that distributed the malicious artifacts belonging to this operation.
In the Name of Haftar
The Facebook page impersonating Khalifa Haftar was created at the beginning of April 2019, and has since managed to recruit more than 11,000 followers. The page shares posts which have political themes, and include URLs to download files marketed as leaks from Libya’s intelligence units.
The description in the posts claims that those leaks contain documents exposing countries such as Qatar or Turkey conspiring against Libya, or photos of a captured pilot that tried to bomb the capital city of Tripoli.
Some of the URLs were even supposed to lead to mobile applications that are intended for citizens interested in joining the Libyan armed forces:
But instead of the promised content in the posts, the links would download malicious VBE or WSF files for Windows environments, and APK files for Android.
The threat actor opted for open source tools instead of developing their own, and infected the victims with known remote administration tools (RATs) such as Houdini, Remcos, and SpyNote, which are often used in run-of-the-mill attacks.
In our case, the malicious samples would usually be stored in file hosting services such as Google Drive, Dropbox, Box and more.
Outside of Facebook
The username in the page’s web address (@kalifhafatr) misspells Haftar’s name, and looking it up online leads to a Blogger account with the same name. This account has been active since 2015, and manages multiple blog pages:
The most recent blog published by this account also uses Haftar’s name and downloads a malicious VBE automatically when accessed:
Grammatical Mistakes and Giveaways
Another warning sign about the legitimacy of the page was the amount of grammatical mistakes that were found in almost every post. Haftar’s name was not the only thing misspelled in the Facebook page, as the posts included many misspelled words, missing letters and repeated typos in Arabic. Below is one of the posts from the page, with all of the grammatical mistakes highlighted:
Most of those mistakes are repetitive, and some of the posts use words which do not exist in Arabic, because the originally intended ones are missing certain letters (for example “Pove” instead of “Prove”). Those spelling mistakes are not ones that can be generated by online translation engines, and can indicate that the text was written by an Arabic speaker.
Looking up some combinations of the incorrect phrasing led us to numerous posts across a network of Facebook pages that repeat the same unique mistakes. Those pages appeared to be operated by the same threat actor, and they revealed an ongoing widespread operation that has been after Libyans and people who are interested in Libya’s politics for years.
A Wide Network of Facebook Pages
By looking up the unique mistakes, we were able to find more than 30 Facebook pages that have been spreading malicious links since at least 2014. Some of those pages are extremely popular, have been active for many years, and are followed by more than 100K users. Below are the five most popular Facebook pages that used in this attack, and the amount of followers each one has:
Looking at the activity over the years, it seems that the threat actor gained access to some of the pages after they were created and operated by the original owners for a while (perhaps by compromising a device belonging to one of the administrators).
The pages deal with different topics but the one thing they have in common is the target audience that they seem to be after: Libyans. Some of the pages impersonate important Libyan figures and leaders, others are supportive of certain political campaigns or military operations in the country, and the majority are news pages from cities such as Tripoli or Benghazi.
In total, there are more than 40 unique malicious links used by the attacker over the years, which were shared in those pages. When visualizing the connections between the pages and the URLs used in different phases of this operation, we found that the malicious activity was highly intertwined as many of the links were spread by more than one page:
Since the attacker used URL shortening services (bit.ly, goo.gl, tinyurl, etc.), we could tell how many people exactly clicked on each link. In certain cases, we were even able to see which country those users came from, and which environment they used. The majority of the URLs had thousands of clicks, mostly around the time they were created and shared:
The referrers to these URLs are mainly domains that belong to Facebook, which can indicate that the social network is the most common infection vector used in this attack:
Although a click does not mean a successful infection, it did support our suspicion regarding the targeting of this campaign and confirmed that most of the affected users were indeed from Libya; however, there were victims from Europe, the U.S. and Canada as well. The following screenshot shows the statistics from one link which was clicked approximately 6,500 times, 5,120 out of which came from Libya:
Libyan Politics 101
To engage the followers and not arouse their suspicion by sharing malicious links only, the pages would also publish updates about the most recent events in Libya. Similarly to the malicious URLs, the same posts would also be copied across multiple pages on the same day:
Considering the fragile state of Libya, this makes those news an efficient bait for people interested in keeping up with the latest updates in the country. There are ongoing conflicts between the forces led by Khalifa Haftar (Libyan National Army), and the elected government backed by the United Nations. These conflicts have even resulted in Haftar leading an attack on the capital city in April.
This might explain why the threat actor chooses those themes and social engineering tricks to easily persuade users into clicking the URLs and running the files.
Despite this, there does not seem to be a hidden propaganda behind this activity, as the attacker does not appear to favor one political party over another. For example, one of the involved pages supports Libya’s Prime Minister Fayez al-Serraj, who is considered to be Khalifa Haftar’s opponent.
Funnily enough, one of the pages whose name is “We All Stand with Major General Khalifa Haftar” shared a post calling Haftar a criminal:
In general, the content has a national agenda that above all cares for the greater good of Libya and warns against external or internal threats.
There were some exceptions to the political themes in the posts, although they still used the victims’ common areas of interest. Back in 2018, one of the mobile RATs masqueraded as an application that allows its users to watch the FIFA World Cup matches for free. In another instance, an application offered VPN services that would help access any blocked sites in the country: (The downloaded apps were variants of the SpyNote RAT)
All in all, this suggests that the threat actor behind this leveraged their knowledge of the target audience, and was familiar with what the Libyan victims are likely to click or download, enabling them to spread the files using simple yet effective methods.
Although most of the malicious files were stored in services such as Google Drive, in some cases the attacker managed to compromise legitimate websites and host malicious files on them. This included a Russian website, an Israeli website, and a Moroccan news website:
The most interesting one was perhaps the website belonging to Libyana, one of the largest mobile operators in Libya:
This major company was compromised, and its website hosted a RAR archive back in 2014. This archive was advertised on some pages as a credit package given away for free by the mobile operator, but actually contained a malicious .NET executable:
Tracking down the Attacker
All of the applications and VBE scripts shared by the initial page we investigated communicated with the same command and control server: drpc.duckdns[.]org.
At a certain point, the domain resolved to an IP address that was associated with another website: libya-10[.]com[.]ly. This domain was also used as a C&C in some of the malicious files distributed back in 2017.
The WHOIS information of this website shows that it was registered using the e-mail address [email protected][.]com, which was associated with other domains:
“Dexter Ly”, which is used in two of the registered domains above, is the attacker’s current avatar. Looking it up online led us to a Facebook account under that name that belongs to the attacker, who appears to be of Libyan origin:
This account repeated the same typos that we have observed in the involved pages, enabling us to assess with high confidence that this is the same person that wrote the posts’ content. The account also openly shared almost every aspect of this malicious activity, including screenshots from the panels where the victims were managed:
The attacker shared sensitive information they were able to get their hands on from infecting victims. This included secret documents belonging to Libya’s government, exchanged e-mails, phone numbers belonging to officials and even pictures of the officials’ passports:
A link in one of the posts led to the attacker’s website defacement history starting from 2013, showing that the attacker participated in operations such as OpSyria. Looking at those records, we can see that the “Dr.Pc” avatar (which appears in the new C&C and WHOIS information) was used back then instead of “Dexter Ly”:
By mapping this activity we were able to trace several seemingly unrelated Facebook pages that are followed by thousands of users and find the attacker abusing them to spread malware. We were also able to observe the evolution of this attacker from the early days of defacing websites to being able to run a more sophisticated operation.
Although the set of tools which the attacker utilized is not advanced nor impressive per se, the use of tailored content, legitimate websites and highly active pages with many followers made it much easier to potentially infect thousands of victims. The sensitive material shared in the “Dexter Ly” profile implies that the attacker has managed to infect high profile officials as well.
Although the attacker does not endorse a political party or any of the conflicting sides in Libya, their actions do seem to be motivated by political events. This can be implied from the participation in operations like OpSyria years ago, as well as the willingness to expose secret documents and personal information stolen from the Libyan government. This is juxtaposed with the constant targeting of Libyan victims but might mean that the attacker is after certain individuals within the larger crowd.
Indicators of Compromise