An anonymous reader quotes a report from ZDNet: Facebook has been exploited to act as a distribution platform for a set of Remote Access Trojans (RATs) for years, researchers say. According to Check Point Research, a “large-scale” campaign has been operating under Facebook’s radar since at least 2014 throughout a campaign related to politics in Libya. The aim of the operation has been to spread RATs including Houdini, Remcos, and SpyNote. Tens of thousands of victims from Libya, Europe, the US, and China are believed to have been compromised. The threat actor behind the campaign has used the political turmoil in Libya to their advantage. Libya’s National Army commander, Khalifa Haftar, has been impersonated for years and a page apparently operated by the public figure was actually a central point for the distribution of malware.
The page impersonating Haftar was created in April 2019 and has since attracted over 11,000 followers. Posts were shared with political themes and links claiming to share leaked intelligence reports and material, but if someone interested in Libyan politics clicked on the URLs, they would instead be sent to malicious content. Malicious VBE and WSF files for Windows machines, as well as malware-laden APK files for the mobile Android operating system, would then be downloaded and upon execution would install a Trojan. The malware was hosted on public services including Google Drive, Box, and Dropbox.
The researchers say over 30 Facebook pages have been spreading approximately 40 malicious links since 2014 and one of them has over 100,000 followers. “In order to avoid any suspicion, the pages in question would also publish legitimate content, most commonly related to news in Libya,” the report adds. “Occasionally, other content — such as download links to fake applications for watching football matches for free or malicious VPN services — would also be released.” Facebook says they have taken down the pages for violating their policies.