Researchers have exposed a network of Facebook accounts that used Libya-themed news and topics to push malware to tens of thousands of people over a five-year span.
Links to the Windows- and Android-based malware first came to the researchers' attention in Facebook postings impersonating Field Marshal Khalifa Haftar, commander of Libya’s National Army. The fake account, which was created in early April and had more than 11,000 followers, purported to publish documents showing countries such as Qatar and Turkey conspiring against Libya and photos of a captured pilot who tried to bomb the capital city of Tripoli. Other posts promised to offer mobile applications that Libyan citizens could use to join the country’s armed forces.
According to a post published on Monday by security firm Check Point, most of the links instead went to VBScripts, Windows Script Files and Android apps known to be malicious. The wares included variants of open source remote-administration tools with names including Houdini, Remcos, and SpyNote. The tools were mostly stored on file-hosting services such as Google Drive, Dropbox, and Box.