OPERATION TRIPOLI

July 1, 2019

Check Point Research recently came across a large-scale campaign that for years was using Facebook pages to spread malware across mobile and desktop environments, with one target country in mind: Libya.

It seems that the tense political situation in Libya is useful to some, who use it to lure victims into clicking links and downloading files that are supposed to inform about the latest airstrike in the country, or the capturing of terrorists, but instead contain malware.

Our investigation started when we came across a Facebook page impersonating the commander of Libya’s National Army, Khalifa Haftar. In addition to being a Field Marshal, Haftar is a prominent figure in Libya’s political arena and has had major roles as a military leader in the country’s ongoing civil war.

Through this Facebook page we were able to trace this malicious activity all the way down to the attacker responsible for it and find out how they have been taking advantage of the social networking platform for years, compromising legitimate websites to host malware and, in the end, successfully made their way to tens of thousands of victims mainly from Libya, but also in Europe, the United States and Canada.

Based on information we shared, Facebook took down the pages and accounts that distributed the malicious artifacts belonging to this operation.

Grammatical Mistakes and Giveaways:

Another warning sign about the legitimacy of the page was the amount of grammatical mistakes that were found in almost every post. Haftar’s name was not the only thing misspelled in the Facebook page, as the posts included many misspelled words, missing letters and repeated typos in Arabic. Most of those mistakes are repetitive, and some of the posts use words which do not exist in Arabic, because the originally intended ones are missing certain letters (for example “Pove” instead of “Prove”). Those spelling mistakes are not ones that can be generated by online translation engines, and can indicate that the text was written by an Arabic speaker.

Looking up some combinations of the incorrect phrasing led us to numerous posts across a network of Facebook pages that repeat the same unique mistakes. Those pages appeared to be operated by the same threat actor, and they revealed an ongoing widespread operation that has been after Libyans and people who are interested in Libya’s politics for years.

Successful Targeting:

Since the attacker used URL shortening services (bit.ly, goo.gl, tinyurl, etc.), we could tell how many people exactly clicked on each link. In certain cases, we were even able to see which country those users came from, and which environment they used. The majority of the URLs had thousands of clicks, mostly around the time they were created and shared, The referrers to these URLs are mainly domains that belong to Facebook, which can indicate that the social network is the most common infection vector used in this attack
Although a click does not mean a successful infection, it did support our suspicion regarding the targeting of this campaign and confirmed that most of the affected users were indeed from Libya; however, there were victims from Europe, the U.S. and Canada as well. The following screenshot shows the statistics from one link which was clicked approximately 6,500 times, 5,120 out of which came from Libya

Conclusion

By mapping this activity we were able to trace several seemingly unrelated Facebook pages that are followed by thousands of users and find the attacker abusing them to spread malware. We were also able to observe the evolution of this attacker from the early days of defacing websites to being able to run a more sophisticated operation.

Although the set of tools which the attacker utilized is not advanced nor impressive per se, the use of tailored content, legitimate websites and highly active pages with many followers made it much easier to potentially infect thousands of victims. The sensitive material shared in the “Dexter Ly” profile implies that the attacker has managed to infect high profile officials as well.

Although the attacker does not endorse a political party or any of the conflicting sides in Libya, their actions do seem to be motivated by political events. This can be implied from the participation in operations like OpSyria years ago, as well as the willingness to expose secret documents and personal information stolen from the Libyan government. This is juxtaposed with the constant targeting of Libyan victims but might mean that the attacker is after certain individuals within the larger crowd.