Facebook Removes Accounts Used to Infect Thousands With Malware
According to reports, hackers have used more than 30 Facebook pages to spread malicious software aimed at social media users following news about Libya.
Researchers from the security vendor Check Point on Monday published details about Operation Tripoli, a coordinated campaign in which hackers used a network of seemingly legitimate Facebook pages to dupe users into downloading Windows malware. The pages impersonated people like Khalifa Haftar, the head of the Libyan National Army, militia leaders and a range of political causes urgent in the North African country.
Instead of delivering the content promised in the posts, the links downloaded malicious VBE or WSF files for Windows environments and APK files for Android.
The threat actor opted for open source tools instead of developing their own, and infected the victims with known remote administration tools (RATs) such as Houdini, Remcos, and SpyNote, which are often used in run-of-the-mill attacks.
Indicators of Compromise

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional with an interest in computer security and telecoms.