A mysterious hacker has for years been tricking Libyan citizens into infecting themselves with mobile and desktop malware by luring them to weaponized Facebook pages that impersonate key local figures and purport to deliver news of interest to the civil war-torn nation's people.
Researchers from Check Point Software Technologies have traced the campaign – dubbed Operation Tripoli – to an apparent Arabic-speaking actor of Libyan origin who goes by the alias "Dexter Ly." A review of the actor's very own Facebook account revealed screenshots of control panels used to manage victims, as well as sensitive information stolen from them, including secret documents from Libya's government, and emails, phone numbers and passport images of local officials.
In a research report today, Check Point says Facebook removed the offending pages and accounts after learning of the operation from the cybersecurity company. "Some of the pages impersonate important Libyan figures and leaders, others are supportive of certain political campaigns or military operations in the country, and the majority are news pages from cities such as Tripoli or Benghazi," the report states. "In total, there are more than 40 unique malicious links used by the attacker over the years, which were shared in those pages."
Among the most notable of these fake Facebook pages was one that appeared to be created by Khalifa Haftar, commander of Libya’s National Army, which supports the controversially elected Tobruk government that is currently in conflict with the rival General National Congress government.
First appearing in April 2019, the page lured in more than 11,000 followers with politically-charged posts that encouraged readers to click links to download files that supposedly contained information leaked from Libya's intelligence units. Other posts claimed to contain links leading to mobile applications for joining the Libyan military. In reality, however, followers who clicked these links actually downloaded malicious VBE, WSF or APK files and were ultimately infected with remote administration tools (RATs) such as Houdini, Remcos, and SpyNote, Check Point explains.
But researchers say other Operation Triploi pages dated as far back as 2014. Indeed, by analyzing unique grammatical mistakes in the fake Haftar page, Check Point was able to tie 30 more fake Facebook pages to the same operation, some of which were once legitimate before Dexter Ly compromised them and took them over.
Among the most popular of these fake pages were the official page of militia leader Emad al-Trabilsi (roughly 139,500 pages) and the Libya My People Page (roughly 110,400 pages). Many of the URL links included in these and other pages were clicked thousands of times. "The referrers to these URLs are mainly domains that belong to Facebook, which can indicate that the social network is the most common infection vector used in this attack," the report states.
While most victims were based in Libya, the operation has also infected users in the U.S., Canada and Europe as well.
Check Point says that although Dexter Ly seems to be motivated by recent political events in Libya, the phishing content he (or she) developed has targeted individuals on both sides of the conflict. The politically neutral approach of attacking both sides, "might mean that the attacker is after certain individuals within the larger crowd," the report concludes.
While most of the fraudulent posts were political in nature, Operation Tripoli also has used SpyNote RAT malware that came disguised as an app for watching FIFA World Cup matches for free, as well as an app that provided VPN services for accessing blocked websites.