Remote Access Trojan Spreading Through Facebook Since 2014. Here’s What Happened

Malware and viruses are known to spread on the internet using spam mail and website injections. But it seems that even the popular social media site Facebook has become a popular distribution channel for remote access malware.

Remote Access Trojans (RATs) on Facebook

Researchers from Check Point uncovered several Facebook pages spreading malware to Facebook users all around the globe. The campaign has been running since 2014 and was just discovered recently.

The cybercriminals used the situation in Libya as a cover-up to spread malicious software. Posts containing the virus talked about the political situation in Libya and urged audiences to click a malicious link. The researchers believe that users several users from Libya, China, the US, and Europe were infected.

The malware was identified as a Remote Access Trojan (RATs) and gives the hackers back door entry into an infected computer’s administrative accesses.

How Dangerous Are Remote Access Trojans?

Remote access trojans are very dangerous because it acts as a remote software for hackers. When malicious actors infect a computer, they can do unauthorized activities in the infected computer. Activities hackers can do on an infected computer include:

– Spy on user activities using spyware tools
– Record user activities through the computer’s webcam
– Distribute malware to other devices in the network
– Alter system files
– Download and delete files
– Format drives and systems

SpyNote, Back Orifice, and Houdini are well-known RATs programs that give hackers remote access to the devices of innocent victims.

How Did the Facebook Operation Work on RAT Malware

Researchers first uncovered the campaign after investigating a Facebook page impersonating Libya National Army commander Khalifa Haftar. Haftar is a prominent figure in Libya and an important person in the ongoing civil war.

Through their investigation, they found out that the Facebook page impersonating commander Haftar was created in April 2019 and garnered more than 11,000 followers in the short amount of time. The hackers used the fake persona to share posts that contained URLs and attachments with the remote access malware.

Further into their investigation, the researchers found that there were more than 30 Facebook pages used to spread the malware, some with followers over 100,000. The hackers responsible for this attack used more than 40 unique URLs to spread the malware and used URL-shortening and social engineering to get people to click their posts.

The hackers also posted updates on recent developments in Libya to avoid suspicion across all their platforms.

Aside from Facebook, hackers also used blogs to spread the virus. The hackers started using blogs around 2015 and managed multiple blogs.
Who Were the Targets

Based on the researcher’s findings, they concluded that the main target of the attack were Libyans. Many of the pages that the hackers used were fake accounts of famous Libyan personalities and leaders; other pages also contained Libyan-related posts.

Because the hackers used a URL-shortening service, researchers were able to track the number of people who clicked the link and their location. The findings showed that many of the URLs had over one thousand clicks and the majority were from Libya. Researchers also found out that some users from the US, Europe, and Canada also clicked on the links.

 Who Conducted the RAT Malware Attack?

The researchers were able to track the campaign down to the mastermind by tracing the malware back to its source.

Using tracking tools, the researchers pinned the remote access malware attacks to a certain persona named Dexter Ly. They found a profile with this persona on Facebook and noted that the attacker appears to be of Libyan origin. After verifying, they concluded that the Facebook profile belonged to the hacker.

The hacker shared on the profile screenshots and photos on the hacking activity. They even posted sensitive information they retrieved from their victims. They revealed secret documents they obtained from intercepted emails from officials of the Libyan government.

Other sensitive information released by the hacker includes phone numbers and passports of government officials. Researchers noted that the attackers have been doing their malicious activities since 2013.


Remote access can be a useful tool or a dangerous weapon. In the hands of legitimate organizations and enterprises, remote access can increase collaboration and ease of doing work.But in the hands of a malicious actor, remote desktop software can lead to a high-scale data breach.


This research finding has also shed light on how Facebook can be used to distribute malware and that cybercriminals are getting even more crafty in distributing malware over the internet. Facebook developers will need to find a better way to protect their users from this kind of remote  access malware attack.The researchers have shared their findings with Facebook. Facebook has already taken down the pages and accounts distributing the malicious remote access malware.

Instant Remote Access
Related Resources: