Ransomware, DDoS and polymorphic phishing have long been among the most notorious threats in cybersecurity, but attackers today are shifting focus and trying different approaches to compromise systems.
According to research by Check Point's threat intelligence team, a remote access Trojan dubbed “FlawedAmmyy” has entered the Global Threat Index Top 10 for the first time. As the name suggests, FlawedAmmyy was built from the leaked source code of Ammyy Admin, a zero-config remote desktop tool, which means the attackers repurposed legitimate remote-administration functionality as a RAT.
What Is A ‘RAT’?
A Remote Access Trojan (RAT) is a malicious program that, once it enters a system, opens a backdoor that gives the attacker administrative control over the computer. RATs typically arrive bundled with other programs or files downloaded from the internet; the carrier could be a game installer or an email attachment. Once a RAT has compromised a computer, the intruder can use it to push RATs to other vulnerable computers and build a botnet, and botnets are what carry out attacks such as distributed denial of service (DDoS).
Use Of Facebook To Distribute RAT
On 1 July 2019, Check Point released research showing that a large-scale campaign called “Operation Tripoli” had been using Facebook pages for years to spread RATs to mobile and desktop devices, specifically targeting Libya.
Reportedly, Check Point came across a Facebook page impersonating the Libyan-American military commander Khalifa Haftar. The page was created in April 2019 and has since gained 11,000 followers. It posts content related to politics and the army and attaches URLs to download files that it claims are leaks from Libya’s intelligence units. That is not all: some URLs were presented as legitimate sites where citizens could sign up for the army.
People who took the bait ended up downloading a variety of known RATs used for spying and stealing data. The researchers also state that the admins behind the fake Khalifa Haftar page have been distributing malicious programs since 2014 and that more than 30 fake Facebook pages are part of the operation. Most striking of all, some of these pages are followed by more than 100,000 users, which is a massive reach.
Some of these pages, with their follower counts:
- Official Libya – 51,000
- Libya My People – 110,400
- Crimes In Libya – 63,900
- Emad al-Trabilsi Official Page – 139,500
- Dignity Urgent – 61,000
More than 40 unique malicious links were used by the attackers over the years and shared on those pages to distribute RATs. The criminals routed them through link-shortening services such as bit.ly and goo.gl, which expose per-link click statistics and so let the researchers see exactly how many people clicked on each link.
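Because the campaign's links went through shorteners, a defender triaging a suspicious post can expand the redirect chain one HEAD request at a time before anyone clicks, and flag destinations that end in an executable or archive. The following Python is an added example, not Check Point's tooling or code from the article; the post text, the shortener list, the example.net/example.org hosts and the redirect map are all constructed for illustration.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Shortener domains worth expanding before anyone clicks (assumed, not exhaustive).
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly", "is.gd"}
# Extensions that signal a payload rather than a web page (assumed list).
RISKY_EXTENSIONS = (".exe", ".scr", ".msi", ".apk", ".jar", ".js", ".vbs", ".zip", ".rar")
URL_RE = re.compile(r"https?://[^\s\"'<>()]+")

# Constructed sample: text of a fictional social-media post carrying two links.
SAMPLE_POST = (
    "Leaked files from the intelligence unit, download here: https://bit.ly/2XaBcDe "
    "Official army registration: https://www.example.org/register"
)

# Constructed redirect map standing in for HTTP HEAD responses (example.net is reserved).
CONSTRUCTED_REDIRECTS = {
    "https://bit.ly/2XaBcDe": "https://files.example.net/dl?id=7",
    "https://files.example.net/dl?id=7": "/static/libya_intel_leaks.exe",  # relative Location
}


def offline_resolver(url):
    """Resolver used by the sample: returns the next hop or None without touching the network."""
    return CONSTRUCTED_REDIRECTS.get(url)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop is visible to the analyst."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_resolver(url, timeout=5):
    """Real resolver: one HEAD request, returns the Location header (or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx surfaces here once redirects are disabled
        return err.headers.get("Location")
    except (OSError, ValueError):
        return None


def extract_urls(text):
    """Pull http(s) URLs out of free text, dropping trailing punctuation."""
    return [u.rstrip(".,;:!?") for u in URL_RE.findall(text)]


def is_shortener(url):
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENERS


def expand(url, resolver, max_hops=5):
    """Follow the redirect chain hop by hop; stops on a loop or after max_hops."""
    chain = [url]
    for _ in range(max_hops):
        nxt = resolver(chain[-1])
        if not nxt:
            break
        nxt = urljoin(chain[-1], nxt)  # Location headers may be relative
        if nxt in chain:
            break
        chain.append(nxt)
    return chain


def triage_post(text, resolver=offline_resolver):
    """One finding per URL: where it really goes and whether it looks like a payload."""
    findings = []
    for url in extract_urls(text):
        chain = expand(url, resolver) if is_shortener(url) else [url]
        final = chain[-1]
        findings.append({
            "url": url,
            "shortened": is_shortener(url),
            "final": final,
            "hops": len(chain) - 1,
            "risky_download": urlparse(final).path.lower().endswith(RISKY_EXTENSIONS),
        })
    return findings


if __name__ == "__main__":
    for f in triage_post(SAMPLE_POST):
        flag = "PAYLOAD?" if f["risky_download"] else "ok"
        print(f"{f['url']} -> {f['final']} ({f['hops']} hops) {flag}")
```

Run as a script it reports the bit.ly link resolving in two hops to an .exe while the direct registration link passes. Pass `live_resolver` to `triage_post` to do the same against real links; the hop-by-hop HEAD approach is deliberate, since letting a client auto-follow to the final URL with a GET would fetch the payload onto the analyst's machine.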
Even though Facebook has now shut down all these fake pages, the question is what the company was doing for five long years. Why did it take Facebook so long to act? The world has witnessed some of the worst hacks and breaches over the past couple of years, and if companies still neglect security after that, they are not only risking their business but also putting their users and the rest of the world at risk.
This also shows that attackers around the world are becoming more sophisticated, and that it is not only high-end technical attacks that do damage. Old-school methods like social engineering remain effective, because humans and their emotions are the weakest link of all.