Widespread Desert Dexter Attack Campaign Spreads Custom AsyncRAT Variant

Attacks exploiting Facebook and Telegram to spread a custom variant of the AsyncRAT trojan have been deployed by newly emergent threat actor Desert Dexter against the Middle East and North Africa since September, according to The Hacker News.

A report from Positive Technologies found that nearly 900 victims — most of whom are oil production, information technology, construction and agriculture employees in Libya, Saudi Arabia, Turkey, Egypt, Qatar, Tunisia, and the United Arab Emirates — have already been compromised by the campaign, which commenced with the creation of temporary Facebook accounts used to post ads with malicious links.

Clicking on the ads triggers the download of a RAR archive containing scripts that remove different .NET processes, establish persistence, and exfiltrate system data before delivering the AsyncRAT malware variant, which features an offline keylogger, extensive searching for cryptocurrency wallets and extensions, and Telegram bot communication capabilities.

"The tools used by Desert Dexter are not particularly sophisticated," said the Positive Technologies researchers. "However, the combination of Facebook ads with legitimate services and references to the geopolitical situation has led to the infection of numerous devices."
