Using Facebook as a C2 Server

a1l4m
4 min readSep 26, 2023

Imagine seeing your machine connecting to the Facebook domain. It seems legit, right? Well, maybe most of the time, but not today.

background

After hearing about Molerats and how they always come up with different techniques when it comes to post-exploitation, like using a C2 server for sending commands back to their malware, I stumbled upon one of their methods for sending commands to the compromised host that blew my mind.

Let’s just get started.

Molerats, aka: Gaza Hackers Team, Gaza cybergang, Gaza Cybergang, Operation Molerats, Extreme Jackal, Moonlight, ALUMINUM SARATOGA, G0021

This APT group is located in the Middle East and gained popularity in October 2012, when malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. And they are not just targeting Israel but also Palestine, which, if you are aware of the situation, is a bit weird.

On December 9 2020, Cybereason published a report that revealed that they had uncovered a new attack campaign launched by Molerats. The campaign focused on the ongoing normalization process between Israel and its Arab neighbors. One of the phishing documents, a PDF file titled “MBS-Israel,” explored that development by referencing the peace talks between Israeli Prime Minister Benjamin Netanyahu and His Royal Highness Mohammed bin Salman, Saudi Crown Prince.

To summarize their initial access, they started a phishing campaign targeting Hamas leaders with a PDF attached to it. The pdf doesn’t have any macros but links to other password-protected achieves to download, and they claim it contains the content of the peace talks between Israel and Arab leaders.

pdf content

Those links are actually Dropbox and Google Drive links, which the attackers used to evade detection as those domains are considered legit in most systems.

Both archives arrived with several executables whose names referenced the talks.

These malwares have three variants in the exe files:

  1. Sharpstage backdoor
  2. Molenet downloader
  3. Dropbook backdoor

We are not going to talk about the first two variants now, as this is not why we are here.

DropBook executed on a machine only if the infected machine had configured the Arabic language. They don’t want the malware to be exposed to sandboxes or to people who are not targeted.

This malware uses Dropbox for file uploads and downloads. And the unique thing about this malware is that it uses Facebook posts and note-taking applications. Simple note to receive a Dropbox token as well as command-and-control (C2) instructions from the attackers.

Facebook as C2 server.

“Molerats created fake Facebook accounts specifically for this campaign, those accounts are effectively being used by the group for command-and-control purposes by sending instructions to the malware using Facebook posts. This is a clever way of hiding in plain sight, abusing the trust given to a legitimate platform such as Facebook. This helps the group to remain under the radar.”

This text is quoted from Assaf Dahan, Sr. Director, Head of Threat Research at Cyber Reason.

Another way for attacker in order to maintain the C2 configuration data, threat actors using the Facebook and YouTube profiles description with base64 encoded and custom encrypted.

payload base64 encrypted data.

Threat actors are cleverly hosting the C2 data within these trusted sources to bypass network security, AV, and detection in general. That’s why you should be aware of the baseline of your organization. For example, if the company's business doesn’t require using Facebook or any social media in general, you can block it or make an alert if someone accesses it, and from there, you can do more investigation.

Thanks for reaching this point.

Cya geeks

--

--