Desert Dexter Spreads Malware Through Facebook Ads

Desert Dexter is targeting users in the Middle East and North Africa with a new malware campaign. The attackers use Facebook ads and Telegram links to spread a modified version of AsyncRAT.

A recent report found nearly 900 victims since September 2024. Most cases have been identified in Libya, Saudi Arabia, Egypt, Turkey, the UAE, Qatar, and Tunisia. The campaign takes advantage of social media and geopolitical events to lure victims.

How the Attack Works

The attackers create temporary Facebook accounts and news pages. These accounts post ads that link to file-sharing services or Telegram channels. Clicking the links downloads malware that includes an offline keylogger and scans for cryptocurrency wallets. It also connects to a Telegram bot for remote control.

The attack begins with a RAR file that contains a batch script or JavaScript file. Running the file executes a PowerShell script, which launches the second stage. The malware disables security processes, deletes specific files, and establishes persistence on the system. It also takes a screenshot and injects AsyncRAT into a legitimate Windows executable.

Researchers found Arabic comments in the malware code, suggesting the attackers may be from Libya. A Telegram channel linked to the campaign was created in October 2024. The attackers appear to focus on ordinary users, including employees in oil production, IT, and construction.

How to Stay Protected

Users should avoid clicking on suspicious ads or downloading files from unverified sources. Businesses must train employees to recognize phishing attempts. Keeping software updated and using strong antivirus protection can help prevent infections.
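For security teams, the delivery chain described above (a batch or JavaScript file unpacked from a RAR archive that then starts PowerShell) can be hunted for in process-creation logs. The sketch below is an added example, not code from the report or the researchers: the event field names are modeled on Sysmon process-creation events, the "Host" key and all sample values are constructed, and the archive temp-folder names are an assumption about how common archive tools unpack files.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Batch or JavaScript file on the parent's command line (the article's first stage).
SCRIPT_RE = re.compile(r'\.(?:bat|cmd|js)(?=["\s]|$)', re.I)
# Assumption: archive tools unpack opened files into temp folders named Rar$... or 7zO...
ARCHIVE_TEMP_RE = re.compile(r"\\(?:Rar\$|7zO)[^\\]+\\", re.I)

def find_script_to_powershell(events):
    """Flag PowerShell started by a script host that is running a .bat/.cmd/.js file."""
    hits = []
    for ev in events:
        child = basename(ev["Image"]).lower()
        parent = basename(ev["ParentImage"]).lower()
        parent_cmd = ev.get("ParentCommandLine", "")
        if child not in POWERSHELL or parent not in SCRIPT_HOSTS:
            continue
        if not SCRIPT_RE.search(parent_cmd):
            continue  # e.g. an interactive cmd.exe session, not a script
        # A script run straight out of an archive temp folder is the stronger signal.
        severity = "high" if ARCHIVE_TEMP_RE.search(parent_cmd) else "medium"
        hits.append({"host": ev["Host"], "severity": severity,
                     "parent": parent, "parent_cmd": parent_cmd})
    return hits

# Constructed sample events; every value here is made up for illustration.
SAMPLE_EVENTS = [
    {"Host": "WS-01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'"wscript.exe" "C:\Users\u1\AppData\Local\Temp\Rar$DIa4120.1337\news.js"'},
    {"Host": "WS-02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c C:\Users\u2\Downloads\update.bat"},
    {"Host": "WS-03", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"Host": "WS-04", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'"C:\Windows\System32\cmd.exe"'},
]

if __name__ == "__main__":
    for hit in find_script_to_powershell(SAMPLE_EVENTS):
        print(hit["severity"], hit["host"], hit["parent_cmd"])
```

Legitimate login scripts and installers also start PowerShell from batch files, so the "medium" results need an allowlist of known script paths before they are used for alerting.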

By staying cautious and implementing security measures, individuals and organizations can reduce the risk of falling victim to Desert Dexter’s attacks.
