Facebook shut down accounts and Pages used by two separate threat groups to spread malware and conduct phishing attacks.
Facebook has shut down a number of accounts and Pages on its platform that were used to launch phishing and malware attacks by two cybercriminal groups: APT32 in Vietnam and an unnamed threat group based in Bangladesh.
The social-media giant said it has removed both groups’ ability to use its infrastructure to abuse the platform, distribute malware and hack other accounts. A new analysis said the two groups were unconnected and targeted Facebook users using “very different” tactics.
“The operation from Vietnam focused mainly on spreading malware to its targets, whereas the operation from Bangladesh focused on compromising accounts across platforms and coordinating reporting to get targeted accounts and Pages removed from Facebook,” said Nathaniel Gleicher, head of security policy, and Mike Dvilyanski, cyber-threat intelligence manager at Facebook, in a Thursday post.
APT32
APT32, also known as OceanLotus, is a Vietnam-linked advanced persistent threat (APT) that has been in operation since at least 2013. More recently the group has been tied to an espionage effort aimed at Android users in Asia (in a campaign dubbed PhantomLance by Kaspersky in April). Researchers in November also warned of a macOS backdoor variant linked to the APT group, which relies on multi-stage payloads and several updated anti-detection techniques.
Facebook said that APT32 leveraged its platform to target Vietnamese human-rights activists, as well as various foreign governments (including those in Laos and Cambodia), non-governmental organizations, news agencies and a number of businesses.
The threat group created Facebook Pages and accounts in order to target specific followers with phishing and malware attacks. Here, APT32 used various social-engineering tactics, often using romantic lures or posing as activists or business entities to appear more legitimate.
Under the guise of these Pages, APT32 would then persuade targets to download Android apps via the legitimate Google Play store, which in turn requested numerous permissions enabling broad surveillance of victim devices. Threatpost has reached out to Facebook for more details on the specific applications used here. A Google spokesperson also confirmed to Threatpost that the apps used in this campaign have been removed from Google Play.
In addition to apps, APT32 would use these accounts to persuade victims to click on compromised websites – or sites the group had set up itself – that included malicious (obfuscated) JavaScript, in watering-hole attacks used to compromise victim devices. As part of this attack, APT32 created custom malware that would detect the victim’s operating system (Windows or Mac) and then send a tailored payload that executes the malicious code.
Facebook also observed APT32 leveraging previously used tactics in its attacks – such as using links to file-sharing services where it hosted malicious files (that victims would then click and download), including shortened links.
“Finally, the group relied on dynamic-link library (DLL) side-loading attacks in Microsoft Windows applications,” said Facebook. “They developed malicious files in .exe, .rar, .rtf and .iso formats, and delivered benign Word documents containing malicious links in text.”
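The last two delivery tactics above (shortened or file-sharing links, and otherwise benign Word documents whose body text carries malicious links) can be triaged without opening the document, because a .docx stores its clickable links as relationships in an XML part inside the ZIP package. The following is an added example of such a triage script, not code from the article or from Facebook; the shortener and file-sharing host lists are illustrative assumptions, and the sample document is constructed in memory so the script runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import escape

# Triage lists are illustrative assumptions, not taken from the article;
# extend them with your own threat intelligence.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}
FILE_SHARING_HOSTS = {"drive.google.com", "dropbox.com", "mega.nz"}
# File types the article says the group packaged its malware in.
RISKY_EXTENSIONS = (".exe", ".rar", ".rtf", ".iso")

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                  "relationships/hyperlink")


def extract_hyperlinks(docx_bytes):
    """Return external hyperlink targets declared by the main document part.

    OOXML stores body hyperlinks as relationships in
    word/_rels/document.xml.rels, so targets can be read without rendering
    the document or evaluating any macro.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        if "word/_rels/document.xml.rels" not in archive.namelist():
            return []
        rels_xml = archive.read("word/_rels/document.xml.rels")
    root = ET.fromstring(rels_xml)
    targets = []
    for rel in root.iter("{%s}Relationship" % RELS_NS):
        if rel.get("Type") == HYPERLINK_TYPE and rel.get("TargetMode") == "External":
            targets.append(rel.get("Target"))
    return targets


def _host_in(host, hosts):
    """True if host equals, or is a subdomain of, any entry in hosts."""
    return host in hosts or any(host.endswith("." + h) for h in hosts)


def classify_url(url):
    """Return the triage reasons (possibly none) that apply to one URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if _host_in(host, SHORTENER_HOSTS):
        reasons.append("url-shortener")        # real destination is hidden
    if _host_in(host, FILE_SHARING_HOSTS):
        reasons.append("file-sharing-host")    # common place to stage payloads
    if parsed.path.lower().endswith(RISKY_EXTENSIONS):
        reasons.append("direct-download-of-risky-file-type")
    return reasons


def triage_docx(docx_bytes):
    """Map every external link in the document to its triage reasons."""
    return {url: classify_url(url) for url in extract_hyperlinks(docx_bytes)}


def build_sample_docx(links):
    """Construct a minimal .docx carrying the given external hyperlinks.

    Constructed sample data only: just enough of the OOXML package for the
    parser above (a real file also has [Content_Types].xml and more parts).
    """
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="%s">' % RELS_NS]
    body = []
    for i, link in enumerate(links, start=1):
        rels.append('<Relationship Id="rId%d" Type="%s" Target="%s" TargetMode="External"/>'
                    % (i, HYPERLINK_TYPE, escape(link, {'"': "&quot;"})))
        body.append('<w:p><w:hyperlink r:id="rId%d"><w:r><w:t>link</w:t></w:r>'
                    '</w:hyperlink></w:p>' % i)
    rels.append("</Relationships>")
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:body>%s</w:body></w:document>' % "".join(body))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("word/document.xml", document)
        archive.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()


# Constructed sample: one shortened link, one file-sharing download of an
# executable, and one ordinary link that should not be flagged.
SAMPLE_LINKS = [
    "https://bit.ly/example-shortened",
    "https://www.dropbox.com/s/example/report.exe",
    "https://example.org/about",
]

if __name__ == "__main__":
    for url, reasons in triage_docx(build_sample_docx(SAMPLE_LINKS)).items():
        print(url, "->", reasons or ["no flags"])
```

Because the script reads only the relationships part, it is safe to run on untrusted documents in a mail gateway or sandbox; a shortened link should then be expanded in a controlled environment before the final destination is judged.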
According to Facebook, “our investigation linked this activity to CyberOne Group, an IT company in Vietnam (also known as CyberOne Security, CyberOne Technologies, Hành Tinh Company Limited, Planet and Diacauso).”
Threatpost has reached out to CyberOne Group for comment and has also reached out to Facebook asking about the specific links that tied this company to the activity.
Bangladesh Group
Meanwhile, the Bangladesh-based threat actors targeted local activists, journalists and religious minorities in order to compromise their Facebook accounts. Facebook alleged it found links between this activity and two non-profit organizations in Bangladesh: Don’s Team (also known as Defense of Nation) and the Crime Research and Analysis Foundation (CRAF).
The company alleged that the groups collaborated to report Facebook users for fictitious violations of its Community Standards – including alleged impersonation, intellectual-property infringements, nudity and terrorism.
In addition, the groups allegedly hacked Facebook user accounts and Pages, and used them for their own operational purposes, including to amplify their content.
“On at least one occasion, after a Page admin’s account was compromised, they removed the remaining admins to take over and disable the Page,” said Facebook.
Threatpost reached out to Don’s Team and CRAF for further comment.
Facebook – which has in the past removed infrastructure used by attackers to abuse its platform – warned that the attackers behind these operations are “persistent adversaries” and that it expects them to evolve their tactics.
“We will continue to share our findings when possible so people are aware of the threats we are seeing and can take steps to strengthen the security of their accounts,” said Gleicher and Dvilyanski.
Some parts of this post are sourced from:
threatpost.com