Facebook Shutters Accounts Used in APT32 Cyberattacks

malware facebook APT32

Facebook shut down accounts and Pages used by two separate threat groups to spread malware and conduct phishing attacks.

Facebook has shut down several accounts and Pages on its platform, which were used to launch phishing and malware attacks by two cybercriminal groups: APT32 in Vietnam and an unnamed threat group based in Bangladesh.

Threatpost Webinar Promo Bug Bounty

Click to register.

The social-media giant said it has removed both groups’ ability to use their infrastructure to abuse its platform, distribute malware and hack other accounts. A new analysis said the two groups were unconnected and targeted Facebook users leveraging “very different” tactics.

“The operation from Vietnam focused primarily on spreading malware to its targets, whereas the operation from Bangladesh focused on compromising accounts across platforms and coordinating reporting to get targeted accounts and Pages removed from Facebook,” said Nathaniel Gleicher, head of security policy, and Mike Dvilyanski, cyber-threat intelligence manager at Facebook, in a Thursday post.


APT32, also known as OceanLotus, is a Vietnam-linked advanced persistent threat (APT) that has been in operation since at least 2013. More recently the group has been linked to an espionage effort aimed at Android users in Asia (in a campaign dubbed PhantomLance by Kaspersky in April). Researchers also in November warned of a macOS backdoor variant linked to the APT group, which relies of multi-stage payloads and various updated anti-detection techniques.

Facebook said that APT32 leveraged its platform to target Vietnamese human-rights activists, as well as various foreign governments (including ones in Laos and Cambodia), non-governmental organizations, news agencies and a number of businesses.

The threat group created Facebook Pages and accounts in order to target particular followers with phishing and malware attacks. Here, APT23 used various social-engineering techniques, often using romantic lures or posing as activists or business entities to appear more legitimate.

Under the guise of these pages, APT32 would then convince targets to download Android apps through the legitimate Google Play store, which in turn had various permissions enabling broad surveillance of victim devices. Threatpost has reached out to Facebook for further information on specific apps used here. A Google spokesperson also confirmed to Threatpost that the apps used in these attacks have been removed from Google Play.

In addition to apps, APT32 would use these accounts to convince victims to click on compromised websites – or websites that they had created – to include malicious (obfuscated) JavaScript, in watering hole attacks used to compromise victim devices. As part of this attack, APT32 developed custom malware that would detect the victim’s operating system (Windows or Mac), and then send them a tailored payload that executes the malicious code.

Facebook also observed APT32 leveraging previously-utilized tactics in its attacks – such as using links to file-sharing services where they hosted malicious files (that victims would then click and download), including shortened links.

“Finally, the group relied on dynamic-link library (DLL) side-loading attacks in Microsoft Windows applications,” said Facebook. “They developed malicious files in .exe, .rar, .rtf and .iso formats, and delivered benign Word documents containing malicious links in text.”

According to Facebook, “our investigation linked this activity to CyberOne Group, an IT company in Vietnam (also known as CyberOne Security, CyberOne Technologies, Hành Tinh Company Ltd., Planet and Diacauso).”

Threatpost has reached out to CyberOne Group for comment; and has also reached out to Facebook inquiring about the specific links made that tied this company into the activity.

Bangladesh Group

Meanwhile, the Bangladesh-based threat actors targeted local activists, journalists and religious minorities to compromise their Facebook accounts. Facebook alleged it found links in this activity to two non-profit organizations in Bangladesh: Don’s Team (also known as Defense of Nation) and the Crime Research and Analysis Foundation (CRAF).

The company alleged that the groups collaborated to report Facebook users for fictitious violations of its Community Standards –  such as alleged impersonation, intellectual property infringements, nudity and terrorism. In addition, the groups allegedly hacked Facebook user accounts and Pages, and used them for their own operational purposes, including to amplify their content.

“On at least one occasion, after a Page admin’s account was compromised, they removed the remaining admins to take over and disable the Page,” said Facebook.

Threatpost reached out to Don’s Team and CRAF for further comment. A Don’s Team spokesperson told Threatpost, “the recent allegations against Don’s Team is totally misleading.”

“This doesn’t relate to the recent Bangladesh Facebook campaign,” said the spokesperson. “Don’s Team is a social media awareness and consultancy platform. We help people to get rid of various Facebook related problems. As Facebook don’t have any of their affiliation places in Bangladesh, users [suffer] from a lot of problems related with Facebook accounts/pages/groups. So as a social media consultancy team we help those users when their account gets hacked, lost access to the account. Following Facebook community standards we help the victims to recover their account when it got disabled.”

Facebook – which has removed infrastructure in the past used by attackers to abuse its platform — warned that the attackers behind these operations are “persistent adversaries” and they expect them to evolve their tactics.

“We will continue to share our findings whenever possible so people are aware of the threats we are seeing and can take steps to strengthen the security of their accounts,” said Gleicher and Dvilyanski.

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows; Limor Kessem, Executive Security Advisor, IBM Security; and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.

Suggested articles