Facebook blocks IT company accounts associated with Vietnamese hacker group OceanLotus

On December 10, 2020, Facebook issued a press release stating that it had banned accounts belonging to an IT company associated with the Vietnamese hacker group OceanLotus.

According to Facebook's investigation, the OceanLotus group (also tracked as APT32) operates out of Vietnam. Its targets include Vietnamese human rights activists at home and abroad, foreign governments including those of Laos and Cambodia, non-governmental organizations, news agencies, and a range of businesses in information technology, hospitality, agriculture and commodities, healthcare, retail, the automotive industry and mobile services, all of which it attacked with malware.

Cyber Security Issues

Facebook linked this series of attacks by OceanLotus with the Vietnamese IT company CyberOne Group (also known as CyberOne Security, CyberOne Technologies, Hành Tinh Company Limited, Planet, and Diacauso).

Nathaniel Gleicher, Facebook's Head of Security Policy, and Mike Dvilyanski, Facebook's Cyber Threat Intelligence Manager, said that they had linked this activity to the Vietnamese IT company CyberOne Group.

Facebook stated that it has been tracking and taking action against this group for several years, and that its investigation documented many of OceanLotus's well-known tactics, techniques, and procedures, including:

  • Social engineering: APT32 created fictitious personas across the internet posing as activists and business entities, or used romantic lures when contacting people they targeted. These efforts often involved creating backstops for these fake personas and fake organizations on other internet services so they appear more legitimate and can withstand scrutiny, including by security researchers. Some of their Pages were designed to lure particular followers for later phishing and malware targeting.
  • Malicious Play Store apps: In addition to using Pages, APT32 lured targets to download Android applications through Google Play Store that had a wide range of permissions to allow broad surveillance of people's devices.
  • Malware propagation: APT32 compromised websites and created their own to include obfuscated malicious JavaScript as part of their watering hole attack to track targets' browser information. A watering hole attack is when hackers infect websites frequently visited by intended targets to compromise their devices. As part of this, the group built custom malware capable of detecting the type of operating system a target uses (Windows or Mac) before sending a tailored payload that executes the malicious code. Consistent with this group's past activity, APT32 also used links to file-sharing services where they hosted malicious files for targets to click and download. Most recently, they used shortened links to deliver malware. Finally, the group relied on Dynamic-Link Library (DLL) side-loading attacks in Microsoft Windows applications. They developed malicious files in exe, rar, rtf and iso formats, and delivered benign Word documents containing malicious links in text.

The DLL side-loading technique is known in Chinese-language reporting as "white plus black": a legitimately signed, benign executable (the "white" file) is packaged together with a malicious DLL (the "black" file) that carries the name of a library the program loads at startup. Because Windows searches the application's own directory before the system directories, the signed program loads the attacker's library, and the malicious code runs under the cover of a trusted process. Rar and iso containers let the executable and DLL travel together, which fits the file formats listed above.
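As an added hunting example (not code from the article or from Facebook's report), the following Python script turns the DLL side-loading layout described above into a detection check: given a file inventory (an EDR export or directory listing, constructed here as sample input), it flags any directory outside the Windows system folders where an executable sits next to a DLL named after a system library. The set of DLL names, the trusted-directory prefixes and the sample paths are assumptions made for the example.

```python
"""Hunt for DLL side-loading ("white plus black") candidates in a file inventory.

A signed, benign executable (the "white" file) dropped next to a DLL carrying
the name of a Windows system library (the "black" file) is the classic
side-loading layout: the application directory is searched before System32,
so the attacker's DLL wins.  Any file inventory (EDR export, `dir /s` output,
forensic image listing) can be fed through this check to surface such pairs.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Illustrative set of library names that should only live in the Windows
# system directories; attackers routinely ship look-alikes beside a signed exe.
# This list is an assumption for the example, not taken from the article.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "msimg32.dll", "wininet.dll",
    "oleacc.dll", "cryptbase.dll", "profapi.dll", "winhttp.dll",
}

# Directories where those DLLs legitimately reside (compared case-insensitively).
TRUSTED_DIR_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Constructed sample inventory: two suspicious pairs, several benign decoys.
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\notepad.exe",
    r"C:\Windows\System32\version.dll",                      # genuine copy
    r"C:\Users\alice\AppData\Local\Temp\archive\report.exe",
    r"C:\Users\alice\AppData\Local\Temp\archive\version.dll",  # side-load
    r"C:\Users\alice\AppData\Local\Temp\archive\report.docx",
    r"C:\Program Files\Vendor\tool.exe",
    r"C:\Program Files\Vendor\vendor_helper.dll",            # vendor's own DLL
    r"C:\Users\alice\Downloads\iso_mount\update.exe",
    r"C:\Users\alice\Downloads\iso_mount\DbgHelp.DLL",         # side-load
    r"C:\Users\alice\Downloads\loose\cryptbase.dll",           # no exe beside it
]


def _is_trusted_dir(directory: str) -> bool:
    """True when the directory is one of (or under) the Windows system folders."""
    d = directory.lower()
    return any(d == p or d.startswith(p + "\\") for p in TRUSTED_DIR_PREFIXES)


def find_sideload_candidates(paths, system_dll_names=SYSTEM_DLL_NAMES):
    """Return sorted (exe_path, dll_path) pairs where a system-named DLL sits
    beside an executable outside the trusted Windows directories."""
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    for raw in paths:
        p = PureWindowsPath(raw)
        suffix = p.suffix.lower()
        if suffix not in (".exe", ".dll"):
            continue
        by_dir[str(p.parent)][suffix[1:]].append(p)

    hits = []
    for directory, files in by_dir.items():
        # A lone DLL, or a pair inside System32, is not the pattern we hunt for.
        if _is_trusted_dir(directory) or not files["exe"]:
            continue
        for dll in files["dll"]:
            if dll.name.lower() in system_dll_names:
                for exe in files["exe"]:
                    hits.append((str(exe), str(dll)))
    return sorted(hits)


if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(SAMPLE_INVENTORY):
        print(f"side-load candidate: {exe} loads {dll}")
```

Every hit still needs triage: confirm that the executable is signed and that the DLL is not the genuine system copy (compare its hash against the one in System32), and check whether the DLL's exports match what the executable imports. Legitimate installers occasionally ship a private copy of one of these libraries, so the check is a lead, not a verdict.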

Facebook said that OceanLotus used its platform as one channel for distributing malware. To disrupt the operation, Facebook blocked the associated malicious domains from being posted on its platform and removed the group's accounts.