Vietnam-based cybercriminals are believed to be behind attacks using the DarkGate malware, which have targeted organizations in the UK, US and India since 2018.
WithSecure researchers have tracked these attacks to an active cluster of cybercriminals using the Ducktail infostealer, which has been used in recent campaigns targeting Meta business accounts.
The DarkGate and Ducktail campaigns were linked on the basis of non-technical indicators observed by the researchers, including lure files, themes, targeting and delivery methods. For example, the initial vector is frequently a LinkedIn message that redirects the victim to a malicious file hosted on Google Drive.
WithSecure also analyzed related metadata, including LNK file metadata, PDFs created with the Canva design service and MSI files created with an unlicensed version of EXEMSI.
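Lure-file metadata of this kind is useful for attribution because it is produced by the attacker's build environment rather than by the payload. A Windows shortcut (.lnk) carries a TrackerDataBlock holding the NetBIOS name of the machine on which it was created and a version-1 UUID whose node field is that machine's MAC address; a PDF's Info dictionary records the /Producer and /Creator that generated it. The example below is added here to illustrate how such fields are recovered and used to group lures by origin; it is not WithSecure's tooling and the .lnk blobs, PDF, hostnames and MAC addresses are constructed for the demonstration (the actual indicators WithSecure used are not given in the article). MSI metadata is not covered, since MSI is an OLE compound document and needs a dedicated parser.

```python
import re
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Shell Link (.lnk) constants from MS-SHLLINK; only the fields needed here.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_IDLIST, FLAG_HAS_LINKINFO, FLAG_UNICODE = 0x01, 0x02, 0x80
# StringData sections in the order the spec stores them, with their LinkFlags bits.
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
TRACKER_SIG = 0xA0000003  # TrackerDataBlock signature in the ExtraData section
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # RFC 4122 v1 time origin


def v1_uuid(ts: datetime, node: int, clock_seq: int = 0x1234) -> uuid.UUID:
    """Deterministic version-1 UUID, the kind Windows writes as the file droid:
    60-bit count of 100 ns intervals since 1582 plus a 48-bit MAC 'node'."""
    d = ts - UUID_EPOCH
    t = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    fields = (t & 0xFFFFFFFF, (t >> 32) & 0xFFFF, ((t >> 48) & 0x0FFF) | 0x1000,
              0x80 | ((clock_seq >> 8) & 0x3F), clock_seq & 0xFF, node)
    return uuid.UUID(fields=fields)


def build_sample_lnk(machine_id: bytes, mac: bytes, args: str) -> bytes:
    """Constructed test input (not a real sample): header, NAME and ARGUMENTS
    StringData, then a TrackerDataBlock naming the host that built the lure."""
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, FLAG_UNICODE | 0x04 | 0x20,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    utf16 = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    volume = uuid.UUID("11111111-2222-4333-8444-555555555555")  # fixed volume GUID
    file_droid = v1_uuid(datetime(2023, 6, 1, tzinfo=timezone.utc), int.from_bytes(mac, "big"))
    droids = (volume.bytes_le + file_droid.bytes_le) * 2  # Droid and DroidBirth
    tracker = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
               + machine_id.ljust(16, b"\0") + droids)
    return header + utf16("Project brief") + utf16(args) + tracker + struct.pack("<I", 0)


def parse_lnk(data: bytes) -> dict:
    """Walk a .lnk far enough to recover StringData and the TrackerDataBlock."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = 0x4C
    if flags & FLAG_HAS_IDLIST:                       # skip LinkTargetIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & FLAG_HAS_LINKINFO:                     # skip LinkInfo
        off += struct.unpack_from("<I", data, off)[0]
    out = {}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            n = struct.unpack_from("<H", data, off)[0]
            width = 2 if flags & FLAG_UNICODE else 1
            raw = data[off + 2:off + 2 + n * width]
            out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + n * width
    while off + 4 <= len(data):                       # ExtraData blocks
        bsize = struct.unpack_from("<I", data, off)[0]
        if bsize < 8:                                 # TerminalBlock or too short to hold a signature
            break
        if struct.unpack_from("<I", data, off + 4)[0] == TRACKER_SIG:
            out["machine_id"] = data[off + 16:off + 32].split(b"\0", 1)[0].decode("ascii", "replace")
            file_droid = uuid.UUID(bytes_le=data[off + 48:off + 64])
            if file_droid.version == 1:               # node field is the creating host's MAC
                out["mac"] = ":".join(f"{b:02x}" for b in file_droid.node.to_bytes(6, "big"))
                out["lnk_created"] = UUID_EPOCH + timedelta(microseconds=file_droid.time // 10)
        off += bsize
    return out


# Constructed PDF fragment standing in for a Canva-generated lure document.
PDF_SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /Producer (Canva) /Creator (Canva) "
              b"/CreationDate (D:20230601120000Z) >>\nendobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")


def pdf_info(data: bytes) -> dict:
    """Pull literal-string entries from a PDF Info dictionary. Handles only plain,
    unencrypted literal strings; hex strings or object streams need a real PDF parser."""
    pairs = re.findall(rb"/(Producer|Creator|Author|CreationDate)\s*\(([^)]*)\)", data)
    return {k.decode("ascii"): v.decode("latin-1") for k, v in pairs}


def cluster_by_origin(samples: dict) -> dict:
    """Group sample names by (machine_id, mac) so lures built on the same
    workstation fall together regardless of which payload they deliver."""
    groups = {}
    for name, meta in samples.items():
        groups.setdefault((meta.get("machine_id"), meta.get("mac")), []).append(name)
    return groups


MAC_A, MAC_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
SAMPLES = {  # constructed lures: two from one build host, one from another
    "lure1.lnk": build_sample_lnk(b"DESKTOP-A1B2C3", MAC_A, "/c echo constructed-sample"),
    "lure2.lnk": build_sample_lnk(b"DESKTOP-A1B2C3", MAC_A, "/c echo another-lure"),
    "lure3.lnk": build_sample_lnk(b"WIN-OTHERHOST", MAC_B, "/c echo unrelated"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, parse_lnk(blob))
    print(pdf_info(PDF_SAMPLE))
    print(cluster_by_origin({n: parse_lnk(b) for n, b in SAMPLES.items()}))
```

Two caveats apply when pivoting on these fields: the MAC in the file droid belongs to whatever host built the shortcut, which may be a shared builder VM rather than an operator's machine, and a TrackerDataBlock can be stripped or rewritten before distribution. The fields are therefore a pivot to be corroborated against other indicators, as the researchers did with lure themes and delivery paths, not proof of authorship on their own.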
WithSecure Senior Threat Intelligence Analyst Stephen Robinson commented: "The DarkGate attacks we observed have very strong identifiers which allowed us to establish links between these attacks and others we've seen using different infostealers and malware, including Ducktail. Based on what we've observed, it is very likely that a single actor is behind several of the campaigns we've been tracking that target Meta Business accounts."
A Wide Range of Activity
While the campaigns share a very similar initial infection route, the researchers noted that the capabilities of the two payloads differ significantly:
- Ducktail is a dedicated infostealer: on execution it rapidly steals credentials and session cookies from the local system and sends them back to the attacker. It also has additional Facebook-focused functionality: if it locates a Facebook Business account session cookie, it attempts to add the attacker to the account as an administrator.
- DarkGate is a remote access trojan (RAT) with infostealer functionality. Unlike Ducktail, it is stealthy and attempts to establish persistence. It is also used for a variety of purposes, including deploying Cobalt Strike and ransomware, and appears to be used by multiple unrelated actors. However, "the DarkGate behavior which most closely resembles and overlaps with the Ducktail campaigns is likely to be the same Vietnamese threat actor cluster."
The researchers have also linked the Lobshot and Redline Stealer malware to the same Vietnam-based threat actors.
Robinson highlighted how the growth of the cybercrime-as-a-service (CaaS) industry has made it harder to identify the groups behind specific campaigns.
"DarkGate has been around for a long time and is being used by many groups for different purposes, and not just this group or cluster in Vietnam. The flip side of this is that actors can use multiple tools for the same campaign, which can obscure the true extent of their activity from purely malware-based analysis," he noted.