Vietnamese hackers attack UK, US and India with DarkGate malware

Victims lured to download infected job descriptions and salary details

Vietnamese hackers attack UK, US and India with DarkGate malware

Image:
Vietnamese hackers attack UK, US and India with DarkGate malware

In a recent surge of cyberattacks, malicious actors from Vietnam have been identified using a variety of Malware-as-a-Service (MaaS) infostealers and Remote Access Trojans (RATs) with an aim to target the digital marketing sector in the United States, United Kingdom and India.

Last week, security researchers at WithSecure released a report, highlighting an overlap in the tools used in these cyberattacks.

The report said the cybercriminals are deploying a powerful blend of malware, including the widely-used DarkGate, to infect victims with RATs and additional info-stealing malware such as Ducktail, Redline and Lobshot.

DarkGate is a Windows malware with multiple functionalities including cryptocurrency mining, file encryption, credential stealing and enabling remote access to the infected device. Ducktail is used to steal Facebook business accounts, Redline to collect information about the infected device, and Lobshot is stealthy remote access malware.

The overlap in the attackers' choice of malware has made it challenging to attribute specific campaigns to individual groups.

According to WithSecure, the malware employed by unidentified adversary is part of a "closely related cluster" of threat groups that are linked through the use of commodity malware and similar MaaS tools.

Stephen Robinson, WithSecure's senior threat intelligence analyst, said that, based on the team's observations, it is highly probable that a single actor is responsible for multiple campaigns that they have tracked for the past several months.

The malicious actors have been using social engineering tactics to infect targets, with most campaigns strategically designed to deceive digital marketing professionals into downloading malicious files disguised as job descriptions and salary details.

The attack chains associated with the distribution of DarkGate are marked by the use of AutoIt scripts, which are obtained through a Visual Basic Script sent via phishing emails or messages on platforms such as Skype or Microsoft Teams.

The execution of this AutoIt script ultimately results in the deployment of DarkGate.

In the UK, the attackers lured victims by offering fake job openings at Corsair, a well-known computer memory and hardware manufacturer.

The victims were tricked into downloading a file named "Job Description of Corsair.docx," which was actually a vehicle for malware.

In India, they employed a similar strategy, using job openings at the finance company Groww as bait.

As per the researchers' findings, individual attackers or groups displayed limited sophistication and seemed to have a high risk tolerance, as they made no attempt to conceal their activities.

The researchers said they were able to easily examine the metadata within .lnk, .pdf, and .msi files used in the campaign, which allowed them to identify the identification numbers for hard drives, file creation timestamps, and locations.

In July last year, WithSecure first reported an operation involving Ducktail malware targeting Meta's Business platform with the aim of pilfering Facebook corporate and advertising account information.

The researchers warned that by obtaining credentials associated with business advertising accounts, threat actors can take control of these accounts and run unauthorised ad campaigns.