Vietnam-based cybercriminals are believed to be behind attacks using DarkGate malware, which have targeted organizations in the UK, US and India since 2018.
WithSecure researchers have tracked these attacks to an active cluster of cybercriminals using the Ducktail infostealer, which has been used in recent campaigns targeting Meta business accounts.
The DarkGate and Ducktail campaigns have been linked based on non-technical indicators observed by the researchers. These include lure files, themes, targeting and delivery methods. For example, the initial vector is frequently a LinkedIn message, which redirects the victim to a malicious file on Google Drive.
WithSecure also analyzed related metadata, including LNK file metadata, PDFs created using the Canva design service/tool and MSI files created using an unlicensed version of EXEMSI.
WithSecure Senior Threat Intelligence Analyst Stephen Robinson commented: “The DarkGate attacks we observed have very strong identifiers which allowed us to establish links between these attacks and others we’ve seen using different infostealers and malware, including Ducktail. Based on what we’ve observed, it is very likely that a single actor is behind several of the campaigns we’ve been tracking that target Meta Business accounts.”
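The pivoting described above, shared lure and artifact metadata linking otherwise separate payload campaigns, as an added example that is not WithSecure's tooling: the sample records and every field value in them are constructed, and the rule that two samples link only when they share at least two indicators is an assumption, since a single common tool such as Canva is weak evidence on its own.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample records, one per observed lure/payload pair. None of these
# values are real indicators; the strings only stand in for metadata an analyst
# would extract (LNK MachineID, PDF Producer, MSI SummaryInformation, delivery chain).
SAMPLES = {
    "ducktail-a":  {"lnk_machine_id": "desktop-7x1q", "pdf_producer": "Canva",
                    "msi_creator": "EXEMSI (unlicensed placeholder)", "delivery": "linkedin->gdrive"},
    "darkgate-b":  {"lnk_machine_id": "desktop-7x1q", "pdf_producer": "Canva",
                    "msi_creator": "EXEMSI (unlicensed placeholder)", "delivery": "linkedin->gdrive"},
    "darkgate-c":  {"lnk_machine_id": "win-k9pm", "pdf_producer": None,
                    "msi_creator": "WiX", "delivery": "email->dropbox"},
    "lobshot-d":   {"lnk_machine_id": "desktop-7x1q", "pdf_producer": "Canva",
                    "msi_creator": None, "delivery": "linkedin->gdrive"},
    "unrelated-e": {"lnk_machine_id": None, "pdf_producer": "Canva",
                    "msi_creator": None, "delivery": "email->onedrive"},
}

# Fields worth pivoting on; a None value means the artifact was absent or unparsable.
PIVOT_FIELDS = ("lnk_machine_id", "pdf_producer", "msi_creator", "delivery")


def shared_indicators(a, b):
    """Return the pivot fields on which two samples carry the same non-null value."""
    return [f for f in PIVOT_FIELDS if a.get(f) is not None and a.get(f) == b.get(f)]


def cluster_samples(samples, min_shared=2):
    """Group samples into clusters via union-find, linking any pair that shares
    at least min_shared indicators. Returns a sorted list of sorted name lists."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if len(shared_indicators(samples[a], samples[b])) >= min_shared:
            parent[find(a)] = find(b)

    groups = defaultdict(list)
    for name in samples:
        groups[find(name)].append(name)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for cluster in cluster_samples(SAMPLES):
        print(cluster)
```

Lowering `min_shared` to 1 pulls the unrelated sample into the main cluster purely because both used Canva, which is the over-linking the two-indicator threshold is meant to avoid.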
A Wide Range of Activity
While the campaigns have a very similar initial infection route, the researchers stated that the capabilities of the two payloads differ significantly:
- Ducktail is a dedicated infostealer, and upon execution it quickly steals credentials and session cookies from the local system and sends them back to the attacker. It also has additional Facebook-focused functionality, whereby if it locates a Facebook Business account session cookie, it will attempt to add the attacker to the account as an administrator.
- DarkGate is a remote access trojan (RAT) with infostealer functionality. Unlike Ducktail, it is stealthy, attempting to gain persistence. It is also used for a variety of purposes, including to deploy Cobalt Strike and ransomware. DarkGate also appears to be used by several unrelated actors. However, “the DarkGate behavior which most closely resembles and overlaps with the Ducktail campaigns is likely to be the same Vietnamese threat actor cluster.”
The researchers have also linked the Lobshot and Redline Stealer malware to the same Vietnam-based threat actors.
Robinson highlighted how the growth of the cybercrime-as-a-service (CaaS) industry has made it harder to identify the groups behind specific campaigns.
“DarkGate has been around for a long time and is being used by many groups for different purposes, and not just this group or cluster in Vietnam. The flip side of this is that actors can use several tools for the same campaign, which can obscure the true extent of their activity from purely malware-based analysis,” he noted.