Vietnam-based cybercriminals are believed to be behind attacks using DarkGate malware, which have targeted organizations in the UK, US and India since 2018.
WithSecure researchers have tracked these attacks to an active cluster of cybercriminals using the Ducktail infostealer, which has been used in recent campaigns targeting Meta business accounts.
The DarkGate and Ducktail campaigns have been linked together based on non-technical indicators observed by the researchers. These include lure files, themes, targeting and delivery methods. For example, the initial vector is frequently a LinkedIn message, which redirects the victim to a malicious file on Google Drive.
WithSecure also analyzed associated metadata, including LNK file metadata, PDFs created using the Canva design service/tool and MSI files created using an unlicensed version of EXEMSI.
WithSecure Senior Threat Intelligence Analyst Stephen Robinson, commented: “The DarkGate attacks we observed have very strong identifiers which allowed us to establish links between these attacks and others we’ve seen using different infostealers and malware, including Ducktail. Based on what we’ve observed, it is very likely that a single actor is behind several of the campaigns we’ve been tracking that target Meta Business accounts.”
A Wide Range of Activity
While the campaigns have a very similar initial infection route, the researchers acknowledged that the functions of the two payloads differ significantly:
- Ducktail is a dedicated infostealer, and upon execution, it rapidly steals credentials and session cookies from the local device and sends them back to the attacker. It also has an additional Facebook-focused functionality, whereby if it locates a Facebook Business account session cookie, it will attempt to add the attacker to the account as an administrator.
- DarkGate is a remote access trojan (RAT) with infostealer functionality. Unlike Ducktail, it is stealthy, trying to achieve persistence. It is also used for a variety of purposes, including to deploy Cobalt Strike and ransomware. DarkGate also appears to be used by multiple unrelated actors. However, “the DarkGate behavior which most closely resembles and overlaps with the Ducktail campaigns is likely to be the same Vietnamese threat actor cluster.”
The researchers have also linked the Lobshot and Redline Stealer malware to the same Vietnam-based threat actors.
Robinson highlighted how the growth of the cybercrime-as-a-service (CaaS) industry has made it harder to identify the groups behind specific campaigns.
“DarkGate has been around for a long time and is being used by many groups for different purposes, and not just this group or cluster in Vietnam. The flip side of this is that actors can use multiple tools for the same campaign, which could obscure the true extent of their activity from purely malware-based analysis,” he noted.