The DarkGate Menace: Tracing the Vietnamese Connection

A recent report from WithSecure has highlighted a surge in DarkGate malware infection attempts targeting its Managed Detection and Response customers, notably in the U.K., the U.S., and India. As further analysis was conducted, two critical insights emerged: a Vietnamese connection and an intricate web of interlinked malware campaigns.

The Vietnamese Connection

  • Multiple Vietnamese threat groups have been found to deploy info-stealer campaigns using Malware-as-a-Service (MaaS), homing in on specific sectors or groups. Their modus operandi displays notable similarities, with recurring themes in lures and delivery methods.
  • Furthermore, certain files used by these actors exhibit distinct metadata attributes, making them uniquely identifiable. Examples include LNK file metadata, PDFs generated using Canva, and MSI files bearing unique licensing messages.
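The metadata pivot described above is something a hunter can automate. The following is an added example written for this summary, not code from WithSecure's report: it scans a PDF's Info dictionary for Producer/Creator fields and flags values matching a hypothetical indicator list (here just "Canva", as the report names that generator). The PDF bytes are a constructed minimal skeleton, not a real sample. Canva-produced PDFs are common in legitimate mail, so a hit is a clustering attribute to combine with the LNK and MSI observations, not a verdict on its own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a minimal PDF skeleton whose Info dictionary carries the
# kind of producer/creator metadata the report describes. Not a real sample.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Producer (Canva) /Creator (Canva) /Title (Invoice)
           /CreationDate (D:20230901120000Z) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Info-dictionary keys worth pulling out for triage.
INFO_KEYS = (b"Producer", b"Creator", b"Author", b"Title", b"CreationDate")
_KEY_ALT = b"|".join(INFO_KEYS)

# /Key (literal string): literal strings may contain backslash escapes.
_LITERAL = re.compile(rb"/(" + _KEY_ALT + rb")\s*\(((?:\\.|[^\\)])*)\)")
# /Key <hex string>: hex strings may hold UTF-16BE text with a BOM.
_HEX = re.compile(rb"/(" + _KEY_ALT + rb")\s*<([0-9A-Fa-f\s]*)>")


def _decode_literal(raw: bytes) -> str:
    # Resolve simple backslash escapes such as \( \) \\ ; octal escapes are
    # left as-is, which is adequate for triage output.
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def _decode_hex(raw: bytes) -> str:
    data = bytes.fromhex("".join(raw.decode("ascii").split()))
    if data.startswith(b"\xfe\xff"):
        return data[2:].decode("utf-16-be", errors="replace")
    return data.decode("latin-1")


def extract_pdf_info(data: bytes) -> Dict[str, str]:
    """Return the Info-dictionary fields found in a PDF byte blob.

    This is a regex scan over the raw bytes, so it also works on partially
    damaged files, but it will miss fields stored inside compressed object
    streams; back it with a full PDF parser in production."""
    info: Dict[str, str] = {}
    for m in _LITERAL.finditer(data):
        info[m.group(1).decode()] = _decode_literal(m.group(2))
    for m in _HEX.finditer(data):
        info.setdefault(m.group(1).decode(), _decode_hex(m.group(2)))
    return info


def triage_pdf(data: bytes, indicators: Tuple[str, ...] = ("Canva",)) -> List[str]:
    """Flag Producer/Creator values matching the generator indicators used as
    a clustering pivot. The indicator list is hypothetical; tune it per case."""
    info = extract_pdf_info(data)
    findings = []
    for key in ("Producer", "Creator"):
        value = info.get(key, "")
        for ind in indicators:
            if ind.lower() in value.lower():
                findings.append(f"{key} matches '{ind}': {value}")
    return findings


if __name__ == "__main__":
    for line in triage_pdf(SAMPLE_PDF):
        print(line)
```

Run it over a directory of quarantined attachments and feed the findings into the same case as the LNK and MSI metadata: the value of the pivot is in the overlap across file types, not in any single field.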

Interconnected web of malware

  • DarkGate is just the tip of the iceberg. Several other malware strains, such as Ducktail, Lobshot, and Redline Stealer, have been found operating in tandem. 
  • Their interconnectedness is evident in their delivery mechanisms and the lures they employ. For instance, the DarkGate and Ducktail campaigns not only share similarities in their initial infection routes but also in their intended targets and operations, suggesting a possible shared origin or collaboration among the operators. 
  • However, their functions deviate; while Ducktail is a dedicated infostealer with a specific focus, DarkGate acts as a RAT with more diverse objectives.

Why this matters

This intricate web of malware signifies a unified, organized approach, where different tools are used synergistically to achieve broader cybercriminal objectives. Such collaborations or overlaps underscore the importance of a more holistic approach to cybersecurity, where understanding one threat can shed light on several others.

The bottom line

The revelations surrounding the DarkGate malware attempts serve as a stark reminder of the evolving complexities in the cyber threat landscape. The Vietnamese connection provides insights into the origins and possible motivations behind these campaigns. As the lines between different malware and campaigns blur, it becomes imperative for organizations to stay a step ahead, continuously updating and broadening their defense mechanisms.