Cybercrime groups in Vietnam are targeting the digital marketing sector in the United Kingdom, United States and India with multiple malware strains, including the widely used DarkGate information stealer, security researchers report.

See Also: Combatting the Surge in Fraud: Strategies for Business Resilience

Security firm WithSecure’s Detection and Response Team said it tracked multiple Vietnamese cybercrime groups running social engineering campaigns in September, designed to trick marketing professionals into downloading malicious files masquerading as job descriptions and salary details.

Schemes used by attackers included using fake job openings at Corsair, a computer memory and hardware manufacturer, to convince individuals to download a malicious file called Job Description of Corsair.docx. They also used job openings at Indian finance company Groww as bait in India.

The Vietnam-based groups likely purchased the information-stealing malware from cybercrime marketplaces and used them interchangeably when attacking specific sectors or groups, researchers said. The malware samples used in the campaigns included the well-known DarkGate info stealer, as well as Ducktail, Lobshot and Redline.

Researchers said attackers’ tactics and choice of malware overlapped heavily, making it difficult to attribute any given campaign to a specific group. But the common thread remains attackers’ Vietnamese origin.

“Threat actors are able to acquire and use multiple different tools for the same purpose, and all they have to do is come up with targets, campaigns and lures,” WithSecure researchers said. “As such, if you were to track their activity purely by a tool they are using, you would see only a subset of their activity.”

The company also said the individual attackers or groups did not demonstrate much sophistication and appear to have a high appetite for risk, given that they made no effort to camouflage their efforts. Researchers said they were able to easily review the metadata contained in .lnk, .pdf and .msi files used in the campaign and determine who had created the code, as well as identification numbers for hard drives, and file creation time and location.

DarkGate Infections

In the first week of August, WithSecure detected Vietnamese hackers attempting to inject the DarkGate info stealer onto a compromised Windows device. The hackers lured the victim into downloading an archive file called Salary and new products.8.4.zip that contained a malicious VBS script, they said, designed to run an AutoIT scripting tool. That script executed the DarkGate remote access Trojan code.

Security researchers first spotted the off-the-shelf DarkGate malware in 2017 when it was being used by cybercriminals to perform a range of actions, including keylogging, privilege escalation, cryptocurrency mining, stealing information from browsers and as a “dropper” to install additional malware, including remote access software. The remote access tool is known for its small build size and its ability to gain high-level permissions on compromised machines and obfuscate payloads to avoid detection by antivirus tools.

DarkGate appears to remain widely available and used. In June, a Russian cybercrime forum user with the handle “RastaFarEye” advertised DarkGate on a cybercrime forum, pricing the malware at $100,000 per year, $15,000 per month or $1,000 per day, security firm Zerofox reported. Since then, security researchers have seen a sharp rise in DarkGate infections across the Americas, Middle East, Asia and Africa.

In September, a group of cybercriminals used HR-themed social engineering chat messages on Microsoft Teams to deliver the malware, Swedish cybersecurity company TrueSec reported. The attackers compromised Office 365 accounts to send phishing messages that contained a SharePoint-hosted file named Changes to the vacation schedule.zip (see: DarkGate Malware Operators on a Phishing Spree).

In another attack, attackers used a compromised Skype account to transmit the DarkGate malware through a deceptive VBS script named filename.pdf to make recipients believe they were downloading a legitimate PDF file, Trend Micro said in an Oct. 12 report.

Researchers at WithSecure said that in the campaigns tied to Vietnamese attackers, the attackers used LinkedIn to send malicious .zip files to victims via direct messages. One of these messages directed the victim to the URL hxxps://g2.by/jd-Corsair, which if visited, would redirect to a malicious file hosted on Google Drive.

“DarkGate has been around for a long time and is being used by many groups for different purposes – and not just this group or cluster in Vietnam,” said Stephen Robinson, a senior threat intelligence analyst at WithSecure. “The flip side of this is that actors can use multiple tools for the same campaign, which could obscure the true extent of their activity from purely malware-based analysis.”

Robinson said the same attackers used similar tactics in July to infect the devices of individuals and employees who had access to Facebook Business accounts with the Ducktail info stealer. “Ducktail has an additional Facebook Business account-focused function whereby if it locates a Facebook Business account session cookie, it will attempt to add the attacker to the account as an administrator,” WithSecure said in a blog post.

Highlighting the often highly automated nature of contemporary malware, WithSecure said Ducktail also “has functionality to automatically create and publish fraudulent ad campaigns sent by the actor to the compromised device.”