Article Details
Scrape Timestamp (UTC): 2023-10-20 13:33:32.058
Source: https://thehackernews.com/2023/10/vietnamese-hackers-target-uk-us-and.html
Original Article Text
Vietnamese Hackers Target U.K., U.S., and India with DarkGate Malware

Attacks leveraging the DarkGate commodity malware against entities in the U.K., the U.S., and India have been linked to Vietnamese actors associated with the use of the infamous Ducktail stealer.

"The overlap of tools and campaigns is very likely due to the effects of a cybercrime marketplace," WithSecure said in a report published today. "Threat actors are able to acquire and use multiple different tools for the same purpose, and all they have to do is come up with targets, campaigns, and lures."

The development comes amid an uptick in malware campaigns using DarkGate in recent months, primarily driven by its author's decision to rent it out on a malware-as-a-service (MaaS) basis to other threat actors after using it privately since 2018.

It's not just DarkGate and Ducktail: the Vietnamese threat actor cluster responsible for these campaigns is leveraging the same or very similar lures, themes, targeting, and delivery methods to also deliver LOBSHOT and RedLine Stealer.

Attack chains distributing DarkGate are characterized by the use of AutoIt scripts retrieved via a Visual Basic Script sent through phishing emails or messages on Skype or Microsoft Teams. The execution of the AutoIt script leads to the deployment of DarkGate. In this case, however, the initial infection vector was a LinkedIn message that redirected the victim to a file hosted on Google Drive, a technique commonly used by Ducktail actors.

"Very similar campaign themes and lures have been used to deliver Ducktail and DarkGate," WithSecure said, although the final-stage payloads differ considerably in function. While Ducktail functions as a stealer, DarkGate is a remote access trojan (RAT) with information-stealing capabilities that also establishes covert persistence on compromised hosts for backdoor access.
"DarkGate has been around for a long time and is being used by many groups for different purposes, and not just this group or cluster in Vietnam," security researcher Stephen Robinson, senior threat intelligence analyst at WithSecure, said. "The flipside of this is that actors can use multiple tools for the same campaign, which could obscure the true extent of their activity from purely malware-based analysis."
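The delivery chain described above (a Visual Basic Script, received through a messaging app or email, that launches an AutoIt script) can be surfaced from process-creation telemetry by looking for a script host spawning the AutoIt interpreter and recording which application started the script host. The following is an added detection example written for this article, not code from WithSecure or from the report; the events are constructed, the AutoIt interpreter is assumed to appear as AutoIt3.exe, and the Teams install path is an assumption.

```python
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}       # Windows Script Host binaries that run .vbs
AUTOIT_IMAGES = {"autoit3.exe"}                      # assumption: standard AutoIt interpreter name
MESSAGING_APPS = {"teams.exe", "ms-teams.exe", "skype.exe"}  # origins the article names


@dataclass
class Event:
    """One process-creation record (fields as a Sysmon-style event would carry them)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_vbs_to_autoit(events):
    """Return one hit per AutoIt process whose parent is a script host,
    plus the grandparent (the app that launched the script) for triage."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        looks_autoit = basename(e.image) in AUTOIT_IMAGES or ".au3" in e.cmdline.lower()
        if not looks_autoit:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in SCRIPT_HOSTS:
            continue                      # AutoIt started some other way: not this chain
        grandparent = by_pid.get(parent.ppid)
        origin = basename(grandparent.image) if grandparent else "unknown"
        hits.append({
            "script_host_pid": parent.pid,
            "autoit_pid": e.pid,
            "origin": origin,
            "from_messaging_app": origin in MESSAGING_APPS,
        })
    return hits


# Constructed sample telemetry: Teams -> wscript.exe (VBS) -> AutoIt3.exe, plus benign noise.
SAMPLE_EVENTS = [
    Event(100, 1,   r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe", "Teams.exe"),
    Event(200, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\alice\Downloads\Invoice_Q3.vbs"'),
    Event(300, 200, r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe", r"AutoIt3.exe C:\Users\alice\AppData\Local\Temp\script.au3"),
    Event(400, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(500, 400, r"C:\Program Files\AutoIt3\AutoIt3.exe", r"AutoIt3.exe C:\Tools\build.au3"),  # launched from Explorer: not flagged
]

if __name__ == "__main__":
    for hit in find_vbs_to_autoit(SAMPLE_EVENTS):
        print(hit)
```

Run over the sample, only the Teams-originated chain is reported; an administrator running AutoIt directly from Explorer is left alone.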
Daily Brief Summary
Vietnamese cyber actors are suspected to be behind a series of attacks using DarkGate commodity malware, primarily targeting entities in the UK, the US, and India; Ducktail stealer is another malware associated with these actors.
Cybersecurity firm WithSecure reports that there has been an increase in campaigns using the DarkGate malware, driven by the developer's decision to rent the malware to other threat actors.
Overlapping tools, campaigns, and malware indicate the existence of an active cybercrime marketplace where threat actors can obtain and utilize multiple different tools for a single purpose.
The tactics, techniques, and procedures utilized by the Vietnamese actors include delivering DarkGate through AutoIt scripts fetched via phishing emails or messages on Skype or Microsoft Teams.
The initial infection vector in a recent attack was a LinkedIn message that redirected the receiver to a file on Google Drive, a method commonly used by Ducktail actors.
DarkGate has the capabilities of a remote access trojan (RAT) and can steal information and establish a backdoor for accessing compromised hosts.
Multiple tools used in the same campaign could potentially obscure the true extent of the activity from purely malware-based analysis.