DarkGate Malware Campaigns Linked to Vietnam-Based Cybercriminals
This article originally appeared on www.infosecurity-magazine.com by Infosecurity Magazine.
Vietnam-based cybercriminals are believed to be behind attacks using DarkGate malware, which have targeted organizations in the UK, US and India since 2018.
WithSecure researchers have tracked these attacks to an active cluster of cybercriminals using the Ducktail infostealer, which has been used in recent campaigns targeting Meta business accounts.
The DarkGate and Ducktail campaigns have been linked together based on non-technical indicators observed by the researchers. These include lure files, themes, targeting and delivery methods. For example, the initial vector is frequently a LinkedIn message, which redirects the victim to a malicious file on Google Drive.
WithSecure also analyzed associated metadata, including LNK file metadata, PDFs created using the Canva design service/tool and MSI files created using an unlicensed version of EXEMSI.
WithSecure Senior Threat Intelligence Analyst Stephen Robinson commented: “The DarkGate attacks we observed have very strong identifiers which allowed us to establish links between these attacks and others we’ve seen using different infostealers and malware, including Ducktail. Based on what we’ve observed, it is very likely that a single actor is behind several of the campaigns we’ve been tracking that target Meta Business accounts.”
A Wide Range of Activity
While the campaigns share a very similar initial infection route, the researchers acknowledged that the functions of the two payloads differ significantly:
- Ducktail is a dedicated infostealer, and upon execution, it rapidly steals credentials and session cookies from the local device and sends them back to the attacker. It also has an additional Facebook-focused functionality, whereby if it locates a Facebook Business account session cookie, it will attempt to add the attacker to the account as an administrator.
- DarkGate is a remote access trojan (RAT) with infostealer functionality. Unlike Ducktail, it is stealthy, trying to achieve persistence. It is also used for a variety of purposes, including to deploy Cobalt Strike and ransomware. DarkGate also appears to be used by multiple unrelated actors. However, “the DarkGate behavior which most closely resembles and overlaps with the Ducktail campaigns is likely to be the same Vietnamese threat actor cluster.”
The researchers have also linked the Lobshot and Redline Stealer malware to the same Vietnam-based threat actors.
Robinson highlighted how the growth of the cybercrime-as-a-service (CaaS) industry has made it harder to identify the groups behind specific campaigns.
“DarkGate has been around for a long time and is being used by many groups for different purposes, and not just this group or cluster in Vietnam. The flip side of this is that actors can use multiple tools for the same campaign, which could obscure the true extent of their activity from purely malware-based analysis,” he noted.