Attacks leveraging the DarkGate commodity malware targeting entities in the U.K., the U.S., and India have been linked to Vietnamese actors associated with the use of the infamous Ducktail stealer.
“The overlap of tools and campaigns is very likely due to the effects of a cybercrime marketplace,” WithSecure said in a report published today. “Threat actors are able to acquire and use multiple different tools for the same purpose, and all they have to do is come up with targets, campaigns, and lures.”
The development comes amid an uptick in malware campaigns using DarkGate in recent months, primarily driven by its author’s decision to rent it out on a malware-as-a-service (MaaS) basis to other threat actors after using it privately since 2018.
It’s not just DarkGate and Ducktail: the Vietnamese threat actor cluster responsible for these campaigns is leveraging the same or very similar lures, themes, targeting, and delivery methods to also deliver LOBSHOT and RedLine Stealer.
Attack chains distributing DarkGate are characterized by the use of AutoIt scripts retrieved via a Visual Basic Script sent through phishing emails or messages on Skype or Microsoft Teams. Execution of the AutoIt script leads to the deployment of DarkGate.
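The VBScript-to-AutoIt step in that chain is a natural detection point: a script host (wscript.exe or cscript.exe) launching the AutoIt interpreter is rare in normal use. The following is an added example, not code from WithSecure or the report; it runs a small rule over constructed process-creation events, and the field names and sample paths are assumptions.

```python
from dataclasses import dataclass
import ntpath

# Windows script hosts that execute .vbs files, and the AutoIt interpreter binaries.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
AUTOIT_IMAGES = {"autoit3.exe", "autoit3_x64.exe"}


@dataclass
class ProcessEvent:
    """One process-creation record (field names are assumed, e.g. from an EDR/Sysmon feed)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(event: ProcessEvent) -> list[str]:
    """Return the names of the rules an event matches (empty list = nothing suspicious)."""
    findings = []
    parent, child = _basename(event.parent_image), _basename(event.image)
    cmd = event.command_line.lower()
    # Rule 1: a VBScript host spawning AutoIt, or any child being handed an .au3 script.
    if parent in SCRIPT_HOSTS and (child in AUTOIT_IMAGES or ".au3" in cmd):
        findings.append("vbs_host_spawned_autoit")
    # Rule 2: the AutoIt interpreter running from somewhere other than its install location.
    if child in AUTOIT_IMAGES and not event.image.lower().startswith(r"c:\program files"):
        findings.append("autoit_outside_program_files")
    return findings


def scan(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Return (image, findings) for every event that matches at least one rule."""
    return [(e.image, classify(e)) for e in events if classify(e)]


# Constructed sample events: one mimicking the described chain, two benign controls.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r"C:\Users\victim\AppData\Local\Temp\AutoIt3.exe",
                 r'"C:\Users\victim\AppData\Local\Temp\AutoIt3.exe" C:\Users\victim\AppData\Local\Temp\script.au3'),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
                 r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" D:\tools\build.au3'),
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"),
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image, "->", ", ".join(findings))
```

Rule 1 keys on the specific parent/child pair the report describes; rule 2 catches the interpreter being dropped into a user-writable directory, which is where a retrieved payload typically lands.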
In this case, however, the initial infection vector was a LinkedIn message that redirected the victim to a file hosted on Google Drive, a technique commonly used by Ducktail actors.
“Very similar campaign themes and lures have been used to deliver Ducktail and DarkGate,” WithSecure said, although the function of the final-stage malware differs to a great extent.
While Ducktail functions as a stealer, DarkGate is a remote access trojan (RAT) with information-stealing capabilities that also establishes covert persistence on the compromised hosts for backdoor access.
“DarkGate has been around for a long time and is being used by many groups for different purposes, and not just this group or cluster in Vietnam,” security researcher Stephen Robinson, senior threat intelligence analyst at WithSecure, said.
“The flipside of this is that actors can use multiple tools for the same campaign, which can obscure the true extent of their activity from purely malware-based analysis.”