Attacks leveraging the DarkGate commodity malware targeting entities in the U.K., the U.S., and India have been linked to Vietnamese actors associated with the use of the infamous Ducktail stealer.
“The overlap of tools and campaigns is very likely due to the effects of a cybercrime marketplace,” WithSecure said in a report published today. “Threat actors are able to acquire and use multiple different tools for the same purpose, and all they have to do is come up with targets, campaigns, and lures.”
The development comes amid an uptick in malware campaigns using DarkGate in recent months, primarily driven by its author’s decision to rent it out on a malware-as-a-service (MaaS) basis to other threat actors after using it privately since 2018.
It is not just DarkGate and Ducktail, as the Vietnamese threat actor cluster responsible for these campaigns is leveraging the same or very similar lures, themes, targeting, and delivery methods to also distribute LOBSHOT and RedLine Stealer.
Attack chains distributing DarkGate are characterized by the use of AutoIt scripts retrieved via a Visual Basic Script sent by way of phishing emails or messages on Skype or Microsoft Teams. The execution of the AutoIt script leads to the deployment of DarkGate.
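The delivery chain described above (messaging client, then a Visual Basic Script run by Windows Script Host, then the AutoIt interpreter) is a process lineage a defender can hunt for in endpoint telemetry. The following is an added example, not code from the original article or from WithSecure: it walks constructed Sysmon/EDR-style process-creation records (field names `pid`, `ppid`, `image`, `cmd` are assumptions) and flags an AutoIt process whose parent is wscript.exe or cscript.exe, raising the severity when the grandparent is a messaging or mail client.

```python
# Constructed sample process-creation events (not real telemetry), modelled on the
# DarkGate chain: Teams -> wscript.exe running a .vbs -> AutoIt3.exe running a .au3.
# The last event is a benign logon script with no AutoIt child, so it must not fire.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 3320, "image": r"C:\Users\u\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "cmd": "Teams.exe"},
    {"pid": 4450, "ppid": 4101, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\invoice.vbs"'},
    {"pid": 4471, "ppid": 4450, "image": r"C:\Users\Public\AutoIt3.exe",
     "cmd": r"AutoIt3.exe C:\Users\Public\script.au3"},
    {"pid": 5002, "ppid": 800, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Scripts\logon.vbs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed process names for the clients the article names as delivery channels.
MESSAGING_CLIENTS = {"teams.exe", "ms-teams.exe", "skype.exe", "outlook.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_autoit(ev):
    """True if the process is the AutoIt interpreter or is passed an .au3 script."""
    return basename(ev["image"]) == "autoit3.exe" or ".au3" in ev["cmd"].lower()


def find_darkgate_chains(events):
    """Return one hit per AutoIt process spawned by a script host.

    Each hit records the pid, the image names up the chain, and a severity:
    'high' when the script host itself was launched by a messaging/mail client,
    'medium' otherwise (still worth triage, since AutoIt under WSH is unusual).
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if not is_autoit(ev):
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        grand = by_pid.get(parent["ppid"])
        from_client = grand is not None and basename(grand["image"]) in MESSAGING_CLIENTS
        chain = [basename(x["image"]) for x in (grand, parent, ev) if x is not None]
        hits.append({"pid": ev["pid"], "severity": "high" if from_client else "medium",
                     "chain": chain})
    return hits
```

On the constructed sample this yields a single high-severity hit for pid 4471 with the chain teams.exe > wscript.exe > autoit3.exe; the benign logon script produces nothing.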
In this case, however, the initial infection vector was a LinkedIn message that redirected the victim to a file hosted on Google Drive, a technique commonly used by Ducktail actors.
“Very similar campaign themes and lures have been used to deliver Ducktail and DarkGate,” WithSecure said, although the function of the final stage differs to a great extent.
While Ducktail functions as a stealer, DarkGate is a remote access trojan (RAT) with information-stealing capabilities that also establishes covert persistence on compromised hosts for backdoor access.
“DarkGate has been around for a long time and is being used by many groups for different purposes, and not just this group or cluster in Vietnam,” security researcher Stephen Robinson, senior threat intelligence analyst at WithSecure, said.
“The flipside of this is that actors can use multiple tools for the same campaign, which can obscure the true extent of their activity from purely malware-based analysis.”