Attacks leveraging the DarkGate commodity malware targeting entities in the U.K., the U.S., and India have been linked to Vietnamese actors associated with the use of the infamous Ducktail stealer.
“The overlap of tools and campaigns is very likely due to the effects of a cybercrime marketplace,” WithSecure said in a report published today. “Threat actors are able to acquire and use multiple different tools for the same purpose, and all they have to do is come up with targets, campaigns, and lures.”
The development comes amid an uptick in malware campaigns using DarkGate in recent months, primarily driven by its author’s decision to rent it out on a malware-as-a-service (MaaS) basis to other threat actors after using it privately since 2018.
It is not just DarkGate and Ducktail, for the Vietnamese threat actor cluster responsible for these campaigns is leveraging identical or very similar lures, themes, targeting, and delivery methods to also deliver LOBSHOT and RedLine Stealer.
Attack chains distributing DarkGate are characterized by the use of AutoIt scripts retrieved via a Visual Basic Script sent through phishing emails or messages on Skype or Microsoft Teams. The execution of the AutoIt script leads to the deployment of DarkGate.
In this case, however, the initial infection vector was a LinkedIn message that redirected the victim to a file hosted on Google Drive, a technique commonly used by Ducktail actors.
“Very similar campaign themes and lures have been used to deliver Ducktail and DarkGate,” WithSecure said, although the function of the final stage differs to a great extent.
While Ducktail functions as a stealer, DarkGate is a remote access trojan (RAT) with information-stealing capabilities that also establishes covert persistence on the compromised hosts for backdoor access.
“DarkGate has been around for a long time and is being used by many groups for different purposes, and not just this group or cluster in Vietnam,” security researcher Stephen Robinson, senior threat intelligence analyst at WithSecure, said.
“The flip side of this is that actors can use multiple tools for the same campaign, which can obscure the true extent of their activity from purely malware-based analysis.”