Last week, security researchers at WithSecure released a report describing a worrying malware campaign.
According to the report, the campaign combines several malicious components: the infamous DarkGate, used to infect victims with a RAT (Remote Access Trojan), and several infostealers, including Ducktail, RedLine and Lobshot.
DarkGate is Windows malware capable of a range of actions, including cryptocurrency mining and credential theft. Ducktail, for its part, is used to hijack Facebook Business accounts, RedLine collects information about the infected device, and Lobshot is a stealthy remote access tool.
The campaign is therefore a very dangerous mix of malware which, according to the researchers, is also hard to attribute to a specific group. The prevailing assessment is that the operation is the work of a Vietnam-based gang.
Stephen Robinson, senior threat intelligence analyst at WithSecure, said that, based on the team's observations, it is highly likely that a single actor is responsible for multiple campaigns identified in recent months.
The attackers relied on social engineering to infect targets; most operations were designed to deceive digital marketing professionals, tricking them into downloading malicious files disguised as job descriptions and salary details.
DarkGate, increasingly frequent cases: United Kingdom, India and other countries in the crosshairs
Attack chains distributing DarkGate rely on AutoIt scripts, which are retrieved by a Visual Basic script delivered through phishing emails or messages on platforms such as Skype or Microsoft Teams.
In the UK, attackers lured victims with fake job offers at Corsair, a well-known manufacturer of computer memory and hardware. Victims were tricked into downloading a file named Job Description of Corsair.docx, which actually delivered the malware.
A similar strategy was used in India, with job offers at the finance company Groww as bait.
According to the research findings, the individual attackers or groups showed limited sophistication, paying little attention to evading security controls.
The researchers said they were able to easily examine the metadata of the .LNK, .PDF and .MSI files used in the campaign, which allowed them to reconstruct the flow of operations.
The researchers warn that by obtaining credentials for corporate advertising accounts, threat actors can take control of those accounts and run unauthorized advertising campaigns.
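The metadata the researchers refer to is exactly what a shortcut parser surfaces. The following is an added example, not code from the WithSecure report or from this article: a minimal parser for the Windows Shell Link (.LNK) format that reads the header timestamps and the StringData fields (name, working directory, command-line arguments), plus a simple triage heuristic that flags shortcuts whose arguments invoke a script host such as wscript.exe, the first stage of the VBS-to-AutoIt chain described above. The `build_sample_lnk` helper constructs a synthetic shortcut for testing; its argument string and paths are hypothetical and no real campaign sample is reproduced.

```python
"""Minimal parser for the Windows Shell Link (.LNK) format (MS-SHLLINK).

Added example for this article; it is not code from WithSecure's report.
It decodes the fixed ShellLinkHeader and the StringData section, where a
shortcut's working directory and command-line arguments live. The
LinkTargetIDList and LinkInfo blocks are skipped by their declared size.
"""
import struct
from datetime import datetime, timedelta, timezone

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each gated by its flag.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    delta = dt - _EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000


def parse_lnk(data: bytes) -> dict:
    """Return header timestamps, flags and StringData of a .LNK file."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {"flags": flags, "file_attributes": attrs, "target_size": size,
            "created": filetime_to_dt(ctime), "accessed": filetime_to_dt(atime),
            "written": filetime_to_dt(wtime)}
    off = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:           # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:         # LinkInfoSize (4 bytes) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    for bit, field in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters
        off += 2
        if flags & IS_UNICODE:
            info[field] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[field] = data[off:off + count].decode("cp1252")
            off += count
    return info


SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "mshta", "cmd", "autoit3")
SCRIPT_EXTS = (".vbs", ".au3", ".ps1", ".hta", ".js")


def suspicious_lnk(info: dict) -> list:
    """Heuristic triage: a 'document' shortcut whose arguments invoke a script host."""
    reasons = []
    args = info.get("arguments", "").lower()
    for host in SCRIPT_HOSTS:
        if host in args:
            reasons.append(f"arguments invoke {host}")
    if any(ext in args for ext in SCRIPT_EXTS):
        reasons.append("arguments reference a script file")
    return reasons


def build_sample_lnk(arguments: str, working_dir: str = r"C:\Users\Public",
                     name: str = "Job Description") -> bytes:
    """Constructed test input (no real sample): a Unicode LNK with name, workdir and args."""
    flags = HAS_NAME | HAS_WORKDIR | HAS_ARGS | IS_UNICODE
    ft = dt_to_filetime(datetime(2023, 9, 15, tzinfo=timezone.utc))
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
              + struct.pack("<IIQQQIIIH", flags, 0x20, ft, ft, ft, 0, 0, 1, 0)
              + b"\x00" * 10)                                # Reserved1..3

    def sd(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + sd(name) + sd(working_dir) + sd(arguments)


if __name__ == "__main__":
    # Hypothetical argument string in the style of a script-dropper shortcut.
    lnk = build_sample_lnk(r"/c wscript.exe //B %TEMP%\jd.vbs")
    meta = parse_lnk(lnk)
    for k, v in meta.items():
        print(f"{k:16} {v}")
    print("flags:", suspicious_lnk(meta) or "none")
```

On a real shortcut the same parser shows whether the target is a document viewer or a script host, and the header timestamps give the build time of the lure, which is the kind of metadata an attacker who cares about evasion would scrub. Shortcuts with HasLinkTargetIDList set carry the target path inside the ID list, which this example skips; for those, pair it with a full MS-SHLLINK implementation.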