DarkGate Malware Strikes UK, US, and India
In recent developments, cybersecurity experts have uncovered a series of cyberattacks originating from Vietnam, targeting the digital marketing sector in the United Kingdom, the United States, and India. These sophisticated attacks involve the use of various malware strains, with the notorious DarkGate information stealer taking center stage. Let’s delve into the details of the DarkGate Malware threats and understand the strategies employed by the attackers.
Security firm WithSecure’s Detection and Response Team has been vigilant in tracking multiple Vietnamese cybercrime groups operating social engineering campaigns. These campaigns, which occurred in September, were cleverly designed to deceive marketing professionals. The attackers tricked their victims into downloading malicious files disguised as enticing job descriptions and salary details.
To lure unsuspecting victims into their trap, these cybercriminals exploited the trust people place in job opportunities. They impersonated well-known companies like Corsair, a computer memory and hardware manufacturer, and Groww, an Indian finance company. By fabricating fake job openings, they managed to convince individuals to download seemingly harmless files. For example, one ploy involved a malicious file called “Job Description of Corsair.docx,” while another exploited the job openings at Groww in India.
The cybercrime groups behind these attacks appear to have obtained various information-stealing malware from cybercrime marketplaces. They deployed these tools interchangeably, making it challenging to attribute a specific campaign to a particular group. The malware arsenal included DarkGate, Ducktail, Lobshot, and Redline, among others.
Despite the various strategies and software used in these attacks, the unifying thread connecting them is their Vietnamese origin. Attribution in the cyber realm can be difficult since threat actors might use various technologies for the same aim while creating fresh targets, campaigns, and lures. As a result, tracking their activities solely through the technologies they utilize provides only a limited picture of their behaviors.
Lack of Sophistication
Notably, the individual attackers or groups behind these campaigns did not exhibit a high level of sophistication. They appeared to have a considerable appetite for risk, as they made little effort to conceal their activities. Security researchers could easily scrutinize metadata contained in .lnk, .pdf, and .msi files used in the campaign, revealing information about the code’s creators, identification numbers for hard drives, and file creation timestamps and locations.
The DarkGate Malware
In early August, WithSecure’s vigilant team detected Vietnamese hackers attempting to inject the DarkGate information stealer into a compromised Windows device. To carry out this nefarious plan, the hackers enticed their victims into downloading an archive file named “Salary and new products.8.4.zip.”
Inside this seemingly harmless archive lurked a malicious VBS script that launched an AutoIT scripting tool, which in turn executed the DarkGate remote access Trojan. Analysing this multi-stage chain is essential to understanding DarkGate’s functionality and the threat it poses.
DarkGate’s Infamous History
DarkGate first surfaced on security researchers’ radar in 2017, when cybercriminals were already using it for a range of malicious activities: keylogging, privilege escalation, cryptocurrency mining, theft of data from web browsers, and serving as a “dropper” that installs additional malware alongside DarkGate’s own remote access component.
DarkGate is renowned for its compact build size and its capability to gain high-level permissions on compromised systems while obfuscating payloads to evade antivirus detection. Effective DarkGate malware detection is crucial for safeguarding your digital assets.
DarkGate remains readily available and in active use. In a disconcerting development, a user of a Russian cybercrime forum known as “RastaFarEye” advertised DarkGate there, priced at $100,000 per year, $15,000 per month, or $1,000 per day, as reported by security firm Zerofox. Security researchers subsequently observed a significant increase in DarkGate infections across the Americas, the Middle East, Asia, and Africa.
Phishing via Microsoft Teams
In September, a group of cybercriminals leveraged HR-themed social engineering chat messages on Microsoft Teams to distribute the DarkGate malware. These attackers compromised Office 365 accounts to send phishing messages containing a SharePoint-hosted file named “Changes to the vacation schedule.zip.”
Another clever tactic used by the attackers involved a compromised Skype account. They transmitted the DarkGate malware via a deceptive VBS script named “filename.pdf.” The recipients, under the impression that they were downloading a legitimate PDF file, unwittingly allowed the malware into their systems.
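The archive-to-VBS-to-AutoIT chain described under “The DarkGate Malware” and the document-named VBS lure above share one detection idea: a Windows script host should neither be opening files whose names claim to be documents nor launching an AutoIt interpreter. The following Python is an added example, not WithSecure’s or the article’s own code; the process-creation events, paths and the AutoIt3.exe location are constructed Sysmon-style samples, and the lure pattern is generalized to also catch double extensions such as “.pdf.vbs”.

```python
# Added example (not WithSecure's or the article's own code): flag the delivery chain
# the article describes -- a user-launched VBS script named to look like a document,
# which then starts an AutoIt interpreter -- in Sysmon-style process-creation events.
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Document extensions the lures in the article impersonate ("filename.pdf", "...docx").
# The optional trailing group also catches double extensions such as "filename.pdf.vbs".
LURE_RE = re.compile(r'\.(pdf|docx)(\.\w{1,4})?(?=["\s]|$)', re.IGNORECASE)

# Constructed sample telemetry (not real logs): one benign branch and one lure chain.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\Salary and new products.8.4\filename.pdf"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
     "cmd": r"AutoIt3.exe C:\Users\u\AppData\Local\Temp\script.au3"},
    {"pid": 400, "ppid": 100, "image": r"C:\Program Files\Office\WINWORD.EXE",
     "cmd": r'WINWORD.EXE "C:\Users\u\Documents\report.docx"'},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule) pairs for events matching the DarkGate delivery pattern."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        image = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_image = basename(parent["image"]) if parent else ""
        # Rule 1: a script host was handed a file whose name claims to be a document.
        if image in SCRIPT_HOSTS and LURE_RE.search(e["cmd"]):
            hits.append((e["pid"], "script-host-ran-document-named-file"))
        # Rule 2: the AutoIt interpreter was started by a script host (VBS -> AutoIt stage).
        if image == "autoit3.exe" and parent_image in SCRIPT_HOSTS:
            hits.append((e["pid"], "autoit-spawned-by-script-host"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Word opening a real .docx (pid 400) produces no alert because the rule keys on the script host, not on the extension alone.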
LinkedIn as a Weapon
In the campaigns associated with Vietnamese attackers, LinkedIn served as a platform for distributing malicious .zip files to victims via direct messages. One such message directed victims to a URL, hxxps://g2.by/jd-Corsair, which, when visited, redirected to a malicious file hosted on Google Drive.
A Multifaceted Threat
As Stephen Robinson, a senior threat intelligence analyst at WithSecure, emphasizes, DarkGate’s longevity and versatility are alarming. It continues to be utilized by various groups for different purposes, extending beyond the confines of the Vietnamese attackers. This multifaceted nature underscores the challenge of assessing the full scope of cyber activities based solely on the malware used.
Ducktail’s Intriguing Functionality
In a separate incident in July, the same group of attackers infected the devices of individuals and employees who had access to Facebook Business accounts using the Ducktail information stealer. Notably, Ducktail includes an additional function targeting Facebook Business accounts. If it locates a Facebook Business account session cookie, it attempts to add the attacker as an administrator. This functionality underscores the highly automated nature of contemporary malware.
The DarkGate malware and its associated cybercrime groups continue to pose a significant threat on a global scale. While these attackers may lack sophistication in their methods, their brazenness and adaptability make them formidable adversaries. Staying vigilant, protecting against DarkGate malware, and investing in robust cybersecurity measures remain crucial in safeguarding digital assets against this evolving menace.