Recent cyberattacks targeting entities in the U.K., the U.S., and India have been attributed to Vietnamese threat actors deploying the DarkGate commodity malware alongside the Ducktail stealer. The activity points to a trend toward reusing the same tools, lures, and tactics across campaigns.
The Cybercrime Marketplace:
The overlap of tools and campaigns is attributed to the cybercrime marketplace, where threat actors acquire and deploy multiple tools for various purposes based on their chosen targets, campaigns, and lures.
DarkGate and Ducktail Malware:
DarkGate: This malware serves as a remote access trojan (RAT) equipped with information-stealing capabilities. It establishes covert persistence on compromised hosts to allow backdoor access.
Ducktail Stealer: Ducktail is an information stealer. Its hallmark is harvesting browser-stored session data (cookies and saved credentials) so that the operators can hijack Facebook Business and Ads accounts, which are then abused for fraudulent advertising or resold.
Attack Chains and Infection Vector:
Attack chains involving DarkGate typically start with a Visual Basic Script delivered through phishing emails or through messages on platforms such as Skype or Microsoft Teams. That script retrieves and runs an AutoIt script, and executing the AutoIt script is what deploys DarkGate on the host.
In a recent incident, the initial infection vector was a LinkedIn message redirecting the victim to a file hosted on Google Drive—a technique commonly used by Ducktail actors.
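To make the delivery chain above concrete from the defender's side, here is an added example (not code from the original article or from the researchers who reported the campaign) that hunts process-creation telemetry for the pivot the chain depends on: a Windows script host (wscript.exe or cscript.exe) spawning the AutoIt interpreter, usually from a user-writable directory, which then launches a further payload. The event records are constructed for the example and mimic Sysmon process-creation fields; the field names, file paths, and process IDs are assumptions, not observed indicators.

```python
"""Hunt a batch of process-creation events for the VBS -> AutoIt -> payload chain.

Added example, not code from the article or from the campaign's reporters.
Events mimic Sysmon EventID 1 fields (assumption); sample data is constructed.
"""
import re
from typing import Dict, List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
AUTOIT_IMAGES = {"autoit3.exe", "autoit3_x64.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".wsf")
# Path fragments that indicate a location an interactive user can write to.
# A legitimate AutoIt install lives under Program Files; an interpreter dropped
# into one of these is the pattern worth flagging (assumed Windows layout).
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")

# Constructed sample telemetry: one malicious chain (PIDs 4001-4003) plus two
# benign look-alikes (a developer's AutoIt install and a domain logon script).
SAMPLE_EVENTS = [
    {"ProcessId": 4001, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.vbs"'},
    {"ProcessId": 4002, "ParentProcessId": 4001,
     "Image": r"C:\Users\alice\AppData\Local\Temp\Autoit3.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\Autoit3.exe C:\Users\alice\AppData\Local\Temp\script.a3x"},
    {"ProcessId": 4003, "ParentProcessId": 4002,
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\Autoit3.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"ProcessId": 5001, "ParentProcessId": 3000,
     "Image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" "C:\dev\build.au3"'},
    {"ProcessId": 5002, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe \\corp\sysvol\corp\scripts\logon.vbs"},
]


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(hint in lowered for hint in USER_WRITABLE_HINTS)


def script_argument(cmdline: str) -> Optional[str]:
    """Return the first command-line token that names a script file, honouring quotes."""
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline):
        token = quoted or bare
        if token.lower().endswith(SCRIPT_EXTS):
            return token
    return None


def flag_events(events: List[Dict]) -> Dict[int, List[str]]:
    """Per-event heuristics. Returns {ProcessId: [reasons]} for events that matched."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        reasons = []
        image = basename(e["Image"])
        parent = by_pid.get(e["ParentProcessId"])
        parent_image = basename(parent["Image"]) if parent else basename(e.get("ParentImage", ""))
        script = script_argument(e.get("CommandLine", "")) if image in SCRIPT_HOSTS else None
        if script and is_user_writable(script):
            reasons.append("script host running a script from a user-writable path")
        if image in AUTOIT_IMAGES:
            if parent_image in SCRIPT_HOSTS:
                reasons.append("AutoIt interpreter spawned by a script host")
            if is_user_writable(e["Image"]):
                reasons.append("AutoIt interpreter running from a user-writable path")
        if parent and parent_image in AUTOIT_IMAGES and is_user_writable(parent["Image"]):
            reasons.append("process launched by an AutoIt interpreter in a user-writable path")
        if reasons:
            findings[e["ProcessId"]] = reasons
    return findings


def find_chains(events: List[Dict]) -> List[Dict]:
    """Correlate parent/child PIDs into full script-host -> AutoIt -> child chains."""
    by_pid = {e["ProcessId"]: e for e in events}
    children: Dict[int, List[Dict]] = {}
    for e in events:
        children.setdefault(e["ParentProcessId"], []).append(e)
    chains = []
    for e in events:
        if basename(e["Image"]) not in AUTOIT_IMAGES:
            continue
        parent = by_pid.get(e["ParentProcessId"])
        if parent is None or basename(parent["Image"]) not in SCRIPT_HOSTS:
            continue
        chains.append({
            "script_host_pid": parent["ProcessId"],
            "script": script_argument(parent.get("CommandLine", "")),
            "autoit_pid": e["ProcessId"],
            "autoit_from_user_dir": is_user_writable(e["Image"]),
            "children": [c["Image"] for c in children.get(e["ProcessId"], [])],
        })
    return chains


if __name__ == "__main__":
    for pid, reasons in flag_events(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
    for chain in find_chains(SAMPLE_EVENTS):
        print("chain:", chain)
```

Run on the constructed events, only the three processes of the malicious chain are flagged; the developer's AutoIt under Program Files and the logon script from SYSVOL produce nothing, which is the point of keying on the parent relationship and the drop location rather than on the interpreter's name alone. Adapt the path hints and field names to whatever your EDR or Sysmon pipeline actually emits.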
Campaign Themes and Lures:
The Vietnamese threat actor cluster responsible for these attacks has employed strikingly similar campaign themes, lures, targeting strategies, and delivery methods for both Ducktail and DarkGate. However, the final-stage functions of the malware differ significantly.
Broader Implications:
DarkGate, in circulation since at least 2018, is not exclusive to this Vietnamese cluster; it is sold to and used by several groups for different ends. Because a single actor can field several malware families within one campaign, clustering activity by malware family alone can understate the scope of an actor's operations, or lump together unrelated operators who merely bought the same tool.
Conclusion:
The convergence of DarkGate and Ducktail in these campaigns shows how the commodity malware market lets one actor run several tools against the same targets. Tracking the lures, delivery chains, and targeting that actors reuse, rather than the malware family alone, is what makes defenses against such campaigns hold up.
