Attacks leveraging the DarkGate commodity malware targeting entities in the U.K., the U.S., and India have been linked to Vietnamese actors associated with the use of the infamous Ducktail stealer.
“The overlap of tools and campaigns is very likely due to the effects of a cybercrime marketplace,” WithSecure said in a report published today. “Threat actors are able to acquire and use multiple different tools for the same purpose, and all they have to do is come up with targets, campaigns, and lures.”
The development comes amid an uptick in malware campaigns using DarkGate in recent months, primarily driven by its author’s decision to rent it out on a malware-as-a-service (MaaS) basis to other threat actors after using it privately since 2018.
It’s not just DarkGate and Ducktail: the Vietnamese threat actor cluster responsible for these campaigns is leveraging the same or very similar lures, themes, targeting, and delivery methods to also deliver LOBSHOT and RedLine Stealer.
Attack chains distributing DarkGate are characterized by the use of AutoIt scripts retrieved via a Visual Basic Script sent through phishing emails or messages on Skype or Microsoft Teams. The execution of the AutoIt script leads to the deployment of DarkGate.
In this case, however, the initial infection vector was a LinkedIn message that redirected the victim to a file hosted on Google Drive, a technique commonly used by Ducktail actors.
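As an added defender-side example (not code from WithSecure or from the article), the following Python detector flags the script-host-to-AutoIt step that the delivery chain above relies on, run over constructed process-creation records; the field names, process names and severity labels are assumptions. It flags any AutoIt interpreter launched by wscript.exe or cscript.exe and raises the severity when a Teams, Skype or Outlook process sits further up the process tree, while a chain that starts from Explorer (as a script downloaded from a Drive link and double-clicked would) is still reported at a lower severity.

```python
"""Flag the VBScript -> AutoIt -> payload step described in the article.

Sample events below are constructed Sysmon-style process-creation records,
not real telemetry. Process names and severity labels are assumptions.
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
AUTOIT_IMAGES = {"autoit3.exe"}  # assumption: interpreter not renamed
MESSAGING_CLIENTS = {"teams.exe", "ms-teams.exe", "skype.exe", "outlook.exe"}

# Constructed sample: one chain from Teams, one benign AutoIt use from Explorer.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "C:\\Program Files\\Teams\\Teams.exe"},
    {"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\u\\Downloads\\invoice.vbs"},
    {"pid": 300, "ppid": 200, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\AutoIt3.exe",
     "cmdline": "AutoIt3.exe script.au3"},
    {"pid": 400, "ppid": 1, "image": "C:\\Windows\\explorer.exe"},
    {"pid": 500, "ppid": 400, "image": "C:\\Tools\\AutoIt3.exe",
     "cmdline": "AutoIt3.exe build.au3"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events_by_pid, pid):
    """Image basenames from pid up to the root (child first); stops on cycles."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(events_by_pid[pid]["image"]))
        pid = events_by_pid[pid]["ppid"]
    return chain


def detect_autoit_from_script_host(events):
    """Return findings for AutoIt processes whose parent is a script host."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in AUTOIT_IMAGES:
            continue
        chain = ancestry(by_pid, e["pid"])  # [autoit, parent, grandparent, ...]
        if len(chain) >= 2 and chain[1] in SCRIPT_HOSTS:
            origin = next((p for p in chain[2:] if p in MESSAGING_CLIENTS), None)
            findings.append({"pid": e["pid"], "chain": chain, "origin": origin,
                             "severity": "high" if origin else "medium"})
    return findings
```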
“Very similar campaign themes and lures have been used to deliver Ducktail and DarkGate,” WithSecure said, although the function of the final stage differs to a great extent.
While Ducktail functions as a stealer, DarkGate is a remote access trojan (RAT) with information-stealing capabilities that also establishes covert persistence on the compromised hosts for backdoor access.
“DarkGate has been around for a long time and is being used by many groups for different purposes, and not just this group or cluster in Vietnam,” security researcher Stephen Robinson, senior threat intelligence analyst at WithSecure, said.
“The flipside of this is that actors can use multiple tools for the same campaign, which could obscure the true extent of their activity from purely malware-based analysis.”