WithSecure researchers have tracked attacks using DarkGate malware to an active cluster of cybercriminals operating out of Vietnam.
DarkGate is a Remote Access Trojan (RAT) that has been used in attacks since at least 2018 and is currently available to cybercriminals as Malware-as-a-Service (MaaS). It has a diverse user base and a variety of capabilities. It has been observed in information stealing, cryptojacking, and ransomware campaigns.
WithSecure researchers began their investigation into DarkGate after detecting multiple infection attempts against organisations in the UK, US, and India.
Based on non-technical indicators such as lure files, themes, targeting, and delivery methods researchers were able to tie these attempted attacks back to the same threat actors using the Ducktail infostealer that WithSecure researchers have been tracking for approximately the last 18 months.
“The DarkGate attacks we observed have very strong identifiers – identifiers which allowed us to establish links between these attacks and others we’ve seen using different infostealers and malware, including Ducktail,” says Stephen Robinson, WithSecure senior threat intelligence analyst. “Based on what we’ve observed, it is very likely that a single actor is behind several of the campaigns we’ve been tracking that target Meta Business accounts.”
Other types of malware researchers tied to the same threat actors include Ducktail, Lobshot, and Redline Stealer.
Lures and malicious files used by the group’s different campaigns have the following identifiable metadata:
* LNK Drive ID.
* Canva PDF design service account details.
* MSI file metadata.
According to Robinson, the growth of cybercrime services that can be purchased by different threat actors has created a situation where specific tools used in attacks can no longer tell defenders who their adversaries are.
“DarkGate has been around for a long time and is being used by many groups for different purposes – and not just this group or cluster in Vietnam,” Robinson says. “The flipside of this is that actors can use multiple tools for the same campaign which could obscure the true extent of their activity from purely malware-based analysis.”