Vietnamese DarkGate Malware Targets META Accounts in the UK, USA, India

Cyber Security Threat Summary:
Cybersecurity firm WithSecure, has discovered a connection between recent DarkGate malware attacks targeting its clients and Vietnam-based threat actors engaged in a campaign to compromise Meta business accounts and pilfer sensitive data. WithSecure's Detection and Response Team (DRT) reported multiple DarkGate malware infection attempts against their clients' organizations in the UK, USA, and India on August 4, 2023. The attack methods closely resemble those seen in recent DuckTail infostealer campaigns, which WithSecure has been monitoring for over a year. DarkGate is a Remote Access Trojan (RAT) that surfaced in 2018, often offered as a tool for cybercriminals in various malicious activities, including cryptojacking, data theft, and ransomware attacks. Researchers analyzed open-source data related to the DarkGate malware campaign and identified links to multiple infostealers, suggesting a common threat actor behind these attacks. WithSecure's report concludes that the same threat actor group is likely responsible for these campaigns.

The attack initiated when a file titled 'Salary and new products.8.4[.]zip' was downloaded and extracted by unsuspecting users. This action triggered a VBS script that, in turn, renamed and duplicated the original Windows binary (Curl[.]exe) to a new location. The script then connected to an external server to retrieve two additional files: autoit3.exe and a compiled Autoit3 script. Subsequently, it executed the executable and assembled the DarkGate RAT by de-obfuscating strings within the script. WithSecure identified strong indicators that allowed them to establish connections between these two campaigns. They also observed that the attackers employed various malware and infostealers, including Ducktail, Redline Stealer, and Lobshot. "With what we've observed, it's highly likely that a single actor is responsible for multiple campaigns targeting Meta Business accounts," commented WithSecure Senior Threat Intelligence Analyst Stephen Robinson in a blog post. Once control of an account is obtained, malicious activities like malware distribution and fraud can occur. The lures and malicious documents used in these campaigns share identifiable metadata, including LNK Drive ID, MSI file metadata, and Canva PDF design service account details.

Security Officer Comments:
Distinctive characteristics in these markets serve as digital fingerprints that allow researchers to link different campaigns to a single actor. Nevertheless, it's crucial to understand that multiple groups could be using the same malware. This underscores the necessity for in-depth investigations to identify common attack patterns rather than relying solely on malware analysis. Stephen Robinson, Senior Threat Intelligence Analyst at WithSecure, emphasizes that DarkGate has a long history and is employed by various groups for diverse purposes, extending beyond the particular cluster in Vietnam.

Suggested Correction(s):


To ward off DarkGate and similar malware threats, organizations should maintain a state of alertness and implement robust cybersecurity measures. This includes keeping antivirus solutions current, providing cybersecurity training for employees, enforcing strong passwords with multi-factor authentication, and actively monitoring network activity for any signs of unusual behavior.