Vietnamese Hackers Target U.K., U.S., and India with DarkGate Malware

October 20, 2023 at 10:09AM

Vietnamese actors linked to the Ducktail stealer have been using DarkGate malware to target entities in the UK, US, and India. The increase in DarkGate campaigns is attributed to the decision to rent it out on a malware-as-a-service basis. The campaigns also involve LOBSHOT and RedLine Stealer, with similar tactics and delivery methods. DarkGate is a remote access trojan with information-stealing capabilities.

Key Takeaways:

1. DarkGate, a commodity malware, is being used in cyber attacks targeting entities in the U.K., the U.S., and India. These attacks have been linked to Vietnamese actors associated with the Ducktail stealer.
2. The overlap of tools and campaigns suggests the involvement of a cybercrime marketplace, where threat actors can acquire and use multiple tools for different purposes.
3. The use of DarkGate in malware campaigns has increased due to its availability for rent on a malware-as-a-service (MaaS) basis.
4. The Vietnamese threat actor cluster responsible for these campaigns is also using LOBSHOT and RedLine Stealer with similar lures, themes, targeting, and delivery methods.
5. DarkGate is distributed through AutoIt scripts retrieved via phishing emails, Skype, or Microsoft Teams messages. Executing the scripts deploys DarkGate.
6. In this particular case, the initial infection vector was a LinkedIn message redirecting the victim to a file hosted on Google Drive, a technique commonly used by Ducktail actors.
7. While Ducktail functions as a stealer, DarkGate is a remote access trojan (RAT) with information-stealing capabilities.
8. DarkGate has been used by various groups for different purposes, making it difficult to assess the true extent of their activity through malware-based analysis.
