WithSecure, a corporate cyber security solutions vendor, have been tracking the activity of Vietnamese based cybercrime groups who are primarily focused on targeting the digital marketing industry within the UK, United States, and India.

Malware being used in these attacks are notably DarkGate, Ducktail, Lobshot, and Redline stealer.

Analysis of the campaigns identified by WithSecure indicates that threat actors are utilising multiple different infostealers in an attempt to capture victim sensitive information for financial gain.

Amongst these campaigns were a number of malware variants including the notorious RedLine stealer, one of the most employed strains of all time.

However, it is DarkGate which is the current focus of concern, in conjunction with the different vectors being used to infect unbeknown victims.

DarkGate malware has recently been reported due to increased prevalence and the threat this remote access trojan poses. Concerns relating to the threat are due to how flexible the strain is, with its behaviours facilitating the deployment of cobalt strike and ransomware.

This versatility has contributed towards its availability and attractiveness to threat actors by catering to a variety of tasks.

Due to being adopted as a tool of choice amongst different threat actors, the initial phases of the attack chain also contains various levels of activity.

It was originally reported that DarkGate was spreading via PDF documents through Microsoft Teams and Skype, yet the investigations from WithSecure have uncovered yet more vectors.

These involve the use of Facebook business accounts and through direct messages on LinkedIn which navigate the user to websites hosting the malicious content on a Google Drive.

The infections occurring via LinkedIn have displayed close ties to campaigns spreading the Ducktail infostealer.

The National Management Centre’s Threat Intelligence (TI) team frequently identify phishing attacks targeting personnel. When analysed, there is a strong correlation between the details on LinkedIn for the recipient and those of the spoofed senders’ details.

This is indicative of reconnaissance and social engineering by the threat actor to craft these spearphishing emails.

Therefore, organisations are encouraged to educate employees against connecting with unknown people on LinkedIn, and to be particularly careful when accessing URLs sent via direct messages on the app since it is a proven attack vector to gather information against forces and the threat is clearly now linked to direct malware infection attempts.

Train your staff with Security Awareness Training

Employees are a company's greatest asset but are targeted by increasingly sophisticated scams. With security awareness training, your staff can become highly effective barriers to cyber crime.​

Our security awareness training helps staff understand their working environment, giving them the confidence to speak up when something doesn’t look right.

Contact us to enquire about the training.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).