Vietnamese cybercrime groups are actively targeting digital marketing professionals in the US, UK, and India using a variety of malware strains, with the widely known DarkGate information stealer being a prominent tool of choice.
Furthermore, these attackers run social engineering campaigns aimed at tricking marketing experts into downloading malicious files disguised as job descriptions or salary details. The schemes used include fake job openings at companies like Corsair and Groww, with the attackers purchasing information-stealing malware from cybercrime marketplaces. Researchers noted that the attackers, despite a lack of sophistication, did not attempt to hide their efforts, allowing for the easy discovery of metadata that could identify them.
The DarkGate info stealer played a key role in these attacks, with the hackers deploying it onto compromised Windows devices. The victims were lured into downloading a malicious archive file that executed the DarkGate remote access Trojan code. DarkGate, first spotted in 2017, is known for its ability to perform various malicious actions, including keylogging, privilege escalation, cryptocurrency mining, and evading antivirus tools. Notably, the malware has remained accessible and has seen a resurgence, particularly in the Americas, Middle East, Asia, and Africa.
The attackers demonstrated a high level of automation in their malware campaigns, with the use of DarkGate spanning various purposes and not limited to a single group in Vietnam. Similar tactics and tools were used to infect the devices of individuals and employees who had access to Facebook Business accounts. The attackers continue to adapt their techniques, highlighting the evolving and sophisticated nature of contemporary cyber threats.