Security News
The Vietnamese threat actors behind the Ducktail stealer malware have been linked to a new campaign that ran between March and early October 2023, targeting marketing professionals in India with an aim to hijack Facebook business accounts. Ducktail, alongside Duckport and NodeStealer, is part of a cybercrime ecosystem operating out of Vietnam, with the attackers primarily using sponsored ads on Facebook to propagate malicious ads and deploy malware capable of plundering victims' login cookies and ultimately taking control of their accounts.
Attacks leveraging the DarkGate commodity malware targeting entities in the U.K., the U.S., and India have been linked to Vietnamese actors associated with the use of the infamous Ducktail...
WithSecure researchers have tracked attacks using DarkGate malware to an active cluster of cybercriminals operating out of Vietnam. DarkGate is a remote access trojan that has been used in attacks since at least 2018 and is currently available to cybercriminals as Malware-as-a-Service.
Singapore-based infosec outfit Group-IB on Thursday released details of a new Android trojan that exploits the operating system's accessibility features to steal info that enables theft of personal information. The security research outfit wrote that the trojan, named GoldDigger, currently targets Vietnamese banking apps - but includes code suggesting its developers plan wider attacks.
A new phishing attack is leveraging Facebook Messenger to propagate messages with malicious attachments from a "Swarm of fake and hijacked personal accounts" with the ultimate goal of taking over the targets' accounts. "Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods," Guardio Labs researcher Oleg Zaytsev said in an analysis published over the weekend.
"And with businesses now leveraging the reach of social media for advertising, attackers have a new, highly-lucrative type of attack to add to their arsenal - hijacking business accounts." Cyber attacks targeting Meta Business and Facebook accounts have gained popularity over the past year, courtesy of activity clusters such as Ducktail and NodeStealer that are known to raid businesses and individuals operating on Facebook.
Vietnamese public companies have been targeted as part of an ongoing campaign that deploys a novel backdoor called SPECTRALVIPER. "SPECTRALVIPER is a heavily obfuscated, previously undisclosed, x64 backdoor that brings PE loading and injection, file upload and download, file and directory manipulation, and token impersonation capabilities," Elastic Security Labs said in a Friday report. The attacks have been attributed to an actor it tracks as REF2754, which overlaps with a Vietnamese threat group known as APT32, Canvas Cyclone, Cobalt Kitty, and OceanLotus.
A Vietnamese threat actor has been attributed as behind a "Malverposting" campaign on social media platforms to infect over 500,000 devices worldwide over the past three months to deliver variants of information stealers such as S1deload Stealer and SYS01stealer. Malverposting refers to the use of promoted social media posts on services like Facebook and Twitter to mass propagate malicious software and other security threats.
Security vendor WithSecure, which was spun out in March 2022 as F-Secure's enterprise security arm, claims it's found malware that targets Facebook Business accounts. "The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to."
Facebook on Tuesday revealed it filed two separate legal actions against perpetrators who abused its ad platform to run deceptive advertisements in violation of the company's Terms and Advertising Policies. "In the second case, the defendants are a group of individuals located in Vietnam who got users to self-compromise their Facebook accounts and ran millions of dollars of unauthorized ads."