Tag Archive for: Vietnamese

Vietnamese Hackers Hit Digital Marketers With Info Stealers

Categories: Anti-Phishing, DMARC; Endpoint Security; Fraud Management & Cybercrime

Under Fire: US, UK and India; Attackers Often Wield DarkGate Info-Stealing Malware


Cybercrime groups in Vietnam are targeting the digital marketing sector in the United Kingdom, United States and India with multiple malware strains, including the widely used DarkGate information stealer, security researchers report.



Security firm WithSecure’s Detection and Response Team said it tracked multiple Vietnamese cybercrime groups running social engineering campaigns in September, designed to trick marketing professionals into downloading malicious files masquerading as job descriptions and salary details.


The lures included fake job openings at Corsair, a computer memory and hardware manufacturer, used to persuade targets to download a malicious file named Job Description of Corsair.docx. In India, the attackers instead used job openings at the Indian finance company Groww as bait.


The Vietnam-based groups likely purchased the information-stealing malware families from cybercrime marketplaces and used them interchangeably when attacking specific sectors or groups, researchers said. The malware samples used in the campaigns included the well-known DarkGate info stealer, as well as Ducktail, Lobshot and RedLine.


Researchers said attackers’ tactics and choice of malware overlapped heavily, making it difficult to attribute any given…


GoldDigger Android trojan targets Vietnamese banking apps, code contains hints of wider targets • The Register


Singapore-based infosec outfit Group-IB on Thursday released details of a new Android trojan that abuses the operating system's accessibility features to harvest personal information, including banking credentials, that enables financial theft.

The security research outfit wrote that the trojan, named GoldDigger, currently targets Vietnamese banking apps but includes code suggesting its developers plan wider attacks. Between June 2023, when it spotted GoldDigger, and late August, Group-IB identified applications belonging to 51 financial organizations that the trojan targets. The security firm is unsure how many devices have been infected or how much money has been stolen.

The malware makes its way onto devices after users visit fake websites that manipulate them into downloading the app. Once installed, GoldDigger requests access to Android's Accessibility Service, the feature designed to assist users with disabilities by letting an app observe other apps' screens and act on the user interface on the user's behalf.

Permission to use the Accessibility Service means GoldDigger can monitor and manipulate a device's functions, read personal information such as banking app credentials and the content of SMS messages, and send that information to command-and-control servers. A code snippet found by the researchers suggests the malware attempts to bypass two-factor authentication and is designed to fool banking apps into treating its actions as legitimate transactions.
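The capability mix described above (an accessibility service plus SMS access, with 2FA codes and credentials exfiltrated) is what a responder would triage for. The following is an added example written for this page, not code from Group-IB, The Register or the GoldDigger authors. It assumes the APK's AndroidManifest.xml has already been decoded to plain XML (for example with apktool), and that the on-device check is fed the raw output of `adb shell settings get secure enabled_accessibility_services`. The package and class names in the sample data are hypothetical.

```python
"""Offline triage for Accessibility Service abuse on Android (added example).

1. triage_manifest(): static scan of a decoded AndroidManifest.xml for a
   service bound with BIND_ACCESSIBILITY_SERVICE together with SMS
   permissions, the capability mix reported for GoldDigger.
2. unknown_accessibility_services(): parse the value of
   `adb shell settings get secure enabled_accessibility_services` and
   flag enabled services whose package is not on an allowlist.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}


def triage_manifest(xml_text):
    """Return declared accessibility services and SMS permissions plus a coarse
    risk label. Many legitimate apps (screen readers, password managers) ship
    an accessibility service, so 'high' means 'inspect', not 'malicious'."""
    root = ET.fromstring(xml_text)
    permissions = {p.get(A_NAME) for p in root.iter("uses-permission")}
    acc_services = []
    for svc in root.iter("service"):
        bound = svc.get(A_PERMISSION) == BIND_ACCESSIBILITY
        actions = {a.get(A_NAME) for a in svc.iter("action")}
        if bound or ACCESSIBILITY_ACTION in actions:
            acc_services.append(svc.get(A_NAME))
    sms = sorted(permissions & SMS_PERMISSIONS)
    if acc_services and sms:
        risk = "high"
    elif acc_services:
        risk = "medium"
    else:
        risk = "low"
    return {
        "package": root.get("package"),
        "accessibility_services": acc_services,
        "sms_permissions": sms,
        "risk": risk,
    }


def unknown_accessibility_services(settings_value, allowed_packages):
    """settings_value is the raw output of
    `adb shell settings get secure enabled_accessibility_services`:
    colon-separated package/Class components, or 'null' when none are enabled.
    Returns the components whose package is not allowlisted."""
    value = settings_value.strip()
    if not value or value == "null":
        return []
    flagged = []
    for component in value.split(":"):
        package = component.split("/", 1)[0]
        if package not in allowed_packages:
            flagged.append(component)
    return flagged


# Constructed sample data (hypothetical package and class names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Bank Helper">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed device output: TalkBack (legitimate) plus the sample trojan service.
SAMPLE_SETTINGS = ("com.google.android.marvin.talkback/"
                   "com.google.android.marvin.talkback.TalkBackService:"
                   "com.example.fakebank/.AccService")
ALLOWED = {"com.google.android.marvin.talkback"}

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(triage_manifest(BENIGN_MANIFEST)["risk"])
    print(unknown_accessibility_services(SAMPLE_SETTINGS, ALLOWED))
```

The manifest check is only a first filter: an accessibility service alone is normal, and it is the combination with SMS permissions, an unknown publisher and sideloaded installation that should trigger a closer look at the service's code. The on-device check is the faster incident-response step, since a user who sideloaded a fake banking app will have had to enable the service manually in Settings.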

“We have not confirmed that the Trojan operators use these capabilities at the time of writing. However, based on the behavior of other known Trojans similar to GoldDigger, we don’t think they differ significantly,” explained Group-IB.

“We are definitely observing a significant increase in the Android malware strains abusing the Accessibility Service. For Android malware trends, there is a noticeable shift away from the traditional use of web fakes,” Sharmine Low, malware analyst at Group-IB, told The Register. Low said using the Accessibility Function was a “much more invasive approach compared to generating individual web fake files for each specific target.”

GoldDigger’s developers have left clues that their ambitions may reach beyond Vietnam. The malware includes translations…


Vietnamese Hackers Reinvent the Ducktail Malware Twice in Three Months


Hackers are targeting Facebook Business accounts, cryptocurrency and credentials using a new PHP variant of the Ducktail malware. According to Zscaler, this new iteration of the malware is designed to carry out infostealing attacks like its predecessor, but with certain operational differences.

Ducktail is an infostealer that originated in Vietnam a few years ago. It received upgrades in July 2022 for a new campaign to target LinkedIn users using social engineering as the vector, as documented by WithSecure.

Now, Zscaler has found that the new PHP-based Ducktail variant shares its goals with the previous .NET Core-based variant, i.e., exfiltrating credentials saved in web browsers, Facebook account information and more.

The difference lies in how it handles the stolen data. Instead of using Telegram as the command-and-control (C2) channel for exfiltration, the PHP-based Ducktail sends stolen data to a newly hosted website, where it is stored in JSON format.

The new Ducktail variant is being distributed through cracked or free versions of Office applications, games, subtitle files, porn-related files, etc., to target the general public instead of employees with specific organizational roles, indicating a shift in its usual modus operandi.

Threat actors behind the Ducktail malware are financially motivated and carefully select their targets, such as those in managerial roles or those from the finance/accounting, digital media or HR departments who may have access to an organization’s financial resources.

For instance, the malware tries to obtain the payment details from the victim's Facebook Business Ads Manager and divert them to accounts controlled by its operators. However, the threat actors have expanded the scope of who their victims can be, to now include the average user.


“It seems that the threat actors behind the Ducktail stealer campaign are continuously making changes or enhancements in the delivery mechanisms and approach to steal a wide variety of sensitive user and system information targeting…
