Vietnamese threat actor clusters are using Malware-as-a-Service (MaaS) infostealers and RATs (DarkGate, Ducktail, Lobshot, Redline Stealer) to hit the digital marketing sector, with a strong focus on Facebook Business accounts. The campaigns show heavy overlap in lure themes and delivery methods, suggesting a closely related operator group and a broader e-crime ecosystem in which multiple actors share tooling. Hashtags: #DarkGate #Ducktail
Keypoints
- Vietnamese threat actors operate MaaS/commodity malware as part of coordinated infostealer/RAT campaigns targeting marketing-related entities.
- Campaigns revolve around DarkGate, Ducktail, Lobshot, and Redline Stealer, with substantial tool/technique overlap implying a single actor cluster.
- Initial infections often begin with lure documents and social-engineering messages (LinkedIn) that lead to external hosts (g2.by) and on to Google Drive-hosted payloads.
- DarkGate tends to be a stealthy RAT with infostealer capabilities; Ducktail is a more explicit infostealer with Facebook Business account abuse features.
- Metadata and delivery artifacts (Canva-generated PDFs, MSI Wrapper, unregistered MSI packaging) serve as distinctive fingerprints for attribution and defender detection.
MITRE Techniques
- [T1566.002] Spearphishing Link – The initial vector was a LinkedIn message directing the victim to hxxps://g2[.]by/jd-Corsair, which redirected to a file hosted on Google Drive. ‘The initial vector was a LinkedIn message which directed the victim to hxxps://g2[.]by/jd-Corsair, which then redirected the victim to a file hosted on Google Drive.’
- [T1059.005] Visual Basic – The archive contained a VBS script which copied the legitimate Windows binary curl.exe to a new location. ‘The archive contained a VBS script which copied the legitimate windows binary curl.exe to a new location.’
- [T1105] Ingress Tool Transfer – The script downloaded two files, autoit3.exe and a compiled Autoit3 script. ‘download two files, autoit3.exe and a compiled Autoit3 script.’
- [T1140] Deobfuscate/Decode Files or Information – The compiled AutoIt script de-obfuscated itself and assembled the DarkGate RAT from strings contained within its own body. ‘The script de-obfuscated and constructed the DarkGate RAT from strings contained within the body of the script.’
- [T1562.001] Impair Defenses – The malware attempted to uninstall the WithSecure agent from the device. ‘Thirty seconds after the initial install the malware attempted to uninstall the WithSecure agent from the device.’
- [T1036] Masquerading – The dropper MSI was built with an unregistered copy of MSI Wrapper, leaving package branding such as ‘MSI Wrapper (10.0.51.0)’ and ‘Application Verifier x64 External Package – UNREGISTERED – Wrapped using MSI Wrapper from www.exemsi’ in its metadata. ‘Application Verifier x64 External Package – UNREGISTERED – Wrapped using MSI Wrapper from www.exemsi’
- [T1204.002] User Execution – LNK files execute commands to connect to DarkGate C2 servers and download an MSI. ‘LNK files include a variety of metadata … All of the LNK files in the below table connect to hxxp://5.188.87[.]58:2351/ and download an MSI file.’
Indicators of Compromise
- [IP Addresses] 117.0.194[.]195, 149.248.0[.]82 – C2s/hosting for campaigns (plus many others listed in the report)
- [Domains] alianzasuma[.]com; sanibroadbandcommunicton.duckdns[.]org – malicious domains
- [File hashes] 2c6af12f603743fcc3effdc24783c969c906816960fbfbf012974fc04722a679, e0d1b1b166ba025c918335b3733d908bb89ecbce776ee273941bfa38acbba765 – examples from LNK and dropper artifacts (and 2 more hashes)
- [File names] Redline.exe; Fbads.exe; JOB_DESCRIPTION_ECOMMERCE_MARKETING_MANAGER.pdf
- [URLs] hxxp://149.248.0[.]82:2351/msiyfucokvo; hxxp://149.248.0[.]82:2351/yfucokvo; hxxps://docs.google[.]com; hxxps://dl.dropboxusercontent[.]com/…
- [LNK Metadata] Drive serial number: 10DA-4067; Machine ID: win-r3rim0p93dd
- [MSI Wrapper] MSI Wrapper (10.0.51.0); Subject: “Application Verifier x64 External Package – UNREGISTERED – Wrapped using MSI Wrapper from www.exemsi”
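The LNK metadata above (drive serial number and machine ID) is the kind of artifact defenders can match on during triage. The following is an added example, not code from the report or from WithSecure: it parses the DriveSerialNumber from a Shell Link's VolumeID and the MachineID from its TrackerDataBlock, compares them with the reported values, and builds a constructed minimal .lnk so it can be run offline.

```python
import struct

# LNK metadata indicators quoted in the report above.
KNOWN_DRIVE_SERIAL = "10DA-4067"
KNOWN_MACHINE_ID = "win-r3rim0p93dd"
TRACKER_SIG = struct.pack("<I", 0xA0000003)  # TrackerDataBlock signature, little-endian
HEADER_SIZE = 0x4C

def parse_lnk(data: bytes) -> dict:
    """Pull DriveSerialNumber (VolumeID) and MachineID (TrackerDataBlock) from a .lnk blob."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]  # LinkFlags
    off = HEADER_SIZE
    if flags & 0x01:  # HasLinkTargetIDList: skip IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    serial = None
    if flags & 0x02:  # HasLinkInfo: LinkInfoFlags and VolumeIDOffset sit at +8 and +12
        li_flags, vol_off = struct.unpack_from("<II", data, off + 8)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath present
            num = struct.unpack_from("<I", data, off + vol_off + 8)[0]
            serial = f"{num >> 16:04X}-{num & 0xFFFF:04X}"  # Windows "XXXX-XXXX" form
    machine = None
    pos = data.find(TRACKER_SIG)  # pragmatic scan instead of a full ExtraData walk
    if pos != -1:  # MachineID: 16 NUL-padded ASCII bytes after the Length and Version fields
        machine = data[pos + 12:pos + 28].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"drive_serial": serial, "machine_id": machine}

def matches_campaign(meta: dict) -> bool:
    """True when either artifact equals one reported for the DarkGate LNK files."""
    return meta["drive_serial"] == KNOWN_DRIVE_SERIAL or meta["machine_id"] == KNOWN_MACHINE_ID

def build_sample_lnk(serial: int, machine: str) -> bytes:
    """Constructed minimal .lnk (header + LinkInfo/VolumeID + TrackerDataBlock) for testing."""
    header = struct.pack("<I", HEADER_SIZE) + bytes(16) + struct.pack("<I", 0x02) + bytes(52)
    volume_id = struct.pack("<IIII", 0x11, 3, serial, 0x10) + b"\x00"  # fixed drive, empty label
    base_path = b"C:\\Users\\Public\\x.exe\x00"  # hypothetical local base path
    size = 0x1C + len(volume_id) + len(base_path) + 1
    link_info = struct.pack("<IIIIIII", size, 0x1C, 0x01, 0x1C, 0x1C + len(volume_id), 0,
                            0x1C + len(volume_id) + len(base_path))
    link_info += volume_id + base_path + b"\x00"  # empty CommonPathSuffix
    tracker = struct.pack("<IIII", 0x60, 0xA0000003, 0x58, 0)
    tracker += machine.encode().ljust(16, b"\x00") + bytes(64)  # Droid + DroidBirth zeroed
    return header + link_info + tracker + bytes(4)  # trailing TerminalBlock

if __name__ == "__main__":
    meta = parse_lnk(build_sample_lnk(0x10DA4067, KNOWN_MACHINE_ID))
    print(meta, "campaign match" if matches_campaign(meta) else "no match")
```

On real samples, run parse_lnk over each .lnk file on disk; a hit on either value is a strong attribution signal, while a miss only means the shortcut was built on a different machine.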
Read more: https://labs.withsecure.com/publications/darkgate-malware-campaign