WithSecure researchers have tracked attacks using DarkGate malware to an active cluster of cybercriminals operating out of Vietnam.
DarkGate is a Remote Access Trojan (RAT) that has been used in attacks since at least 2018 and is currently available to cybercriminals as Malware-as-a-Service (MaaS). It has a diverse user base and a variety of capabilities. It has been observed in information stealing, cryptojacking and ransomware campaigns.
WithSecure researchers began their investigation into DarkGate after detecting multiple infection attempts against organisations in the UK, US and India.
Based on non-technical indicators, such as lure files, themes, targeting and delivery methods, researchers were able to tie these attempted attacks back to the same threat actors using the Ducktail infostealer that WithSecure researchers have been tracking for approximately the last year and half.
“The DarkGate attacks we observed have very strong identifiers — identifiers which allowed us to establish links between these attacks and others we’ve seen using different infostealers and malware, including Ducktail. Based on what we’ve observed, it is very likely that a single actor is behind several of the campaigns we’ve been tracking that target Meta Business accounts,” said WithSecure Senior Threat Intelligence Analyst, Stephen Robinson.