Date: 2023-09-12

Vietnamese threat actors have launched new phishing attacks, dubbed "MrTonyScam," that exploit Facebook Messenger to target business accounts with a Python-based stealer, according to The Hacker News. Attackers have leveraged multiple fraudulent and compromised personal Messenger accounts to deliver malicious messages that lure targets into clicking ZIP and RAR archive attachments, which eventually prompt the deployment of a next-stage payload containing an obfuscated Python-based stealer capable of exfiltrating browser-stored cookies and login credentials, a Guardio Labs report showed. Attackers were also observed to have erased all cookies following exfiltration, easing account takeovers. Most impacted by the campaign were the U.S., Australia, Canada, France, and Germany. The findings were reported just days after malvertising campaigns by Vietnamese threat actors against Meta Business and Facebook accounts were disclosed by WithSecure and Zscaler ThreatLabz. "The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to ransomware-as-a-service model) centered around social media platforms such as Facebook," said WithSecure.