Threat Intelligence, Malware, Security Staff Acquisition & Development, Application security

Hackers target US Facebook biz accounts with potent malware cocktail

Facebook Business

A cybercrime group based in Vietnam is targeting English-language Facebook business accounts in a malicious campaign targeting digital marketing firms based in the U.S., UK and India, warned a Friday report.  

The adversary is using the popular malware DarkGate in conjunction with malware as a service (MaaS) toolkits to infect victims with remote access trojans (RATs) and additional info-stealing malware such as Ducktail, Lobshot and Redline, according to the report authored by WithSecure.

While the research focuses on one threat group, the report said the adversary is part of a larger mix of Vietnamese hackers. WithSecure said the malware used by unnamed adversary is part of a “closely related cluster” of threat groups connected by the use of similar MaaS tools and commodity malware.

“Based on what we’ve observed, it is very likely that a single actor is behind several of the campaigns we’ve been tracking that target Meta Business accounts,” said WithSecure senior threat intelligence analyst Stephen Robinson.   

Hijacking Facebook business accounts is their primary goals, he said.

WithSecure said it identified the unnamed threat group after an 18-month analysis of lure files and delivery methods and details of the organizations targeted.

Different tools, same bad guys

“The DarkGate attacks we observed have very strong identifiers – identifiers which allowed us to establish links between these attacks and others we’ve seen using different infostealers and malware, including Ducktail,” Robinson said.

In July last year WithSecure first reported on an operation using the malware it dubbed Ducktail that targeted Meta’s Business platform to steal Facebook corporate and advertising account information.

By stealing credentials linked to business ad accounts, threat actors can hijack the accounts to run unauthorized ad campaigns.

Click for more special coverage

“DarkGate (malware) has been around for a long time and is being used by many groups for different purposes, and not just this group or cluster in Vietnam,” Robinson said.

“The flipside of this is that actors can use multiple tools for the same campaign, which could obscure the true extent of their activity from purely malware-based analysis.”

Although DarkGate dates back to 2017, researchers have observed a spike in its distribution this year after its developer, who goes by the handle “RastaFarEye” on the dark web, began offering it for lease on a MaaS basis.

Cybercrime in Vietnam

While Vietnam-based threat groups don’t attract as much attention as their counterparts in the likes of China, Russia or North Korea, the nation does have a vibrant cybercriminals ecosystem.

The country’s threat groups include both financially motivated and espionage-focused actors, the most well-known of which is APT-32 (also known as Ocean Lotus).

“APT32 use a combination of custom-developed, open-source, and commercially available tooling. This is alongside of more traditional phishing for their initial access into an organization,” said Josh Lemon, Uptycs’ managed detection and response team director.

“They are known to target foreign governments and the private sector within Vietnam and internationally, along with journalists, activists, and dissidents. They were very active during 2020, targeting China for intelligence related to COVID-19 research and response efforts,” he said.

“Crime groups out of Vietnam have also used Malverposting techniques to encourage victims to click on ads that download malicious files disguised as images, which is malware intended to steal information from the victim’s system.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.