A Vietnamese threat group [1] [2] [3] [4], known for the Ducktail stealer malware [3], conducted a campaign targeting marketing professionals in India between March and early October 2023 [1] [4]. Their objective was to hijack Facebook business accounts by spreading malicious content through sponsored ads on the platform. This campaign represented an escalation in tactics [5], as the attackers used Delphi as their programming language instead of the usual .NET applications [5].

Description

The cybercriminals disguised archive files as PDFs and sent them to potential targets. When opened, these files launched a malicious executable that could steal victims’ login cookies and gain control of their accounts. Once unauthorized access was gained [5], the fraudsters exploited the accounts for financial gain by placing advertisements [5].

In a related development [1] [2], Google has taken legal action against unknown individuals in India and Vietnam for spreading malware through social media posts and ads related to generative AI tools [1]. The archive files used in the campaign also included an installer file that installed a browser extension to steal victims’ social media accounts [1].

The campaign involved sending potential targets archive files disguised as PDFs [1] [2] [4], which contained a malicious executable [1] [2] [4]. When launched, the executable saved a PowerShell script and a decoy PDF document locally [2] [4]. The script would open the decoy [4], pause for five minutes [2] [4], and then terminate the Chrome browser process [2] [4]. The executable also downloaded and launched a rogue library that scanned for shortcuts to a Chromium-based web browser [2] [4]. The next stage involved altering the browser’s shortcut file to launch a rogue extension disguised as the legitimate Google Docs Offline add-on [4]. This extension would send information about open tabs to a server controlled by the attackers in Vietnam and hijack the Facebook business accounts [4]. This highlights the evolving tactics of cybercriminals and the need for advanced security measures to counter such threats [3].
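Two of the host-side artefacts described in the chain above are cheap to hunt for: a Chromium-family browser shortcut whose arguments have been altered to side-load an extension from an arbitrary folder, and a PowerShell process that terminates the browser (here, after opening the decoy and sleeping). The following is an added detection example, not code from the original article or from any of the cited reports; the shortcut records, process events, file paths and the `--load-extension` / `--disable-extensions-except` switches it looks for are constructed or assumed illustrations of the behaviour the text describes, not indicators taken from the campaign.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Chromium-family browser executables whose shortcuts are worth inspecting.
CHROMIUM_EXES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
                 "vivaldi.exe", "chromium.exe"}

# Chromium switches that make the browser load an unpacked extension from a
# caller-chosen folder on every launch; a stock desktop shortcut has neither.
SIDELOAD_SWITCHES = ("--load-extension=", "--disable-extensions-except=")

# PowerShell command lines that kill a browser process. Login scripts rarely
# do this; the chain described above does it deliberately after a delay.
KILL_BROWSER_RE = re.compile(
    r"(stop-process|taskkill)[^;|]*\b(chrome|msedge|brave)\b", re.IGNORECASE)


@dataclass
class Shortcut:
    """Resolved .lnk fields (what an LNK parser would hand you)."""
    path: str
    target: str
    arguments: str


def check_shortcut(sc: Shortcut) -> List[str]:
    """Flag a browser shortcut whose arguments side-load an extension."""
    exe = sc.target.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in CHROMIUM_EXES:
        return []                       # not a browser shortcut: ignore
    args = sc.arguments.lower()
    return [f"{sc.path}: {exe} launched with {sw.rstrip('=')}"
            for sw in SIDELOAD_SWITCHES if sw in args]


def check_process_event(ev: Dict[str, str]) -> List[str]:
    """Flag PowerShell that terminates a browser; note a parent process that
    is not an interactive shell, since the chain above is launched by the
    executable dropped from the fake PDF archive."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return []
    if not KILL_BROWSER_RE.search(ev["command_line"]):
        return []
    parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
    reason = "browser killed by PowerShell"
    if parent not in ("explorer.exe", "cmd.exe", "powershell.exe"):
        reason += f", parent {parent}"
    return [f"pid {ev['pid']}: {reason}"]


# Constructed sample data (not real indicators): one tampered Chrome
# shortcut, one clean Edge shortcut, one non-browser shortcut.
SAMPLE_SHORTCUTS = [
    Shortcut(r"C:\Users\u\Desktop\Google Chrome.lnk",
             r"C:\Program Files\Google\Chrome\Application\chrome.exe",
             r'--load-extension="C:\Users\u\AppData\Local\Temp\docs_offline"'),
    Shortcut(r"C:\Users\u\Desktop\Microsoft Edge.lnk",
             r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
             ""),
    Shortcut(r"C:\Users\u\Desktop\Notepad.lnk", r"C:\Windows\notepad.exe",
             "--load-extension=x"),
]

# Constructed process-creation events in a Sysmon-like shape.
SAMPLE_EVENTS = [
    {"pid": "4120",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\u\Downloads\Campaign_Brief.pdf.exe",
     "command_line": "powershell -w hidden -c \"Start-Process 'brief.pdf'; "
                     "Start-Sleep -s 300; Stop-Process -Name chrome -Force\""},
    {"pid": "4188",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell Get-Process chrome"},
]


def run_demo() -> List[str]:
    """Run both checks over the sample data and return all findings."""
    findings: List[str] = []
    for sc in SAMPLE_SHORTCUTS:
        findings += check_shortcut(sc)
    for ev in SAMPLE_EVENTS:
        findings += check_process_event(ev)
    return findings


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

On a real estate the shortcut check would be fed by parsing every `.lnk` under the users' Desktop, Start Menu and taskbar folders, and the process check by the endpoint's process-creation telemetry; both are heuristics, so treat a hit as a lead to triage (inspect the extension folder the switch points at, and the parent executable) rather than as a verdict.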

Conclusion

This campaign demonstrates the evolving tactics of cybercriminals [3], as they utilized Delphi as their programming language and disguised archive files as PDFs to target marketing professionals in India. The hijacking of Facebook business accounts for financial gain highlights the need for advanced security measures to counter such threats. Additionally, Google’s legal action against individuals in India and Vietnam for spreading malware through social media posts and ads emphasizes the importance of mitigating the risks associated with generative AI tools. As cybercriminals continue to adapt and develop new techniques, it is crucial to stay vigilant and implement robust security measures to protect against future attacks.

References

[1] https://cyber.vumetric.com/security-news/2023/11/14/vietnamese-hackers-using-new-delphi-powered-malware-to-target-indian-marketers/
[2] https://thehackernews.com/2023/11/vietnamese-hackers-using-new-delphi.html
[3] https://cybermaterial.com/ducktail-targets-indian-marketers/
[4] https://www.443news.com/2023/11/vietnamese-hackers-using-new-delphi-powered-malware-to-target-indian-marketers/
[5] https://www.cyber-oracle.com/p/dependabots-deception-uncovering