Vietnamese Hackers Deploy Python-Based Stealer via Facebook Messenger


Sep 11, 2023 | THN | Malware / Social Media


A new phishing attack is leveraging Facebook Messenger to propagate messages with malicious attachments from a "swarm of fake and hijacked personal accounts" with the ultimate goal of taking over the targets' accounts.

"Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods," Guardio Labs researcher Oleg Zaytsev said in an analysis published over the weekend.

In these attacks, dubbed MrTonyScam, potential victims are sent messages that entice them into clicking on the RAR and ZIP archive attachments, leading to the deployment of a dropper that fetches the next stage from a GitHub or GitLab repository.

This payload is another archive file that contains a CMD file, which, in turn, harbors an obfuscated Python-based stealer that exfiltrates all cookies and login credentials from different web browsers to an actor-controlled Telegram or Discord API endpoint.


A clever tactic adopted by the adversary involves deleting all cookies after stealing them, effectively logging victims out of their own accounts, at which point the scammers hijack their sessions using the stolen cookies to change their passwords and seize control of them.
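As an added, defender-side example (not from the Guardio report or this article), the toy detection pass below runs over constructed endpoint telemetry and flags the chain described above: a cmd.exe-launched Python interpreter contacting a Telegram or Discord API host. The JSON field names and sample values are this example's own assumptions, not a real EDR schema.

```python
import json
from urllib.parse import urlparse

# Exfiltration destinations named in the article; discordapp.com is an
# assumed legacy alias and is not taken from the page.
EXFIL_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}
LAUNCHERS = {"cmd.exe"}                       # the CMD stage runs under cmd.exe
INTERPRETERS = {"python.exe", "pythonw.exe"}  # the Python stealer stage

def basename(path):
    """Image name without its directory, for Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def exfil_host(url):
    """Return the matching exfiltration host for a URL, or None."""
    host = (urlparse(url).hostname or "").lower()
    return host if host in EXFIL_HOSTS else None

def flag_events(lines):
    """Return [(pid, reason)] for events where a cmd.exe-spawned Python
    interpreter talks to a Telegram/Discord API host. A browser reaching
    discord.com is ordinary traffic and is deliberately not flagged; the
    process ancestry is what makes the destination suspicious."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        image = basename(ev.get("image", ""))
        parent = basename(ev.get("parent_image", ""))
        host = exfil_host(ev.get("url", ""))
        if host and image in INTERPRETERS and parent in LAUNCHERS:
            findings.append((ev["pid"], f"{parent} -> {image} -> {host}"))
    return findings

# Constructed sample telemetry: one benign browser event, one benign
# cmd-launched Python event, and two matching the described chain.
SAMPLE_EVENTS = [
    r'{"pid": 4100, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "url": "https://discord.com/api/v9/gateway"}',
    r'{"pid": 4101, "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\py\\python.exe", "url": "https://pypi.org/simple/requests/"}',
    r'{"pid": 4102, "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\py\\python.exe", "url": "https://api.telegram.org/botTOKEN_PLACEHOLDER/sendDocument"}',
    r'{"pid": 4103, "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\py\\python.exe", "url": "https://discord.com/api/webhooks/WEBHOOK_PLACEHOLDER"}',
]

if __name__ == "__main__":
    for pid, reason in flag_events(SAMPLE_EVENTS):
        print(pid, reason)
```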

The threat actor's links to Vietnam come from the presence of Vietnamese-language references in the source code of the Python stealer and the inclusion of Cốc Cốc, a Chromium-based browser popular in the country.

Despite the fact that triggering the infection requires user interaction to download the file, unzip it, and execute the attachment, Guardio Labs found that the campaign has seen a high success rate, with an estimated 1 out of 250 victims infected over the past 30 days alone.


A majority of the compromises have been reported in the U.S., Australia, Canada, France, Germany, Indonesia, Japan, Nepal, Spain, the Philippines, and Vietnam, among others.

"Facebook accounts with reputation, seller rating, and a high number of followers can be easily monetized on dark markets," Zaytsev said. "Those are used to reach a wide audience to spread advertisements as well as more scams."



The disclosure comes days after WithSecure and Zscaler ThreatLabz detailed new Ducktail and Duckport campaigns that target Meta Business and Facebook accounts using malverposting tactics.

"The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to a ransomware-as-a-service model) centered around social media platforms such as Facebook," WithSecure noted.

