Vietnamese Hackers Phish for Victims Using Messenger

A recent phishing attack is utilizing Facebook Messenger to distribute messages containing harmful attachments. These messages are sent from a large number of fabricated and compromised personal accounts, with the ultimate objective of gaining control over the recipients' accounts.

This campaign, which has been traced back to a group based in Vietnam, employs a small compressed file attachment. Within this attachment, there is a potent Python-based stealing script that is deployed through a multi-stage process that employs straightforward yet effective obfuscation techniques. Guardio Labs researcher Oleg Zaytsev provided an analysis of this campaign, which was published over the weekend.

Malicious Archives Used as Bait

In these attacks, referred to as "MrTonyScam," potential victims receive messages that encourage them to click on RAR and ZIP archive attachments. Clicking on these attachments triggers the deployment of a dropper, which retrieves the next-stage component from either a GitHub or GitLab repository.

This next-stage payload is yet another archive file containing a CMD file. Inside this CMD file lies an obfuscated Python-based stealing script, designed to siphon off all cookies and login credentials from various web browsers. These pilfered data are then sent to a Telegram or Discord API endpoint controlled by the threat actor.

The adversary employs a cunning tactic, as they delete all stolen cookies after extraction. This action effectively logs the victims out of their accounts. Subsequently, the scammers exploit the stolen cookies to change the victims' passwords and take control of their accounts.
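The chain described above (archive attachment, script dropper, nested next-stage archive, cookie exfiltration to a Telegram or Discord API endpoint) gives a defender two cheap places to look: the attachment itself and outbound proxy traffic. The following is an added example written for this page, not code from Guardio Labs or the campaign; the archive, the `.cmd` member name and the proxy log lines are constructed samples, and the Telegram bot and Discord webhook URL shapes are assumed as typical exfiltration endpoints rather than indicators taken from the report.

```python
"""Defender-side triage for the attack chain described above (added example)."""
import io
import re
import zipfile

# Member types the write-up names: a CMD script, and archives nested inside archives.
SCRIPT_EXTS = {".cmd", ".bat"}
NESTED_ZIP_EXT = ".zip"
NESTED_RAR_EXT = ".rar"   # flagged only; expanding RAR needs a third-party library

# Assumed exfil URL shapes: Telegram Bot API and Discord webhooks (not page IoCs).
EXFIL_PATTERN = re.compile(
    r"https?://(api\.telegram\.org/bot|discord(app)?\.com/api/webhooks)", re.I
)


def _ext(name: str) -> str:
    name = name.lower()
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def triage_zip(data: bytes, depth: int = 0, max_depth: int = 3) -> list[str]:
    """Walk a ZIP attachment (recursing into nested ZIPs) and return findings.

    Findings are plain strings so they can be logged or fed to a ticketing system.
    """
    findings: list[str] = []
    if depth > max_depth:
        return [f"nesting deeper than {max_depth}, stopped"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    with zf:
        for info in zf.infolist():
            ext = _ext(info.filename)
            if ext in SCRIPT_EXTS:
                findings.append(f"script member: {info.filename} (depth {depth})")
            elif ext == NESTED_ZIP_EXT:
                findings.append(f"nested archive: {info.filename} (depth {depth})")
                findings.extend(triage_zip(zf.read(info), depth + 1, max_depth))
            elif ext == NESTED_RAR_EXT:
                findings.append(f"nested RAR archive, not expanded: {info.filename}")
    return findings


def flag_exfil_lines(log_lines: list[str]) -> list[str]:
    """Return proxy log lines whose URL matches a known exfiltration endpoint shape."""
    return [line for line in log_lines if EXFIL_PATTERN.search(line)]


def build_sample_attachment() -> bytes:
    """Constructed sample: outer ZIP -> inner ZIP -> harmless placeholder .cmd file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("photo_viewer.cmd", "@echo off\r\nrem placeholder, not a real dropper\r\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "constructed benign member")
        z.writestr("images.zip", inner.getvalue())
    return outer.getvalue()


# Constructed proxy log lines; tokens and IDs are placeholders, not real values.
SAMPLE_PROXY_LOG = [
    "2023-09-11T10:01:02Z 10.0.0.5 GET https://www.example.com/ 200",
    "2023-09-11T10:01:07Z 10.0.0.5 POST https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument 200",
    "2023-09-11T10:01:09Z 10.0.0.5 POST https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN 204",
]

if __name__ == "__main__":
    for finding in triage_zip(build_sample_attachment()):
        print("attachment:", finding)
    for line in flag_exfil_lines(SAMPLE_PROXY_LOG):
        print("exfil candidate:", line)
```

`triage_zip` deliberately stops at a fixed depth so a crafted archive cannot make the scanner recurse without bound, and it never executes or extracts members to disk; `flag_exfil_lines` is a narrow pattern that should be combined with process context (a script interpreter spawned from an archive extraction) rather than used alone, since legitimate bots also talk to these endpoints.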

The connection of the threat actor to Vietnam is evident in the presence of Vietnamese language references within the Python stealing script's source code. Additionally, the inclusion of Coc Coc, a Chromium-based browser popular in Vietnam, further supports this link.

Although initiating the infection requires the user to download, extract, and execute the attachment, Guardio Labs reports a high success rate for this campaign: over the past 30 days, an estimated 1 out of every 250 recipients is believed to have fallen victim to this attack.

Most of the compromises have been observed in countries such as the United States, Australia, Canada, France, Germany, Indonesia, Japan, Nepal, Spain, the Philippines, and Vietnam, among others.

September 11, 2023
