Vietnamese Hackers Phish for Victims Using Messenger

A recent phishing attack is utilizing Facebook Messenger to distribute messages containing harmful attachments. These messages are sent from a large number of fabricated and compromised personal accounts, with the ultimate objective of gaining control over the recipients' accounts.

This campaign, which has been traced back to a group based in Vietnam, employs a small compressed file attachment. Within this attachment, there is a potent Python-based stealing script that is deployed through a multi-stage process that employs straightforward yet effective obfuscation techniques. Guardio Labs researcher Oleg Zaytsev provided an analysis of this campaign, which was published over the weekend.

Malicious Archives Used as Bait

In these attacks, referred to as "MrTonyScam," potential victims receive messages that encourage them to click on RAR and ZIP archive attachments. Clicking on these attachments triggers the deployment of a dropper, which retrieves the next-stage component from either a GitHub or GitLab repository.

This next-stage payload is yet another archive file containing a CMD file. Inside this CMD file lies an obfuscated Python-based stealing script, designed to siphon off all cookies and login credentials from various web browsers. These pilfered data are then sent to a Telegram or Discord API endpoint controlled by the threat actor.

The adversary employs a cunning tactic, as they delete all stolen cookies after extraction. This action effectively logs the victims out of their accounts. Subsequently, the scammers exploit the stolen cookies to change the victims' passwords and take control of their accounts.

The connection of the threat actor to Vietnam is evident in the presence of Vietnamese language references within the Python stealing script's source code. Additionally, the inclusion of Coc Coc, a Chromium-based browser popular in Vietnam, further supports this link.

Although it should be noted that initiating the infection necessitates user interaction to download, extract, and execute the attachment, Guardio Labs has reported a high success rate for this campaign. Over the past 30 days, an estimated 1 out of every 250 recipients are believed to have fallen victim to this attack.

Most of the compromises have been observed in countries such as the United States, Australia, Canada, France, Germany, Indonesia, Japan, Nepal, Spain, the Philippines, and Vietnam, among others.

By Zaib
September 11, 2023
Computer Security
English
September 11, 2023
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

Computer Security

Hackers Attempt Identity Theft of Victims in Florida Tragedy

Following the tragic collapse of the 12-floor condo located at the beachfront of Surfside, FL, hackers are now trying to abuse the personal tragedy of affected families. Threatpost reports that bad actors are pulling... Read more

July 20, 2021
Scam

Beware! Social Security Phishing Scam Preys on Victims

A new email scam is distributed online, using phishing emails. This time around, the scammers chose to send phony US Social Security Association emails. The scam has a simple premise - potential victims receive an... Read more

October 21, 2022
Computer Security

Ignoring Smart Doorbell Security Is Like Giving House Keys to Hackers

UK consumer protection organization Which? recently revealed that smart doorbells sold in big-name online retailers can contain major vulnerabilities. Together with NCC Group, another UK entity, Which? discovered that... Read more

November 26, 2020
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.