The attack, referred to as ‘MrTonyScam,’ executes its attacks by sending messages to their targets compelling them to click on their RAR and ZIP archive attachments, and launching a dropper that downloads the subsequent stage from a GitHub or GitLab repository.
Oleg Zaytsev, Guardio Labs researcher states in an analysis published over the weekend, "Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods."
This payload is another archive file with a CMD file inside of it. The CMD file then contains an obfuscated Python-based stealer that exfiltrates all cookies and login information from various web browsers to a Telegram or Discord API endpoint that is under the control of an actor.
A significantly interesting tactic used by the threat actors is how they delete all cookies once they have stolen them in order to block their victims from their own accounts. They further hack the victim’s session with the help of the stolen cookies, changing passwords and thus acquiring complete control.
Also, there have been speculations that the threat actors are based in Vietnam, considering the presence of Vietnamese language references in the source code of the Python stealer. For instance, there has been the inclusion of ‘Cốc Cốc,’ which is a Chromium-based browser used popularly in Vietnam.
Guardio Labs discovered that the campaign has experienced a high success rate, with 1 out of 250 victims being estimated to have been infected over the last 30 days alone, despite the fact that the infection needs user input to download a file, unzip it, and execute the attachment.
Among other countries, the United States, Australia, Canada, France, Germany, Indonesia, Japan, Nepal, Spain, the Philippines, and Vietnam have reported the majority of the compromises.
"Facebook Accounts with reputation, seller rating, and high number of followers can be easily monetized on dark markets[…]Those are used to reach a broad audience to spread advertisements as well as more scams," Zaytsev noted.
The aforementioned reveal came in days after WithSecure and Zscaler ThreatLabz reported the newly launched Ducktail and Duckport campaigns that targeted Meta Business and Facebook accounts using ‘malverposting’ tactics.
"The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to ransomware-as-a-service model) centered around social media platforms such as Facebook," WithSecure noted.