Vietnamese Hackers Deploy Python-Based Stealer via Facebook Messenger

September 11, 2023 | THN | Malware / Social Media


A new phishing attack is leveraging Facebook Messenger to spread messages with malicious attachments from a "swarm of fake and hijacked personal accounts" with the ultimate goal of taking over the targets' accounts.

"Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods," Guardio Labs researcher Oleg Zaytsev said in an analysis published over the weekend.

In these attacks, dubbed MrTonyScam, potential victims receive messages that entice them into opening RAR and ZIP archive attachments, leading to the deployment of a dropper that fetches the next stage from a GitHub or GitLab repository.

This payload is another archive file that contains a CMD file, which, in turn, harbors an obfuscated Python-based stealer that exfiltrates all cookies and login credentials from different web browsers to an actor-controlled Telegram or Discord API endpoint.


A clever tactic adopted by the adversary is to delete all the cookies after stealing them, thereby logging victims out of their own accounts. The scammers then use the stolen cookies to hijack the still-valid sessions, change the passwords, and take over control of the accounts before the victims can get back in.
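The chain described above (a CMD script launching a Python stealer, the stealer reading and then deleting browser cookie stores, and exfiltration to a Telegram bot or Discord webhook endpoint) is what a defender would want to spot in endpoint telemetry. The following is an added example written for this page, not code from the article or from Guardio Labs: a small correlation detector run over constructed process, file and network events. The event field names, the dropped-interpreter path, the token placeholder and the Cốc Cốc process name (`browser.exe`) are assumptions; none of the sample data comes from the campaign itself.

```python
"""
Added example (not from the article or Guardio Labs): flag the MrTonyScam-style
chain in endpoint telemetry. All events below are constructed for illustration;
field names and executable names are assumptions.
"""
import re

# Browsers whose own reads of their cookie stores are expected.
# "browser.exe" is assumed to be the Cốc Cốc process name.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe",
                  "opera.exe", "browser.exe"}

# Chromium-family cookie DB (".../User Data/<profile>/[Network/]Cookies", which
# covers Chrome, Edge and Cốc Cốc) and Firefox's cookies.sqlite.
COOKIE_DB_RE = re.compile(
    r"\\User Data\\.*\\(?:Network\\)?Cookies$|\\cookies\.sqlite$", re.I)

# Exfil endpoints named in the article: Telegram Bot API and Discord webhooks.
# The URL path is only visible with TLS inspection or from a proxy log; with
# host-only data the discord.com match is far noisier (the desktop client).
EXFIL_ENDPOINTS = [
    ("api.telegram.org", re.compile(r"^/bot[^/]+/send", re.I)),
    ("discord.com", re.compile(r"^/api/webhooks/", re.I)),
]


def image_name(path):
    """Basename of a Windows/POSIX executable path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event, parents):
    """Return the rule an event triggers, or None. `parents` maps pid -> process_create."""
    img = image_name(event["image"])
    kind = event["type"]
    if kind == "process_create" and img.startswith("python"):
        parent = parents.get(event["ppid"])
        if parent and image_name(parent["image"]) == "cmd.exe" \
                and ".cmd" in parent["cmdline"].lower():
            return "python_launched_from_cmd_script"
    elif kind in {"file_access", "file_delete"} and img not in BROWSER_IMAGES \
            and COOKIE_DB_RE.search(event["path"]):
        return "cookie_db_access_by_non_browser"   # read or the post-theft delete
    elif kind == "network_connect" and img not in BROWSER_IMAGES:
        for host, path_re in EXFIL_ENDPOINTS:
            if event["dest_host"].lower() == host and path_re.match(event.get("url_path", "")):
                return "bot_api_exfil"
    return None


def detect(events):
    """Map pid -> set of rule names that pid triggered."""
    parents = {e["pid"]: e for e in events if e["type"] == "process_create"}
    hits = {}
    for e in events:
        rule = classify_event(e, parents)
        if rule:
            hits.setdefault(e["pid"], set()).add(rule)
    return hits


def alerts(events, min_rules=2):
    """Pids that hit at least `min_rules` distinct rules; single hits are left as leads."""
    return sorted(pid for pid, rules in detect(events).items() if len(rules) >= min_rules)


# Constructed telemetry. PY is an assumed path for the dropped interpreter.
PY = r"C:\Users\victim\AppData\Local\Temp\pyenv\python.exe"
CHROME_COOKIES = r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
SAMPLE_EVENTS = [
    # attack chain: extracted .cmd -> python -> cookie DBs -> delete -> Telegram bot API
    {"type": "process_create", "pid": 4120, "ppid": 2200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\Downloads\order\video.cmd"'},
    {"type": "process_create", "pid": 4188, "ppid": 4120, "image": PY, "cmdline": "python.exe stage.py"},
    {"type": "file_access", "pid": 4188, "image": PY,
     "path": r"C:\Users\victim\AppData\Local\CocCoc\Browser\User Data\Default\Network\Cookies"},
    {"type": "file_access", "pid": 4188, "image": PY, "path": CHROME_COOKIES},
    {"type": "file_delete", "pid": 4188, "image": PY, "path": CHROME_COOKIES},
    {"type": "network_connect", "pid": 4188, "image": PY, "dest_host": "api.telegram.org",
     "dest_port": 443, "url_path": "/bot<token>/sendDocument"},
    # benign noise: browser reading its own cookies, Discord client, a developer's python
    {"type": "file_access", "pid": 3001, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": CHROME_COOKIES},
    {"type": "network_connect", "pid": 3500, "image": r"C:\Users\victim\AppData\Local\Discord\app\Discord.exe",
     "dest_host": "discord.com", "dest_port": 443, "url_path": "/api/v9/gateway"},
    {"type": "process_create", "pid": 5000, "ppid": 1500, "image": r"C:\Python311\python.exe",
     "cmdline": "python.exe build.py"},
]

if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS).items():
        print(pid, sorted(rules))
    print("alerts:", alerts(SAMPLE_EVENTS))
```

Each rule on its own is noisy (backup agents read cookie databases, admins run Python from batch files), which is why the alert requires two distinct rules on the same process. Requiring the cookie-store access and the bot-API connection to come from the same non-browser pid is what ties the detection to the stealer's behaviour rather than to any single indicator.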

The threat actor's links to Vietnam stem from the presence of Vietnamese language references in the Python stealer's source code and the inclusion of Cốc Cốc, a Chromium-based browser popular in the country, among the targeted browsers.

Although triggering the infection requires user interaction to download the file, unzip it, and execute the attachment, Guardio Labs found that the campaign has a high success rate: an estimated one in 250 recipients has been infected in the last 30 days alone.


The majority of compromises have been reported in the United States, Australia, Canada, France, Germany, Indonesia, Japan, Nepal, Spain, the Philippines, and Vietnam, among others.

"Facebook accounts with reputation, seller rating, and a high number of followers can be easily monetized on dark markets," Zaytsev said. "Those are used to reach a broad audience to spread advertisements as well as more scams."



The disclosure comes days after WithSecure and Zscaler ThreatLabz detailed new Ducktail and Duckport campaigns that target Meta Business and Facebook accounts using malvertising tactics.

"The Vietnamese element of these threats and the high degree of overlap in terms of capabilities, infrastructure, and victimology suggest active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to the ransomware-as-a-service model) centered around social media platforms such as Facebook," WithSecure noted.
