Ducktail Infostealer, DarkGate RAT Linked to Same Threat Actors

Cybersecurity researchers have uncovered a connection between the notorious DarkGate remote access trojan (RAT) and the Vietnam-based financial cybercrime operation behind the Ducktail infostealer.

WithSecure's researchers, who spotted Ducktail's activity in 2022, started their investigation into DarkGate after detecting multiple infection attempts against organizations in the UK, US, and India.

"It rapidly became apparent that the lure documents and targeting were very similar to recent Ducktail infostealer campaigns, and it was possible to pivot through open source data from the DarkGate campaign to multiple other infostealers which are very likely being used by the same actor/group," the report noted.

DarkGate's Ties to Ducktail

DarkGate is backdoor malware capable of a wide range of malicious activities, including information stealing, cryptojacking, and using Skype, Teams, and Messages to distribute malware.

The malware can steal a variety of data from infected devices, including usernames, passwords, credit card numbers, and other sensitive information and be used to mine cryptocurrency on infected devices without the user's knowledge or consent.

It can be used to deliver ransomware to infected devices, encrypting the user's files and demanding a ransom payment to decrypt them.

WithSecure senior threat intelligence analyst Stephen Robinson explains that at a high level, DarkGate malware functionality hasn’t changed since the initial reporting in 2018.

"It has always been a Swiss-army knife, multifunctional malware," he says. "That said, it has been repeatedly updated and modified by the author since then, which we can assume has been to improve the implementation of those malicious functions, and to keep up with the AV/Malware detection arms race."

He notes DarkGate campaigns (and the actors behind them) can be differentiated by who they are targeting, the lures and infection vectors they are using, and their actions on the target.

"The specific Vietnamese cluster that the report focuses on used the same targeting, file names, and even lure files for multiple campaigns using multiple strains of malware," Robinson says.

They created PDF lure files using an online service that adds its own metadata to each file created; that metadata gave further strong links between the different campaigns.

They also created multiple malicious LNK files on the same device and did not wipe the metadata, enabling further activity to be clustered.

The correlation between DarkGate and Ducktail was determined from nontechnical markers such as lure files, targeting patterns, and delivery methods, collated in a 15-page report.

"Nontechnical indicators like lure files and metadata are highly impactful forensic cues. Lure files, which act as bait to entice victims into executing the malware, offer invaluable insights into an attacker's modus operandi, their potential targets, and their evolving techniques," explains Callie Guenther, senior manager of cyber threat research at Critical Start.

Similarly, metadata — information like "LNK Drive ID" or details from services like Canva — can leave discernible traces or patterns that might persist across different attacks or specific actors.

"These consistent patterns, when analyzed, can bridge the gap between varied campaigns, enabling researchers to attribute them to a common perpetrator, even if the malware's technical footprint differs," she says.

Ngoc Bui, cybersecurity expert at Menlo Security, says understanding the relationships between different malware families linked to the same threat actors is essential.

"It helps in building a more comprehensive threat profile and identifying the tactics and motivations of these threat actors," Bui says.

For example, if researchers find connections between DarkGate, Ducktail, Lobshot, and Redline Stealer, they may be able to conclude that a single actor or group is involved in multiple campaigns, which suggests a high level of sophistication.

"It may also help analysts determine if more than one threat group is working together as we see with ransomware campaigns and efforts," Bui adds.

MaaS Impacts Cyber-Threat Landscape

Bui points out the availability of DarkGate as a service has significant implications for the cybersecurity landscape.

"It lowers the entry barrier for aspiring cybercriminals who may lack technical expertise," Bui explains. "As a result, more individuals or groups can access and deploy sophisticated malware like DarkGate, increasing the overall threat level."

Bui adds that malware-as-a-service (MaaS) offerings provide cybercriminals with a convenient and cost-effective means to conduct attacks.

For a cybersecurity analyst, this poses a challenge because they must continually adapt to new threats and consider the possibility of multiple threat actors using the same malware service.

It also can make tracking the threat actor using the malware a little more difficult as the malware itself may cluster back to the developer and not the threat actor using the malware.

Paradigm Shift in Defense

Guenther says that to better comprehend the modern, ever-evolving cyber-threat landscape, a paradigm shift in defense strategies is overdue.

"Embracing behavior-based detection sequences, as well as leveraging AI and ML, allows for the identification of anomalous network behaviors, surpassing the previous limitations of signature-based methods," she says.

Furthermore, pooling threat intelligence and fostering communication about emergent threats and tactics across industry verticals can catalyze early detection and mitigation.

"Regular audits, encompassing network configurations and penetration tests, can preemptively unearth vulnerabilities," Guenther adds. "Moreover, a well-informed workforce, trained in recognizing contemporary threats and phishing vectors, becomes an organization's first line of defense, reducing the risk quotient substantially."