BatShadow Group Uses New Go-Based 'Vampire Bot' Malware to Hunt Job Seekers

By Declan Murphy, October 7, 2025
Oct 07, 2025, Ravie Lakshmanan, Malware / Threat Intelligence

A Vietnamese threat actor named BatShadow has been attributed to a new campaign that uses social engineering tactics to deceive job seekers and digital marketing professionals and deliver a previously undocumented malware called Vampire Bot.

"The attackers pose as recruiters, distributing malicious files disguised as job descriptions and corporate documents," Aryaka Threat Research Labs researchers Aditya K Sood and Varadharajan K said in a report shared with The Hacker News. "When opened, these lures trigger the infection chain of a Go-based malware."

The attack chains, per the cybersecurity company, use ZIP archives containing decoy PDF documents together with malicious shortcut (LNK) or executable files that are disguised as PDFs to trick users into opening them. When launched, the LNK file runs an embedded PowerShell script that reaches out to an external server to download a lure document, a PDF for a marketing job at Marriott.

The PowerShell script also downloads from the same server a ZIP file that includes files related to XtraViewer, a remote desktop connection software, and executes it, most likely to establish persistent access to compromised hosts.


Victims who click a link in the lure PDF to supposedly "preview" the job description are directed to another landing page that serves a fake error message stating the browser is unsupported and that "the page only supports downloads on Microsoft Edge."

"When the user clicks the OK button, Chrome simultaneously blocks the redirect," Aryaka said. "The page then displays another message instructing the user to copy the URL and open it in the Edge browser to download the file."

The attacker's instruction to use Edge rather than, say, Google Chrome or another web browser is likely because scripted pop-ups and redirects are blocked by default, whereas manually copying and pasting the URL into Edge lets the infection chain proceed, since the navigation is treated as a user-initiated action.

Should the victim open the page in Edge, the URL is programmatically launched in the browser, only to display a second error message: "The online PDF viewer is currently experiencing an issue. The file has been compressed and sent to your device."

This subsequently triggers the auto-download of a ZIP archive containing the purported job description, along with a malicious executable ("Marriott_Marketing_Job_Description.pdf.exe") that mimics a PDF by padding extra spaces between ".pdf" and ".exe", so the real extension is pushed out of view in file listings.
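The two lure archives described above (a decoy PDF beside an LNK, and a padded ".pdf   .exe" double extension) are both detectable from the archive listing alone, before anything is opened. The following Python check is an added example and is not code from Aryaka or from the campaign; the archive it inspects is constructed inline with hypothetical entry names modelled on the one reported in the article, and the extension lists and reasons are the author's choices, not an indicator feed.

```python
import io
import re
import zipfile

# A document-looking extension, optional whitespace padding (ASCII space, tab,
# NBSP, figure space, narrow NBSP, ideographic space), then an executable
# extension. Catches "Report.pdf                .exe" as well as "Report.pdf.lnk".
DOUBLE_EXT = re.compile(
    r"\.(?:pdf|docx?|xlsx?|pptx?|txt)[ \t\u00a0\u2007\u202f\u3000]*"
    r"\.(?:exe|scr|com|pif|bat|cmd|js|vbs|lnk|msi|hta)$",
    re.IGNORECASE,
)
# Any executable-type name, used for the plain "exe in a document archive" case.
EXEC_EXT = re.compile(
    r"\.(?:exe|scr|com|pif|bat|cmd|js|vbs|lnk|msi|hta)$", re.IGNORECASE
)
PE_MAGIC = b"MZ"  # DOS/PE header; a "PDF" that starts with this is not a PDF


def suspicious_entries(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry_name, reason) for each archive member that looks like a
    masqueraded executable or an LNK shipped next to document decoys."""
    findings: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if DOUBLE_EXT.search(name):
                findings.append(
                    (name, "document extension followed by executable extension "
                           "(padding-masked double extension)")
                )
            elif name.lower().endswith(".lnk"):
                findings.append((name, "Windows shortcut (LNK) inside a document archive"))
            elif EXEC_EXT.search(name):
                findings.append((name, "executable file type inside a document archive"))
            # Content check: only the first two bytes are read, so this stays
            # cheap even for large members and never executes anything.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC and not EXEC_EXT.search(name):
                findings.append((name, "PE header (MZ) under a non-executable extension"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real capture) with one benign decoy
    and three masquerading members, for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Marriott_Marketing_Job_Description.pdf", b"%PDF-1.7\n%decoy\n")
        zf.writestr(
            "Marriott_Marketing_Job_Description.pdf" + " " * 40 + ".exe",
            b"MZ\x90\x00" + b"\x00" * 60,
        )
        zf.writestr("Company_Profile.pdf.lnk", b"L\x00\x00\x00" + b"\x00" * 16)
        zf.writestr("Benefits_Overview.pdf", b"MZ\x90\x00")  # PE bytes, PDF name
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in suspicious_entries(build_sample_archive()):
        print(f"{entry!r}: {reason}")
```

The name check runs before the content check on purpose: a padded double extension is suspicious even when the bytes are not a PE (a script or LNK), and the MZ check catches the reverse case where the name is clean but the payload is an executable. Hidden-extension display in Explorer is what the padding abuses, so a mail gateway or EDR rule keyed on the archive listing, not on what the user sees, is the right place for this.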

The executable is a Golang malware dubbed Vampire Bot that can profile the infected host, steal a wide range of data, capture screenshots at configurable intervals, and maintain communication with an attacker-controlled server ("api3.samsungcareers[.]work") to run commands or fetch additional payloads.

BatShadow's links to Vietnam stem from the use of an IP address (103.124.95[.]161) that has previously been flagged as used by hackers with ties to the country. Furthermore, digital marketing professionals have been one of the main targets of attacks by various Vietnamese financially motivated groups, which have a track record of deploying stealer malware to hijack Facebook business accounts.


In October 2024, Cyble also disclosed details of a sophisticated multi-stage attack campaign orchestrated by a Vietnamese threat actor that targeted job seekers and digital marketing professionals with Quasar RAT, using phishing emails containing booby-trapped job description files.

BatShadow is assessed to have been active for at least a year, with prior campaigns using similar domains, such as samsung-work.com, to propagate malware families including Agent Tesla, Lumma Stealer, and Venom RAT.

"The BatShadow threat group continues to employ sophisticated social engineering tactics to target job seekers and digital marketing professionals," Aryaka said. "By leveraging disguised documents and a multi-stage infection chain, the group delivers a Go-based Vampire Bot capable of system surveillance, data exfiltration, and remote task execution."
