Vietnamese Cyber Group ‘BatShadow’ Targets Job Seekers with ‘Vampire Bot’ Malware

A Vietnamese cybercriminal group known as BatShadow has been identified as orchestrating a sophisticated campaign aimed at job seekers and digital marketing professionals. By masquerading as recruiters, they distribute malicious files disguised as job descriptions and corporate documents to deploy a previously undocumented malware named ‘Vampire Bot.’

According to researchers Aditya K Sood and Varadharajan K from Aryaka Threat Research Labs, the attackers employ social engineering tactics to deceive individuals into opening these deceptive files. Once accessed, the files initiate an infection chain that ends with Go-based malware.

Infection Chain Details:

1. Initial Contact: Victims receive ZIP archives containing decoy PDF documents alongside malicious shortcut (LNK) or executable files disguised as PDFs.

2. Execution of Malicious Files: When the LNK file is opened, it executes an embedded PowerShell script that connects to an external server to download a lure document, such as a PDF for a marketing job at Marriott.

3. Establishing Persistence: The same PowerShell script downloads a ZIP file containing the files for XtraViewer, a remote desktop connection tool, which are then executed to establish persistent access to the compromised system.

4. Deceptive Web Navigation: Victims clicking on links within the lure PDF are redirected to a landing page displaying a fake error message stating that the browser is unsupported and that the page only supports downloads on Microsoft Edge.

5. Encouraging Use of Edge Browser: The attackers instruct victims to copy the URL and open it in the Edge browser to download the file, exploiting the fact that Edge may handle scripted pop-ups and redirects differently, allowing the infection chain to proceed.

6. Final Payload Delivery: Upon opening the page in Edge, another error message appears, stating that the online PDF viewer is experiencing an issue and that the file has been compressed and sent to the device. This triggers the automatic download of a ZIP archive containing a malicious executable named ‘Marriott_Marketing_Job_Description.pdf.exe’, which mimics a PDF by padding extra spaces between ‘.pdf’ and ‘.exe’ so that the real extension is pushed out of view in file listings.
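The archive-level tells in steps 1 and 6 (a Windows shortcut riding alongside a decoy PDF, and an executable whose name pads whitespace between a document extension and the real one) can be caught before anything is opened. The following is an added example written for this article, not code from Aryaka or from the campaign: it inspects the entry names of a ZIP archive and flags the two patterns described above. The extension sets, the 19-space padding width and the sample archive contents are constructed assumptions; the article does not state how many spaces the real lure used.

```python
import io
import re
import zipfile
from typing import Optional

# Extensions a lure commonly impersonates, and extensions that actually execute
# when double-clicked on Windows. Both sets are constructed for this example.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "lnk", "ps1",
                   "msi", "js", "vbs", "hta"}

# Decoy extension, an optional run of whitespace (including non-breaking
# spaces, which \s matches in Python 3), then the real extension at the end.
PADDED_DOUBLE_EXT = re.compile(
    r"\.(?P<decoy>[A-Za-z0-9]{1,5})(?P<pad>\s*)\.(?P<real>[A-Za-z0-9]{1,4})$"
)


def classify_filename(name: str) -> Optional[dict]:
    """Return a finding if `name` looks like a disguised executable, else None."""
    base = name.rsplit("/", 1)[-1]  # archive entries may carry a directory prefix
    m = PADDED_DOUBLE_EXT.search(base)
    if m:
        decoy, real = m.group("decoy").lower(), m.group("real").lower()
        if decoy in DOCUMENT_EXTS and real in EXECUTABLE_EXTS:
            return {
                "name": name,
                "decoy": decoy,
                "real": real,
                "padding": len(m.group("pad")),
                "reason": "document extension followed by executable extension",
            }
    # A bare Windows shortcut inside a job-offer archive is suspicious on its own.
    if base.lower().endswith(".lnk"):
        return {"name": name, "decoy": None, "real": "lnk", "padding": 0,
                "reason": "Windows shortcut in archive"}
    return None


def scan_zip_names(archive: bytes) -> list:
    """Classify every entry name in an in-memory ZIP; return only the findings."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        findings = [classify_filename(n) for n in zf.namelist()]
    return [f for f in findings if f is not None]


def build_sample_archive() -> bytes:
    """Constructed sample archive mirroring the layout the article describes.

    The payload bytes are placeholders, not a real executable.
    """
    padded = "Marriott_Marketing_Job_Description.pdf" + " " * 19 + ".exe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Description.pdf", b"%PDF-1.4 decoy document")
        zf.writestr(padded, b"MZ placeholder bytes")
        zf.writestr("readme.txt", b"benign text file")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_names(build_sample_archive()):
        print(f"{finding['name']!r}: {finding['reason']} "
              f"(padding={finding['padding']})")
```

The check deliberately works on names only, so it can run on mail gateways or file shares without extracting or executing anything; pairing it with a rule that alerts on `.lnk` entries spawning PowerShell covers step 2 of the chain as well.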

Capabilities of ‘Vampire Bot’:

The ‘Vampire Bot’ malware, written in Go, possesses several capabilities:

– System Profiling: Gathers detailed information about the infected host.

– Data Theft: Steals a wide range of information from the system.

– Screenshot Capture: Takes screenshots at configurable intervals.

– Command Execution: Maintains communication with an attacker-controlled server to run commands or fetch additional payloads.

Attribution to Vietnam:

BatShadow’s connection to Vietnam is suggested by the use of an IP address (103.124.95[.]161) previously flagged as associated with Vietnamese hackers. Additionally, digital marketing professionals have been primary targets of attacks by various Vietnamese financially motivated groups, known for deploying stealer malware to hijack Facebook business accounts.

Historical Context:

In October 2024, cybersecurity firm Cyble disclosed details of a sophisticated multi-stage attack campaign by a Vietnamese threat actor targeting job seekers and digital marketing professionals. This campaign utilized phishing emails containing booby-trapped job description files to deploy Quasar RAT.

BatShadow is believed to have been active for at least a year, with prior campaigns using similar domains, such as samsung-work.com, to propagate malware families including Agent Tesla, Lumma Stealer, and Venom RAT.

Conclusion:

The BatShadow threat group continues to employ sophisticated social engineering tactics to target job seekers and digital marketing professionals. By leveraging disguised documents and a multi-stage infection chain, the group delivers a Go-based ‘Vampire Bot’ capable of system surveillance, data exfiltration, and remote task execution.