A recent phishing attack, known as the “MrTonyScam,” is utilizing Facebook Messenger to spread malicious messages containing attachments from a multitude of fake and hijacked personal accounts. The main objective of this attack is to gain control of the victims’ Business accounts. The campaign is associated with a Vietnam-based group and employs a compressed file attachment that contains a Python-based stealer using various obfuscation techniques.
The attack begins by sending potential victims enticing messages with RAR and ZIP archive attachments. Clicking on these attachments triggers the deployment of a dropper that fetches the next stage from either a GitHub or GitLab repository. This next stage includes an archive file containing a CMD file, which, in turn, harbors an obfuscated Python-based stealer. This stealer is designed to exfiltrate all cookies and login credentials from various web browsers, sending the stolen information to an actor-controlled Telegram or Discord API endpoint.
One cunning tactic used by the attackers involves deleting all stolen cookies after theft. This action effectively logs victims out of their own accounts, allowing the scammers to hijack their sessions. The stolen cookies are used to change victims’ passwords, enabling the attackers to seize control of the compromised accounts.
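The chain described above (archive attachment, CMD file, obfuscated Python stealer, exfiltration to a Telegram or Discord API endpoint) is what an endpoint detection should correlate. The following is an added example, not code from the original report or from any vendor: it parses constructed process and network telemetry and flags a Python interpreter launched by cmd.exe that connects to a messaging-API host shortly after starting. The record format, the hostnames in `EXFIL_HOSTS`, and the 300-second window are assumptions made for the example.

```python
# Added example (not from the original article): a small detector for the
# cmd.exe -> python -> Telegram/Discord API chain, run over constructed telemetry.
# Each constructed record: ts|kind|pid|image|ppid|parent_image|cmdline-or-dest_host
from dataclasses import dataclass
from typing import Dict, List

# Assumed destination hosts behind "actor-controlled Telegram or Discord API endpoint".
EXFIL_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
SUSPECT_PARENTS = {"cmd.exe"}  # the CMD-file stage that launches the stealer


@dataclass
class Event:
    ts: int
    kind: str            # "process" (creation) or "network" (outbound connection)
    pid: int
    image: str
    ppid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    dest_host: str = ""


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Event:
    # Split on at most 6 pipes so a command line may itself contain '|'.
    ts, kind, pid, image, ppid, parent, tail = line.split("|", 6)
    if kind == "process":
        return Event(int(ts), kind, int(pid), image, int(ppid), parent, cmdline=tail)
    return Event(int(ts), kind, int(pid), image, dest_host=tail)


def process_chain_alerts(events: List[Event], window: int = 300) -> List[Dict]:
    """Flag a python process spawned by cmd.exe that reaches an exfil host within `window` seconds."""
    # Latest process-creation record per pid (pid reuse is resolved to the newest record).
    procs: Dict[int, Event] = {e.pid: e for e in events if e.kind == "process"}
    alerts: List[Dict] = []
    for net in events:
        if net.kind != "network" or net.dest_host.lower() not in EXFIL_HOSTS:
            continue
        proc = procs.get(net.pid)
        if proc is None or basename(proc.image) not in PYTHON_IMAGES:
            continue
        if basename(proc.parent_image) not in SUSPECT_PARENTS:
            continue
        if not 0 <= net.ts - proc.ts <= window:
            continue
        alerts.append({
            "pid": net.pid,
            "dest_host": net.dest_host,
            "cmdline": proc.cmdline,
            "seconds_after_start": net.ts - proc.ts,
        })
    return alerts


def run_detection(log_text: str, window: int = 300) -> List[Dict]:
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return process_chain_alerts(events, window)


# Constructed sample telemetry: one malicious chain plus benign python and cmd activity.
SAMPLE_LOG = """\
1694000100|process|4120|C:\\Windows\\System32\\cmd.exe|3988|C:\\Program Files\\WinRAR\\WinRAR.exe|cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.cmd
1694000104|process|4188|C:\\Users\\alice\\AppData\\Local\\Temp\\py\\pythonw.exe|4120|C:\\Windows\\System32\\cmd.exe|pythonw.exe -c "<obfuscated payload>"
1694000110|network|4188|C:\\Users\\alice\\AppData\\Local\\Temp\\py\\pythonw.exe|||api.telegram.org
1694000200|process|5001|C:\\Program Files\\Python311\\python.exe|700|C:\\Windows\\explorer.exe|python.exe build.py
1694000210|network|5001|C:\\Program Files\\Python311\\python.exe|||pypi.org
1694000300|network|4120|C:\\Windows\\System32\\cmd.exe|||discord.com
"""

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG):
        print(alert)
```

Only the pythonw.exe process spawned by cmd.exe and calling api.telegram.org is flagged; the developer's python.exe talking to pypi.org and the cmd.exe connection to discord.com are left alone because they do not complete the parent-image, child-image and destination triple. In production the same rule would sit on Sysmon or EDR process-creation and network-connection events rather than on this constructed format.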
This campaign has seen a high success rate in compromising victims’ accounts, despite the fact that the infection requires user interaction to actually download the malicious file. The majority of victims have been reported from the US, Australia, Canada, France, Germany, Indonesia, Japan, Nepal, Spain, the Philippines, and Vietnam.
“These threat actors are targeting millions of business accounts on Facebook’s platform — from highly-rated marketplace sellers to large corporations, with fake business inquiries, achieving a staggering ‘success rate’ with approximately 1 out of 70 infected!”, researchers mentioned.
The main targets are Facebook accounts with a high following, reputation and seller rating, as these sell for large sums on dark markets. Such accounts are then used to reach a wider audience for spreading advertisements and scams.
Most of these Vietnam-related cyberthreats share similarities in their infrastructure and capabilities, which suggests that the threat actors may have working relationships, such as sharing tools and TTPs with each other.