The malware named DarkGate, which first came into the limelight when Fortinet documented it in November 2018, has been detected spreading through popular instant messaging platforms including Skype and Microsoft Teams. Cybercriminals abuse these platforms by delivering a Visual Basic for Applications (VBA) loader script disguised as a PDF document. When an unsuspecting user opens it, the script downloads and runs an AutoIt script that deploys the malware. Trend Micro, a global leader in cybersecurity, shed light on this new delivery mechanism in an analysis it published recently.
Key Points:
- Malware is transmitted via Skype and Microsoft Teams.
- The VBA script acts as a medium to fetch the genuine AutoIt application and a related AutoIt script that launches the DarkGate malware.
- Attackers are employing a different approach where they send a Microsoft Teams message with a ZIP file attachment that contains an LNK file. This file is designed to execute the VBA script and subsequently retrieve AutoIt3.exe and the DarkGate malware.
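As an added illustration, not code from Trend Micro's analysis or the original article, the following Python sketch shows two defender-side checks for the chain described above: inspecting a ZIP attachment for LNK/script members or document-style double extensions, and flagging process-creation telemetry in which a messaging client spawns a script host that then launches AutoIt3.exe. The process names, file paths and sample events are constructed assumptions, not observed indicators.

```python
import io
import zipfile

# Constructed indicators for the chain the article describes: a ZIP (or fake
# "PDF") attachment carrying an LNK/VBA loader, which then runs AutoIt3.exe.
MESSAGING_CLIENTS = {"teams.exe", "ms-teams.exe", "skype.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
LOADER_EXTENSIONS = (".lnk", ".vbs", ".vbe", ".js", ".au3")

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def suspicious_zip_entries(data):
    """Return archive members that are loaders or use a document-style double extension."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return [n for n in names
            if n.lower().endswith(LOADER_EXTENSIONS) or ".pdf." in n.lower()]

def flag_process_chain(events):
    """events: (parent_image, image, command_line) tuples, Sysmon-style.
    Flags script hosts spawned by a messaging client and AutoIt3 runs that follow."""
    reasons = []
    for parent_image, image, cmdline in events:
        parent, child = basename(parent_image), basename(image)
        if parent in MESSAGING_CLIENTS and child in SCRIPT_HOSTS:
            reasons.append(f"{parent} spawned {child}: {cmdline}")
        elif parent in SCRIPT_HOSTS and child == "autoit3.exe":
            reasons.append(f"{parent} launched AutoIt3: {cmdline}")
    return reasons

def build_sample_zip():
    """Constructed attachment: one benign file plus an LNK posing as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("Invoice_Q3.pdf.lnk", b"\x4c\x00\x00\x00")  # fake LNK header
    return buf.getvalue()

# Constructed process-creation telemetry (parent image, image, command line).
SAMPLE_EVENTS = [
    (r"C:\Users\u\AppData\Local\Microsoft\Teams\current\Teams.exe",
     r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\u\Downloads\Invoice.pdf.vbs"),
    (r"C:\Windows\System32\wscript.exe", r"C:\Users\Public\AutoIt3.exe",
     r"AutoIt3.exe C:\Users\Public\script.au3"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    print(suspicious_zip_entries(build_sample_zip()))  # ['Invoice_Q3.pdf.lnk']
    print(flag_process_chain(SAMPLE_EVENTS))
```

In production the parent/child sets would be tuned to the environment's actual client binaries, and a legitimate AutoIt deployment would need to be allow-listed by path or signature rather than by name.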
Origin of Account Compromise
It remains uncertain how the originating accounts on these instant messaging applications were compromised. However, theories include the possibility of leaked credentials available on underground forums or prior breaches at the parent organization. This method of attack, through instant messaging platforms, brings to light the importance of securing communication tools, as cybercriminals continuously adapt and find innovative ways to infiltrate systems.
The Rise of DarkGate
DarkGate is not just any ordinary malware. It is equipped with a variety of features that allow it to extract sensitive information from browsers, undertake cryptocurrency mining, and grant its administrators remote access to the infected systems. It can also download further malicious payloads, such as the Remcos RAT.
Recent months have seen a spike in campaigns spreading this malware. These campaigns use phishing emails and search engine optimization (SEO) poisoning as their primary tactics to dupe users into installing it. The rise in activity followed the malware author's decision, after years of private use, to advertise it on underground forums and rent it to other cybercriminals on a malware-as-a-service (MaaS) basis.
Recent Attacks
Between July and September, compromised Skype accounts were used to infect systems by sending messages with VBA loader script attachments. Once a victim's Skype account is accessed, the attacker can take over existing message threads and adjust file names to match the context of the conversation.
Moreover, DarkGate operators have also attempted to disseminate their malware via Microsoft Teams, particularly in organizations that have configured the service to accept messages from external sources. Teams phishing campaigns that deploy DarkGate malware have previously been detected by cybersecurity firms such as Truesec and Malwarebytes.
Key Observations:
- Attackers exploit Microsoft Teams through compromised Office 365 accounts outside the target organizations.
- They also utilize a publicly accessible tool, TeamsPhisher, to bypass restrictions on files sent from external sources and deliver phishing attachments to Teams users.
- The overarching aim is still to infiltrate the entire system. Depending on which threat group is using the DarkGate variant, the risks could range from ransomware to crypto mining. Trend Micro’s data suggests that DarkGate is often linked with tools frequently detected by the Black Basta ransomware group.
DarkGate’s Expanding Influence
The DarkGate malware loader has been increasingly utilized by cybercriminals as an initial entry point into corporate networks. This trend was observed particularly after the Qakbot botnet was disrupted in August through a coordinated international effort.
Before the downfall of Qakbot, an individual claiming to be the developer of DarkGate tried to sell subscriptions on a hacking forum, with an annual fee reaching up to $100,000. The malware was promoted as having an array of features, from a hidden VNC and a browser history theft tool to a Discord token stealer. After this announcement, there was a marked increase in reports of DarkGate infections via varied delivery channels such as phishing and malvertising. This boost in activity highlights the malware-as-a-service operation's growing influence in the realm of cybercrime. It also underscores the persistence of these threat actors, who consistently adjust their tactics despite obstacles, seeking out new ways to achieve their objectives.