Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
DarkGate, a piece of malware has been observed being spread via instant messaging platforms such as Microsoft Teams and Skype.
How the Attack Works?
In these attacks, a Visual Basic for Applications (VBA) loader script disguised as a PDF document is sent over messaging applications, and when read, causes the download and execution of an AutoIt script meant to start the malware.
Security researchers declared that it is yet unclear how the originating accounts of the messaging apps were compromised, but it is hypothesized to be either through leaked credentials or a previous compromise of the parent organization.
DarkGate Explained
DarkGate is a piece of commodity malware that was first identified in November 2018. It has a wide range of features that allow its operators to remotely control the infected machines while also collecting sensitive data from web browsers and mining cryptocurrencies. Additionally, it serves as a downloader for other payloads like Remcos RAT.
The number of social engineering operations disseminating the malware has increased recently. These campaigns use first entrance techniques including phishing emails and SEO poisoning to trick unsuspecting users into installing the malware.
The increase is the result of the malware author’s choice, after using it privately for years, to rent out the virus on a malware-as-a-service basis to other threat actors.
A majority of the attacks have been detected in the Americas, followed by Asia, the Middle East, and Africa.
With the exception of the alteration in the initial access channel, the complete infection technique utilizing Skype and Teams closely mirrors a malspam campaign from late August 2023.
Security researchers believe that the attacks occurred due to threat actors abusing a trusted relationship between the two organizations to deceive the recipient into executing the VBA script. The AutoIT script that launches the DarkGate infection is coupled with the genuine AutoIt application (AutoIt3.exe), which is fetched by the VBA script.
Alternatively, the attackers may send a message to Microsoft Teams with a ZIP archive attachment containing an LNK file, which would then be used to launch a VBA script to obtain AutoIt3.exe and the DarkGate artifact.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube for more cybersecurity news and topics.
Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.
