Was observed that a malware known as DarkGate spreads via platforms instant messaging like Skype and Microsoft Teams.
In these attacks, messaging apps are used to deliver a Visual Basic for Applications load script (VBA) disguised as a PDF document which, when opened, triggers the download and execution of an AutoIt script designed to launch the malware.
What is known about DarkGate
“It’s unclear how the source accounts of the instant messaging applications were compromised, however it is speculated that this occurred through leaked credentials available through clandestine forums or through prior compromise of the parent organization“, has stated Trend Micro in a new analysis published Thursday.
DarkGate, first documented by Fortinet in November 2018, is a common malware which incorporates a wide range of features to collect sensitive data from web browsersconduct cryptocurrency mining and allow its operators to remotely control infected hosts.
This malware also works as additional load downloaders, such as the Remcos RAT.
Social engineering campaigns that they distribute malware have seen an increase in recent months, taking advantage of initial entry tactics such as phishing emails and Search engine “hijacking” (SEO) to convince unsuspecting users to install it.
This increase follows the decision of the (rightly unknown) author of the malware to advertise it on clandestine forums and to rent it as malware service to other attackers after years of private use.
The use of Microsoft Teams chat messages as a propagation vector for DarkGate was previously highlighted by Truesec early last monthindicating that it is likely to be used by various malicious actors.
Most of the attacks were detected in the Americasfollowed closely by Asia, Middle East and Africa, according to Trend Micro.
The general infection procedure that abuses Skype and Teams closely resembles a malspam campaign reported by Telekom Security at the end of August 2023with the exception of the change in the initial access route.
“The threat abused a relationship of trust between the two organizations to trick the recipient into executing the attached VBA script“said Trend Micro researchers Trent Bessell, Ryan Maglaque, Aira Marcelo, Jack Walsh and David Walsh.
The researchers later stated: “Access to the victim’s Skype account allowed the perpetrator [dell’hacking] to hijack an existing messaging discussion e change the extension and naming of files depending on the context of your chat history“.
The VBA script acts as a conduit for recover legitimate AutoIt application (AutoIt3.exe) and an associated AutoIT script responsible for launching the DarkGate malware.
Another attack sequence involves attackers sending a Microsoft Teams message containing a ZIP archive attachment with an LNK file which, in turn, is designed to run a VBA script to recover AutoIt3.exe and the DarkGate artifact.
“Cyber criminals they can use these payloads to infect systems with various types of malwareincluding information stealers, ransomware, malicious or abused remote management tools, and cryptocurrency miners“said the researchers.
The researchers therefore conclude by saying: “Until external messaging is allowed or abuse of trust relationships via compromised accounts is controlled, This initial login technique can be used with any instant messaging (IM) app.“.
#DarkGate #malware #disguises #PDF #files