Between July and September, a surge in DarkGate malware attacks was observed that used compromised Skype accounts to target unsuspecting users. The attacks were characterized by messages carrying VBA loader script attachments; when a recipient executed the attachment, it downloaded and ran the DarkGate malware payload.
Key Highlights:
- DarkGate malware attacks utilized compromised Skype accounts to spread malicious VBA loader script attachments.
- The malware’s second stage involves an AutoIt script that drops and executes the final DarkGate payload.
- The attackers were able to hijack existing Skype messaging threads, crafting file names to align with the chat’s context.
- The exact method of Skype account compromise remains unclear but could involve leaked credentials or prior organizational breaches.
- DarkGate operators also attempted to distribute their malware through Microsoft Teams, especially in configurations that accepted messages from external users.
The Modus Operandi:
Once inside a victim's Skype account, the threat actor could hijack an existing messaging thread. That let them name the malicious files to match the chat's history, making the lure far more convincing than a cold message from a stranger. How these Skype accounts were compromised is not known; the possibilities raised include credentials leaked on underground forums and a prior compromise of the parent organization.
Microsoft Teams: Another Target:
Skype was not the only platform targeted. Trend Micro researchers also observed DarkGate operators attempting to deliver the payload through Microsoft Teams, particularly in organizations whose Teams tenant was configured to accept messages from external users; restricting external access, or allowing only specific trusted domains, closes that delivery path. Earlier campaigns that targeted Microsoft Teams users with malicious VBScript to deploy DarkGate had already been identified by Truesec and Malwarebytes.
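The delivery chain described above (chat client delivers a VBScript loader, the loader runs under a script host, and an AutoIt script then drops and executes the payload) is visible in ordinary process-creation telemetry. The following is an added detection example written for this page, not code from Trend Micro or from the reports cited; the event layout (host, ts, parent, image, cmdline), the process names it keys on, the correlation window and the sample events are all assumptions constructed for illustration. It flags a script host spawned by Skype or Teams with a .vbs/.vbe argument as a suspected loader, and raises the severity when AutoIt activity follows on the same host within ten minutes.

```python
"""Correlate chat-client -> script-host -> AutoIt process-creation events.

Added example, not the page's or the vendors' own code. Field names,
process names, the window length and the sample events are assumptions.
"""
import re
from datetime import datetime, timedelta

# Assumed image names for the chat clients and script hosts involved.
CHAT_CLIENTS = {"skype.exe", "teams.exe", "ms-teams.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
VBS_ARG = re.compile(r"\.vb[se]\b", re.IGNORECASE)   # .vbs / .vbe on the command line
AU3_ARG = re.compile(r"\.au3\b", re.IGNORECASE)      # AutoIt script argument
CHAIN_WINDOW = timedelta(minutes=10)                 # assumed correlation window


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def stage(ev):
    """Classify one event as 'loader', 'autoit' or None.

    Caveat: an AutoIt interpreter renamed to something other than
    AutoIt3.exe and invoked without a .au3 argument is not matched here.
    """
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    if parent in CHAT_CLIENTS and image in SCRIPT_HOSTS and VBS_ARG.search(cmd):
        return "loader"
    if image == "autoit3.exe" or AU3_ARG.search(cmd):
        return "autoit"
    return None


def detect_chain(events, window=CHAIN_WINDOW):
    """Return alerts: 'high' when AutoIt follows a loader on the same host
    within the window, 'medium' for a loader alone. AutoIt on its own is
    not reported because it is legitimately used in some environments."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        loaders = [e for e in evs if stage(e) == "loader"]
        autoits = [e for e in evs if stage(e) == "autoit"]
        for ld in loaders:
            t0 = datetime.fromisoformat(ld["ts"])
            follow = [a for a in autoits
                      if t0 <= datetime.fromisoformat(a["ts"]) <= t0 + window]
            if follow:
                alerts.append({"host": host, "severity": "high", "events": [ld] + follow})
            else:
                alerts.append({"host": host, "severity": "medium", "events": [ld]})
    return alerts


# Constructed sample telemetry (not real logs). Hosts ws-01 and ws-02 show
# the chain and a lone loader; ws-03 is benign noise that must not alert.
SAMPLE_EVENTS = [
    {"host": "ws-01", "ts": "2023-09-12T09:14:02", "parent": r"C:\Program Files\Skype\Skype.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\bob\Downloads\Q3_budget_review.vbs"'},
    {"host": "ws-01", "ts": "2023-09-12T09:16:40", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Temp\test\AutoIt3.exe",
     "cmdline": r'C:\Temp\test\AutoIt3.exe C:\Temp\test\script.au3'},
    {"host": "ws-02", "ts": "2023-09-12T10:02:11", "parent": r"C:\Program Files\Teams\Teams.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\meeting_notes.vbs"'},
    {"host": "ws-03", "ts": "2023-09-12T10:30:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Scripts\inventory.vbs"'},
    {"host": "ws-03", "ts": "2023-09-12T10:31:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Tools\AutoIt3.exe", "cmdline": r'C:\Tools\AutoIt3.exe C:\Tools\build.au3'},
]

if __name__ == "__main__":
    for a in detect_chain(SAMPLE_EVENTS):
        print(a["host"], a["severity"], [basename(e["image"]) for e in a["events"]])
```

Run as a script it reports ws-01 as high (loader followed by AutoIt) and ws-02 as medium (loader only); ws-03 produces nothing because the script host was launched from Explorer and AutoIt alone is deliberately not alerted on. In a real deployment the parent and image fields map onto Sysmon event ID 1 or the equivalent EDR process-start record.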
The Ultimate Goal:
There is no single endgame. Depending on the DarkGate variant and the group operating it, objectives range from ransomware deployment to cryptomining. Recent telemetry has also shown a connection between DarkGate and tools commonly associated with the Black Basta ransomware group.
DarkGate’s Growing Influence:
Adoption of the DarkGate loader among cybercriminals has risen noticeably, especially for initial access into corporate networks, and the trend became more pronounced after the Qakbot botnet was disrupted. An individual claiming to be DarkGate's developer has also tried to sell subscriptions on hacking forums, advertising a long list of features. The recent spike in activity underscores DarkGate's growing stature as a malware-as-a-service (MaaS) operation and the persistence of its operators.
Summary:
DarkGate has emerged as a significant threat, particularly through its use of compromised Skype accounts and deceptive messages. Its tactics work because the operators piggyback on existing chat threads, so the malicious files look legitimate in context. With Microsoft Teams also being targeted, the delivery surface is clearly broadening. Organizations and individuals should treat unexpected script attachments in chat as suspicious, limit external messaging where it is not needed, and keep their defenses current against these evolving threats.