A DarkGate malware campaign compromises Skype accounts

October 20, 2023

A newly discovered chain of DarkGate malware attacks, running from July to September, compromised numerous Skype accounts and used them to deliver malicious payloads to its targets.

The malware operators ran these campaigns by sending messages carrying VBA loader script attachments. According to reports, the VBA loader script in those messages downloads a second-stage AutoIT script, and that AutoIT script then drops and runs the final DarkGate payload.
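As an added example, not taken from the article or from any vendor tooling, the following Python check flags the delivery chain just described in process-creation events: a messaging client spawning a Visual Basic script host, followed by an AutoIt interpreter lower in the same process tree. The event field names, process names and sample records are constructed assumptions, not data from the campaign.

```python
import re

# Constructed process-creation events (simplified Sysmon-style fields).
# These are invented sample records, not telemetry from the article.
SAMPLE_EVENTS = [
    {"pid": 4,   "ppid": 0,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 100, "ppid": 4,   "image": r"C:\Program Files\Skype\Skype.exe", "cmdline": "Skype.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\Q3_report.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe C:\Users\u\AppData\Local\Temp\loader.au3"},
    # Benign: a script host started from the desktop shell, not from a chat client.
    {"pid": 600, "ppid": 4,   "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Windows\System32\slmgr.vbs /dli"},
]

# Assumed process names; extend for the clients and interpreters in your estate.
MESSAGING_CLIENTS = {"skype.exe", "teams.exe", "ms-teams.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
AUTOIT = {"autoit3.exe"}
VBS_ARG = re.compile(r"\.vb[se]\b", re.IGNORECASE)

def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestry(event, by_pid):
    """Image names of the event's parent, grandparent, ... (cycle-safe)."""
    names, seen, cur = [], set(), by_pid.get(event["ppid"])
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        names.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return names

def find_loader_chain(events):
    """Return (pid, reason) for events matching chat client -> VBS -> AutoIt."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        image, parents = basename(e["image"]), ancestry(e, by_pid)
        if image in SCRIPT_HOSTS and VBS_ARG.search(e["cmdline"]) \
                and parents and parents[0] in MESSAGING_CLIENTS:
            hits.append((e["pid"], "messaging client spawned a VBS loader"))
        elif image in AUTOIT and (SCRIPT_HOSTS | MESSAGING_CLIENTS) & set(parents):
            hits.append((e["pid"], "AutoIt interpreter descends from a script host or chat client"))
    return hits

if __name__ == "__main__":
    for pid, reason in find_loader_chain(SAMPLE_EVENTS):
        print(pid, reason)
```

Run against the sample records it reports pids 200 and 300 and stays silent on the slmgr.vbs invocation, because that script host's parent is the desktop shell rather than a chat client.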

Once they had taken over a victim’s Skype account, the attackers hijacked existing messaging threads and chose file names that appeared relevant to the ongoing chat history.

The analysis could not verify exactly how the attackers compromised the messaging app accounts. However, researchers suggested it may have resulted from leaked credentials available on underground forums or from earlier breaches within parent organisations.


The DarkGate malware campaign has also tried its luck on MS Teams.


In a separate instance, the DarkGate malware campaign attempted to spread its payload through Microsoft Teams in organisations whose Teams configuration accepts messages from external users.

In these operations, the attackers targeted MS Teams users from compromised Office 365 accounts outside the victims’ organisations, using a publicly available tool called TeamsPhisher. The tool enabled the threat actors to bypass restrictions on incoming files from external tenants and send phishing attachments to Teams users.

The main objective of these attacks is to infiltrate the entire environment. Depending on the specific threat group using the DarkGate variant, the risks can range from ransomware attacks to cryptocurrency mining activities.

DarkGate has become a prevalent malware choice for threat groups seeking initial access to corporate networks. The trend became evident after the Qakbot botnet was disrupted in August through international collaborative efforts; since then, numerous investigations have detailed DarkGate infections arriving through multiple delivery methods.

This recent surge in DarkGate activity shows the growing influence of this malware-as-a-service (MaaS) operation in the cybercriminal community. It also highlights the determination of the threat actors to sustain their attacks, even in the face of security disruptions and challenges, by adapting their tactics and methods.
