The Information Highway

The Information Highway

Font size: +
2 minutes reading time (388 words)

DarkGate malware spreads through compromised Skype accounts

Between July and September, DarkGate malware attacks have used compromised Skype accounts to infect targets through messages containing VBA loader script attachments. 

According to Trend Micro security researchers who spotted the attacks, this script downloads a second-stage AutoIT script designed to drop and execute the final DarkGate malware payload.

"Access to the victim's Skype account allowed the actor to hijack an existing messaging thread and craft the naming convention of the files to relate to the context of the chat history," Trend Micro said

"It's unclear how the originating accounts of the instant messaging applications were compromised, however is hypothesized to be either through leaked credentials available through underground forums or the previous compromise of the parent organization,"

Trend Micro also observed the DarkGate operators trying to push their malware payload through Microsoft Teams in organizations where the service was configured to accept messages from external users.

Teams phishing campaigns using malicious VBScript to deploy DarkGate malware were previously spotted by Truesec and MalwareBytes.

As they explained, malicious actors targeted Microsoft Teams users via compromised Office 365 accounts outside their organizations and a publicly available tool named TeamsPhisher. This tool enables attackers to bypass restrictions for incoming files from external tenants and send phishing attachments to Teams users.

DarkGate delivery via Skype (Trend Micro)

"The goal is still to penetrate the whole environment, and depending on the threat group that bought or leased the DarkGate variant used, the threats can vary from ransomware to cryptomining," Trend Micro said.

"From our telemetry, we have seen DarkGate leading to tooling being detected commonly associated with the Black Basta ransomware group." 

DarkGate malware surge

The malware was touted to offer a wide range of features, including a concealed VNC, capabilities to bypass Windows Defender, a browser history theft tool, an integrated reverse proxy, a file manager, and a Discord token stealer.

Following this announcement, there's been a noticeable uptick in reports documenting DarkGate infections via various delivery methods, such as phishing and malvertising.

This recent surge in DarkGate activity underscores the growing influence of this malware-as-a-service (MaaS) operation within the cybercriminal sphere.

It also emphasizes the threat actors' determination to continue their attacks, adapting their tactics and methods despite disruptions and challenges. 

Qubitstrike attacks rootkit Jupyter Linux servers ...
23andMe hit with lawsuits after hacker leaks stole...
 

Comments

No comments made yet. Be the first to submit a comment
Monday, 23 December 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023