Security researchers at Trend Micro have reported attacks in which DarkGate malware operators used compromised Skype accounts to infect targets with a VBA loader script attached to chat messages. “The victim's Skype account gave the actors the ability to hijack an existing chat thread and aptly name the files in relation to the conversation history context,” Trend Micro commented.
It is not yet clear how the originating accounts on the messaging applications were compromised. Trend Micro speculated that this could be due to leaked credentials available on underground forums or to a previous compromise within the parent organization.
Microsoft Teams Also a Route for DarkGate Spread
During its investigation, Trend Micro further noted that the DarkGate operators were also attempting to push their malware through Microsoft Teams at companies that had configured the service to accept messages from external users. Earlier phishing campaigns on Teams that used a malicious VBScript to deploy DarkGate were observed by Truesec and Malwarebytes.
We reported on the DarkGate malware leveraging fake Teams meetings last month. These malicious actors were targeting Microsoft Teams users via compromised Office 365 accounts from outside their organizations, using a readily available tool dubbed TeamsPhisher. This tool allowed attackers to bypass incoming file restrictions from external tenants, thereby sending phishing attachments to Teams users.
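The Teams exposure described above comes down to a tenant setting: whether external (federated) tenants and consumer accounts may start chats with your users. The following PowerShell is an added example, not code from Trend Micro or any of the vendors named above; it audits that setting and then applies a restrictive configuration. It assumes the MicrosoftTeams PowerShell module and a Teams administrator account, and "contoso.example" is a placeholder partner domain, not a real one.

```powershell
# Added example (not from the report): audit and tighten Microsoft Teams
# external access so that arbitrary external tenants and consumer
# Skype/Teams accounts cannot message users unsolicited.
# Assumes the MicrosoftTeams module is installed and the caller holds a
# Teams administrator role. "contoso.example" is a placeholder domain.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Audit the current tenant-wide federation settings.
$fed = Get-CsTenantFederationConfiguration
$fed | Select-Object AllowFederatedUsers, AllowTeamsConsumer,
                     AllowTeamsConsumerInbound, AllowPublicUsers,
                     AllowedDomains, BlockedDomains | Format-List

# The weak posture: federation on, and AllowedDomains is the
# "allow all known domains" object rather than an explicit allow list,
# so any external tenant can open a chat with your users.
if ($fed.AllowFederatedUsers -and
    $fed.AllowedDomains.GetType().Name -eq 'AllowAllKnownDomains') {
    Write-Warning "External access is open to every tenant; restrict it to an allow list."
}
if ($fed.AllowTeamsConsumer -or $fed.AllowPublicUsers) {
    Write-Warning "Consumer Teams/Skype accounts can reach users; consider disabling."
}

# 2. Hardened posture: keep federation only with explicitly named partner
#    tenants and block consumer accounts entirely. Add one
#    New-CsEdgeDomainPattern per trusted partner domain.
$partner = New-CsEdgeDomainPattern -Domain "contoso.example"
$allow   = New-CsEdgeAllowList -AllowedDomain $partner

Set-CsTenantFederationConfiguration -AllowedDomains $allow `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# 3. Re-read the configuration to confirm the change was applied.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowPublicUsers, AllowedDomains
```

If the organization has no business need for federation at all, `Set-CsTenantFederationConfiguration -AllowFederatedUsers $false` closes the channel outright. Note that the allow list only governs which tenants can initiate contact; attachments arriving from an allowed partner still deserve the same scrutiny the article describes, since the compromised accounts in these campaigns belonged to otherwise legitimate organizations.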
“The primary ambition is to penetrate the whole environment, where the threats fluctuate from ransomware to cryptomining based on the threat group purchasing or leasing the DarkGate variant,” Trend Micro stated. “From our telemetry, we observed DarkGate was leading to detection of tools commonly linked to the Black Basta ransomware group.”
DarkGate: A Preferred Tool for Cybercriminals' Initial Network Access
Since the Qakbot botnet was disrupted in August by an international law enforcement operation, cybercriminals have increasingly adopted the DarkGate malware loader as their primary choice for gaining initial access to corporate networks. Before Qakbot's takedown, an individual claiming to be DarkGate's developer tried to sell subscriptions on a hacking forum, with an annual fee of up to $100,000.
The malware was promised to offer numerous features, including a concealed VNC, the ability to bypass Windows Defender, a browser history theft tool, an integrated reverse proxy, a file manager, and a Discord token stealer.
Posts documenting DarkGate infections through various delivery methods, such as phishing and malvertising, have since seen a remarkable increase. This surge indicates the deepening influence of this malware-as-a-service (MaaS) operation in the cybercriminal space, highlighting criminals' determination to adapt and change their tactics despite setbacks.
What is the DarkGate Malware?
The malware is equipped with various features, including persistence mechanisms, privilege escalation, defense evasion techniques, and credential access. It can detect and evade common sandbox and virtual machine (VM) solutions, check for well-known antivirus products, and even mask its presence by injecting itself into legitimate Windows processes. Additionally, it can steal data from various programs, ranging from web browsers to software such as Discord and FileZilla.