
Skype message threads hijacked to spread DarkGate malware


Threat actors were observed abusing Skype to distribute DarkGate malware as the sophisticated loader continues its recent resurgence in popularity.

Although DarkGate has been around since 2017, researchers have noticed a surge in campaigns deploying it since the middle of this year, speculating that the uptick in activity is the result of the malware’s developer advertising it for lease on dark web forums.

Last month, Truesec researchers reported observing compromised Microsoft 365 accounts sending Teams chat messages with malicious links leading victims to download the DarkGate loader in the form of a VBA script.

In an Oct. 12 post, researchers at Trend Micro outlined another ongoing campaign by unidentified threat actors to distribute DarkGate to targeted organizations. The campaign, which they observed between July and September, used the Skype messaging platform, as well as Teams.

Trend Micro said 41% of the attacks were against targets in the Americas, 31% hit Asia, the Middle East, and Africa, while the remaining 28% targeted Europe.

“It’s unclear how the originating accounts of the instant messaging applications were compromised, however [it] is hypothesized to be either through leaked credentials available through underground forums or the previous compromise of the parent organization,” the researchers said.

External messaging used to make initial contact

Having compromised a target’s Skype account, the threat actors hijacked an existing conversation thread, even going to the trouble of renaming the malicious VBS script (disguised as a PDF file) so it related to the context of the chat history.

In another case, the Trend Micro researchers observed the threat actors sending a message containing a malicious .LNK file from a compromised Microsoft Teams account to a target in another organization. This technique, similar to the attack method described by Truesec last month, is only possible if the victim is within an organization that allows Teams messages to be received from external senders, a feature Microsoft enables customers to switch off (although it is permitted by default).

The researchers observed a third method of delivering the VBS script: via a .LNK file in a compressed file from the sender’s SharePoint site. The victim is encouraged to navigate to the SharePoint site and download a malicious file named “Significant company changes.”

Once the DarkGate payload is executed, the malware achieves persistence by dropping a randomly named LNK file to the Windows User Startup folder, enabling automatic execution of the file at every system startup.
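The delivery and persistence behaviors described above translate into two simple file-creation checks. The following is an added example, not code from Trend Micro or from this article: it triages constructed records shaped like Sysmon Event ID 11 (FileCreate) events, and the baseline list, decoy extensions and random-name heuristic are all assumptions to tune per environment.

```python
import re
from pathlib import PureWindowsPath

# Per-user Startup folder (standard Windows location), compared in lower case.
STARTUP_DIR = r"\appdata\roaming\microsoft\windows\start menu\programs\startup"
# Assumption: shortcut names this environment expects to see in Startup.
BASELINE = {"onedrive.lnk", "send to onenote.lnk"}
DECOY_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\b", re.I)  # assumption: decoy types
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}", re.I)

def triage(path):
    """Return a list of findings for one created-file path (empty if benign)."""
    p = PureWindowsPath(path)
    ext, stem, findings = p.suffix.lower(), p.stem, []
    # Delivery: a .vbs or .lnk whose name still carries a document extension.
    if ext in {".vbs", ".lnk"} and DECOY_EXT.search(stem):
        findings.append("script-disguised-as-document")
    # Persistence: a shortcut written to a user's Startup folder.
    if ext == ".lnk" and str(p.parent).lower().endswith(STARTUP_DIR):
        if p.name.lower() not in BASELINE:
            findings.append("unbaselined-startup-lnk")
            # Crude randomness hint: no spaces, long consonant run.
            if stem.isalnum() and CONSONANT_RUN.search(stem):
                findings.append("random-looking-name")
    return findings

# Constructed sample events, shaped like Sysmon Event ID 11 (FileCreate).
EVENTS = [
    {"Computer": "WS01", "TargetFilename": r"C:\Users\ana\Downloads\Q3 forecast.pdf.vbs"},
    {"Computer": "WS01", "TargetFilename": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hbkfcgae.lnk"},
    {"Computer": "WS02", "TargetFilename": r"C:\Users\li\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk"},
    {"Computer": "WS02", "TargetFilename": r"C:\Users\li\Documents\Q3 forecast.pdf"},
]

def run(events=EVENTS):
    """Return (host, path, findings) for every event with at least one finding."""
    hits = []
    for e in events:
        found = triage(e["TargetFilename"])
        if found:
            hits.append((e["Computer"], e["TargetFilename"], found))
    return hits

if __name__ == "__main__":
    for host, path, found in run():
        print(host, path, ", ".join(found))
```

The baseline comparison does the real work here; the consonant-run check only raises priority and will miss random names that happen to look pronounceable.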

Trend Micro said in the cases it observed, the attacks were detected and contained before the threat actor could achieve their objectives. Exactly what those objectives were remained unclear, and could vary given that DarkGate was actively marketed to a range of criminal gangs on the dark web.

“Cybercriminals can use these payloads to infect systems with various types of malware, including info stealers, ransomware, malicious and/or abused remote management tools, and cryptocurrency miners,” the researchers said.

They pointed out that in the case of the Skype attack, the threat actors had taken advantage of a messaging platform that an organization was actively using to communicate with third-party suppliers, making it easy to convince the victim to access the malicious file.

“As long as external messaging is allowed, or abuse of trusted relationships via compromised accounts is unchecked, then this technique for initial entry can be done to and with any instant messaging (IM) apps,” they said.

“The recipient [of the phishing message] was just the initial target to gain a foothold in the environment. The goal is still to penetrate the whole environment, and depending on the threat group that bought or leased the DarkGate variant used, the threats can vary from ransomware to cryptomining.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
