October 12, 2023 at 04:59PM
A threat actor is using compromised Skype and Microsoft Teams accounts to distribute DarkGate, a malware associated with information theft, keylogging, cryptocurrency mining, and ransomware. The campaign targets organizations in the Americas, and the developer of DarkGate is advertising it on underground forums and leasing it out as a service to other threat actors. Phishing messages sent through Skype and Teams deliver the malware, and organizations should enforce usage rules and implement security measures to prevent such attacks.
Takeaways from the meeting notes:
– A threat actor is using compromised Skype and Microsoft Teams accounts to distribute DarkGate, a malware associated with multiple malicious activities.
– The campaign has primarily targeted organizations in the Americas and has been active since August.
– The developer of DarkGate has started advertising the malware on underground forums and renting it out on a malware-as-a-service basis.
– DarkGate has recently seen a surge in activity after a period of relative inactivity.
– In the attacks analyzed, the threat actor used compromised Skype and Teams accounts to send malicious files to target recipients.
– The malware has various capabilities, including information theft, keylogging, cryptocurrency mining, and ransomware.
– DarkGate drops additional payloads once installed, including variants of DarkGate itself and the Remcos remote access Trojan.
– Organizations should enforce rules around the use of instant messaging applications like Skype and Teams, including blocking external domains, controlling attachments, and implementing scanning measures if possible.
– Multifactor authentication is crucial to prevent threat actors from misusing illegally obtained credentials to hijack IM accounts.
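The controls in the last two takeaways (blocking external domains, scanning attachments) can be applied to a Microsoft 365 tenant from PowerShell. The script below is an added example, not from the original article; it assumes the MicrosoftTeams and ExchangeOnlineManagement modules are installed, that an admin has already run Connect-MicrosoftTeams and Connect-ExchangeOnline, and that the cmdlet names and parameters match the module version in use (verify against the current module documentation before running). The domain names are placeholders.

```powershell
# Added example (not from the original article): restrict Teams/Skype external access
# and turn on attachment scanning. Assumes Connect-MicrosoftTeams and
# Connect-ExchangeOnline have already been run by a tenant admin.

# 1. Record the current federation settings before changing anything.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer, AllowedDomains

# 2. Cut off Skype consumer accounts and personal Teams accounts entirely. These are
#    the account types an attacker can most easily obtain or hijack to reach staff.
Set-CsTenantFederationConfiguration -AllowPublicUsers $false -AllowTeamsConsumer $false

# 3. Replace "accept chats from any external tenant" with an explicit allow list of
#    partner domains (placeholder names; substitute the tenants you actually federate with).
$trustedDomains = @("partner-one.example", "partner-two.example") |
    ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $trustedDomains
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 4. Have Defender for Office 365 Safe Attachments scan files shared through Teams,
#    SharePoint and OneDrive (requires a Defender for Office 365 licence).
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# 5. Re-read the settings so the change can be evidenced in the change record.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer, AllowedDomains
```

Federation changes can take some time to propagate across the tenant, so re-check the settings with a test external account rather than assuming the new policy is live immediately.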