October 13, 2023 at 07:06AM
DarkGate, a piece of malware, is being spread through instant messaging platforms like Skype and Microsoft Teams. It is delivered as a loader script disguised as a PDF document, which triggers the download and execution of an AutoIt script that in turn launches the malware. DarkGate can harvest sensitive data, mine cryptocurrency, and give its operators remote control of infected hosts. It is usually distributed through social engineering campaigns and has seen a recent surge in attacks. The use of Microsoft Teams as a propagation vector suggests that more than one threat actor is involved. Attacks have been detected primarily in the Americas, followed by Asia, the Middle East, and Africa.
Key Takeaways from Meeting Notes:
– A piece of malware called DarkGate is being spread through instant messaging platforms like Skype and Microsoft Teams.
– The malware is delivered through Visual Basic for Applications (VBA) loader scripts disguised as PDF documents.
– The DarkGate malware can harvest sensitive data, conduct cryptocurrency mining, and allow remote control over infected hosts.
– Social engineering campaigns, such as phishing emails and search engine optimization (SEO) poisoning, are used to entice users into installing the malware.
– DarkGate was previously advertised on underground forums and is now rented out as a malware-as-a-service.
– Microsoft Teams chat messages are being used as a propagation vector for DarkGate.
– The majority of the attacks have been detected in the Americas, followed by Asia, the Middle East, and Africa.
– The attackers abuse trusted relationships between organizations to deceive recipients into executing the attached VBA scripts.
– The VBA scripts fetch legitimate applications like AutoIt3.exe and associated scripts to launch the DarkGate malware.
– Alternate attack sequences involve sending ZIP archive attachments containing LNK files that run VBA scripts to retrieve AutoIt3.exe and DarkGate.
– The DarkGate malware can be used to infect systems with various types of malware, including info stealers, ransomware, and cryptocurrency miners.
– As long as external messages are allowed and compromised accounts can be abused, this initial-entry technique can be applied to any instant messaging app, not only Skype and Teams.
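The infection chain the summary and the takeaways describe (a script disguised as a PDF, opened from a chat client, that fetches AutoIt3.exe plus a script and launches the loader) leaves a recognisable pattern in process-creation telemetry. The following is an added example, written for this page and not code from the original report or from the researchers it cites: a small detector that scans Sysmon-style process-creation events for a script host running a ".pdf.<script>" lure from a user-writable path and for AutoIt3.exe executing an .au3 script from a script host or from a user-writable directory. The field names, the set of "LNK launcher" parents, the path patterns and the sample events are all assumptions constructed for the example; real telemetry will need the field mapping adjusted.

```python
"""
Added example (not from the original report): detect the DarkGate-style
chain  script host -> lure.pdf.vbs  ->  AutoIt3.exe script.au3
in constructed process-creation events. Field names and samples are assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents an LNK inside a ZIP commonly hands off to (assumption for the alternate chain)
LNK_LAUNCHERS = {"cmd.exe", "powershell.exe"}
# A lure pretending to be a PDF: "invoice.pdf.vbs", "report.pdf.lnk", ...
DOUBLE_EXT = re.compile(r"\.pdf\.(vbs|vbe|vba|js|lnk)$", re.IGNORECASE)
# Locations an unprivileged user (and a chat client's download handler) can write to
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(downloads|appdata)|users\\public|windows\\temp)\\",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the new process
    cmdline: str
    parent_image: str  # full path of the parent process


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cmdline_tokens(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths with spaces together."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def is_script_lure(ev: ProcEvent) -> bool:
    """Stage 1: wscript/cscript executing a .pdf.<script> file from a user-writable path."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return False
    return any(DOUBLE_EXT.search(t) and USER_WRITABLE.search(t) for t in cmdline_tokens(ev.cmdline))


def is_autoit_stage(ev: ProcEvent) -> bool:
    """Stage 2: AutoIt3.exe running an .au3 script, spawned by a script host or an
    LNK launcher, or itself living in a user-writable directory (a fetched copy,
    not an installed one)."""
    if basename(ev.image) != "autoit3.exe":
        return False
    if not any(t.lower().endswith(".au3") for t in cmdline_tokens(ev.cmdline)):
        return False
    suspicious_parent = basename(ev.parent_image) in SCRIPT_HOSTS | LNK_LAUNCHERS
    return suspicious_parent or bool(USER_WRITABLE.search(ev.image))


def detect(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """One alert per suspicious event; an AutoIt stage whose parent is a flagged
    lure is reported with chain=True (both stages observed)."""
    lure_pids = {ev.pid for ev in events if is_script_lure(ev)}
    alerts: List[Dict[str, object]] = []
    for ev in events:
        if ev.pid in lure_pids:
            alerts.append({"pid": ev.pid, "stage": "script_lure", "chain": False})
        elif is_autoit_stage(ev):
            alerts.append({"pid": ev.pid, "stage": "autoit_loader", "chain": ev.ppid in lure_pids})
    return alerts


SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    ProcEvent(1001, 800, r"C:\Windows\explorer.exe", "explorer.exe",
              r"C:\Windows\System32\userinit.exe"),
    # the user opens the "PDF" received over chat; the client saved it to Downloads
    ProcEvent(1200, 1001, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Invoice_Q3.pdf.vbs"',
              r"C:\Windows\explorer.exe"),
    # the script fetched AutoIt3.exe and an .au3 script into Temp and ran them
    ProcEvent(1310, 1200, r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe",
              r'"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe" "C:\Users\alice\AppData\Local\Temp\update.au3"',
              r"C:\Windows\System32\wscript.exe"),
    # a developer running an installed AutoIt from Explorer: must stay quiet
    ProcEvent(1400, 1001, r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
              r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" "C:\Projects\build.au3"',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The two stages are scored separately on purpose: the AutoIt check alone catches the ZIP-plus-LNK variant, where no script host with a ".pdf.vbs" argument ever appears, while the parent-child link between the two stages is what turns a medium-confidence hit into a high-confidence one. Legitimate AutoIt installs under Program Files launched from Explorer fall through both checks.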