October 15, 2023 at 01:53PM
DarkGate malware attacks have been using compromised Skype accounts to infect targets. The attacks involve VBA loader script attachments that download an AutoIT script to drop and execute the final DarkGate malware payload. Trend Micro researchers also observed DarkGate being pushed through Microsoft Teams. The malware-as-a-service operation has seen a surge in activity, indicating the determination of threat actors to continue their attacks.
Key Takeaways from Meeting Notes:
1. DarkGate malware attacks have been observed between July and September.
2. These attacks use compromised Skype accounts to infect targets through messages with VBA loader script attachments.
3. The VBA loader script downloads a second-stage AutoIT script, which drops and executes the final DarkGate malware payload.
4. The attackers hijack existing messaging threads on Skype and craft file names related to the chat history.
5. It is unclear how the instant messaging application accounts were compromised, but it is speculated to be through leaked credentials or a compromise of the parent organization.
6. DarkGate operators have also attempted to push malware payloads through Microsoft Teams, targeting organizations where the service allows external messages.
7. Teams phishing campaigns using malicious VBScript and the tool TeamsPhisher have been spotted targeting Teams users via compromised Office 365 accounts and bypassing file restrictions.
8. The purpose of the DarkGate attacks is to gain access to the entire environment, with varying threats from ransomware to cryptomining depending on the threat group using the malware.
9. DarkGate malware has gained popularity among cybercriminals for initial access into corporate networks following the disruption of the Qakbot botnet.
10. The DarkGate malware offers various features, including concealed VNC, Windows Defender bypass, browser history theft, reverse proxy, file manager, and Discord token stealing.
11. There has been a significant increase in DarkGate infections through phishing and malvertising methods.
12. The surge in DarkGate malware activity highlights the growing influence of this malware-as-a-service operation in the cybercriminal sphere and the determination of threat actors to adapt their tactics despite disruptions and challenges.
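
The delivery chain in takeaways 2, 3 and 6 (a script attachment opened from a messaging client, followed by an AutoIT script being run) can be hunted in process-creation telemetry. The sketch below is an added example, not code from the article or from Trend Micro; the event layout, the process image names and the sample events are assumptions constructed for illustration.

```python
# Added example: flag the messaging-client -> script-host -> AutoIt chain.
# Image names and the event tuple layout are assumptions, not from the article.
MESSAGING = {"skype.exe", "teams.exe", "ms-teams.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
AUTOIT = {"autoit3.exe", "autoit3_x64.exe"}

# Constructed process-creation events: (pid, parent pid, image, command line)
SAMPLE_EVENTS = [
    (100, 1, "Skype.exe", "Skype.exe"),
    (200, 100, "wscript.exe", 'wscript.exe "C:\\Users\\a\\Downloads\\shared_doc.vbs"'),
    (300, 200, "cmd.exe", "cmd.exe /c (constructed)"),
    (400, 300, "AutoIt3.exe", "AutoIt3.exe stage2.au3"),
    (500, 1, "Teams.exe", "Teams.exe"),
    (600, 500, "notepad.exe", "notepad.exe notes.txt"),       # benign child
    (700, 1, "explorer.exe", "explorer.exe"),
    (800, 700, "AutoIt3.exe", "AutoIt3.exe C:\\tools\\job.au3"),  # admin use
]

def ancestors(pid, by_pid):
    """Yield lower-cased ancestor image names, nearest parent first."""
    seen = set()  # guards against pid reuse creating a loop
    ppid = by_pid[pid][1]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        yield by_pid[ppid][2].lower()
        ppid = by_pid[ppid][1]

def find_chains(events):
    """Return (pid, reason) for each process matching a stage of the chain."""
    by_pid = {e[0]: e for e in events}
    alerts = []
    for pid, _ppid, image, _cmdline in events:
        name = image.lower()
        chain = list(ancestors(pid, by_pid))
        if name in SCRIPT_HOSTS and any(a in MESSAGING for a in chain):
            alerts.append((pid, "script-host-from-messaging-client"))
        elif name in AUTOIT:
            hosts = [i for i, a in enumerate(chain) if a in SCRIPT_HOSTS]
            # AutoIt only counts when a script host sits between it and
            # a messaging client further up the process tree.
            if hosts and any(a in MESSAGING for a in chain[hosts[0] + 1:]):
                alerts.append((pid, "autoit-after-chat-delivered-script"))
    return alerts

if __name__ == "__main__":
    for pid, reason in find_chains(SAMPLE_EVENTS):
        print(pid, reason)
```

Matching on image name alone misses a renamed interpreter, so a production rule should also compare the binary's original file name from its version information where the telemetry source records it.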