A piece of malware called DarkGate has been seen spreading through instant messaging platforms like Skype and Microsoft Teams.
In these attacks, the messaging apps are used to deliver a Visual Basic for Applications (VBA) loader script that masquerades as a PDF document, which, when opened, triggers the download and execution of an AutoIt script designed to launch the malware.
“It’s unclear how the originating accounts of the instant messaging applications were compromised; however, it is hypothesized to be either through leaked credentials available through underground forums or the previous compromise of the parent organization,” Trend Micro said in a new analysis published Thursday.
DarkGate, first documented by Fortinet in November 2018, is a commodity malware that incorporates a wide range of features to harvest sensitive data from web browsers, conduct cryptocurrency mining, and allow its operators to remotely control the infected hosts. It also functions as a downloader of additional payloads such as Remcos RAT.
Social engineering campaigns that distribute malware have seen a rise in recent months, taking advantage of early entry tactics like phishing emails and search engine optimization (SEO) poisoning to entice unwitting users to install it.
This increase follows the malware author’s decision to advertise the malware on underground forums and rent it to other threat actors on a malware-as-a-service basis after using it privately for years.
The use of Microsoft Teams chat messages as a propagation vector for DarkGate was revealed by Truesec last month, indicating that it is likely to be used by a number of threat actors.
According to Trend Micro, the majority of attacks have been found in the US, followed by Asia, the Middle East and Africa.
Except for the change in the initial access path, the overall infection process abusing Skype and Teams resembles the malspam campaign reported by Telekom Security in late August 2023.
“The threat actor exploited a trusted relationship between the two organizations to trick the recipient into executing an attached VBA script,” said Trend Micro researchers Trent Bessell, Ryan Maglaque, Aira Marcelo, Jack Walsh and David Walsh.
“Access to the victim’s Skype account allowed the actor to hijack an existing messaging thread and create a naming convention for files that referenced chat history.”
The VBA script serves as a medium to fetch the legitimate AutoIt application (AutoIt3.exe) and the associated AutoIt script responsible for launching the DarkGate malware.
An alternate attack sequence involves the attackers sending a Microsoft Teams message containing a ZIP archive attachment bearing an LNK file that, in turn, is designed to run a VBA script to retrieve AutoIt3.exe and the DarkGate artifact.
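The delivery chain described above (messaging client, then a script host running a file dressed up as a PDF, then AutoIt3.exe executing a script) leaves a recognisable process-tree shape in endpoint telemetry. The following is an added detection example, not code from Trend Micro or from the article, that hunts for that shape over constructed Sysmon-style process-creation events. The log format, the field names, and the client process names (Teams.exe, ms-teams.exe, Skype.exe) are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events (not real telemetry).
# Fields are assumed for this example: ts, pid, ppid, image, cmd.
SAMPLE_EVENTS = [
    'ts=2023-10-12T09:14:02 pid=4100 ppid=900 image=C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe cmd="Teams.exe"',
    'ts=2023-10-12T09:15:40 pid=4212 ppid=4100 image=C:\\Windows\\System32\\wscript.exe cmd="wscript.exe C:\\Users\\alice\\Downloads\\Invoice_Q3.pdf.vbs"',
    'ts=2023-10-12T09:15:47 pid=4330 ppid=4212 image=C:\\Users\\alice\\AppData\\Local\\Temp\\AutoIt3.exe cmd="AutoIt3.exe C:\\Users\\alice\\AppData\\Local\\Temp\\loader.au3"',
    'ts=2023-10-12T09:20:01 pid=5000 ppid=900 image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c schtasks /query"',
    'ts=2023-10-12T09:20:05 pid=5100 ppid=5000 image=C:\\Windows\\System32\\wscript.exe cmd="wscript.exe C:\\Scripts\\backup.vbs"',
]

EVENT_RE = re.compile(
    r'ts=(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"'
)

# Windows script hosts that execute VBA/VBS loaders.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed process names of the messaging clients named in the article.
MESSAGING_CLIENTS = {"teams.exe", "ms-teams.exe", "skype.exe"}
# A script or shortcut whose name pretends to be a PDF (double extension).
DISGUISED_SCRIPT_RE = re.compile(r"\.pdf\.(vbs|vbe|js|jse|wsf|lnk)\b", re.IGNORECASE)
# AutoIt source (.au3) or compiled (.a3x) script passed to the interpreter.
AUTOIT_SCRIPT_RE = re.compile(r"\.(au3|a3x)\b", re.IGNORECASE)


def parse_events(lines: List[str]) -> Dict[int, dict]:
    """Parse event lines into a pid-keyed map; unparseable lines are skipped."""
    events: Dict[int, dict] = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["pid"] = int(e["pid"])
        e["ppid"] = int(e["ppid"])
        e["name"] = e["image"].rsplit("\\", 1)[-1].lower()
        events[e["pid"]] = e
    return events


def ancestors(events: Dict[int, dict], pid: int, max_depth: int = 8) -> List[str]:
    """Return the image names of a process's ancestors, nearest first."""
    names: List[str] = []
    cur = events.get(pid)
    while cur is not None and len(names) < max_depth:
        cur = events.get(cur["ppid"])
        if cur is not None:
            names.append(cur["name"])
    return names


def hunt(lines: List[str]) -> List[Tuple[int, str]]:
    """Apply the three chain rules and return (pid, rule) findings in pid order."""
    events = parse_events(lines)
    findings: List[Tuple[int, str]] = []
    for pid, e in sorted(events.items()):
        cmd = e["cmd"]
        parent = events.get(e["ppid"])
        # Rule 1: a script host ran a file that masquerades as a PDF.
        if e["name"] in SCRIPT_HOSTS and DISGUISED_SCRIPT_RE.search(cmd):
            findings.append((pid, "script-host-ran-file-disguised-as-pdf"))
        # Rule 2: a script host was spawned directly by a messaging client.
        if e["name"] in SCRIPT_HOSTS and parent is not None and parent["name"] in MESSAGING_CLIENTS:
            findings.append((pid, "script-host-spawned-by-messaging-client"))
        # Rule 3: AutoIt3.exe ran a script and a script host sits in its ancestry.
        if (e["name"] == "autoit3.exe" and AUTOIT_SCRIPT_RE.search(cmd)
                and any(a in SCRIPT_HOSTS for a in ancestors(events, pid))):
            findings.append((pid, "autoit-launched-from-script-host"))
    return findings


if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Run against the constructed events, the hunt flags pid 4212 twice (double-extension lure, parent is Teams) and pid 4330 once (AutoIt3.exe descended from wscript.exe), while the legitimate backup.vbs launched from cmd.exe is left alone. Rule 3 walks the parent chain rather than checking only the direct parent, because the VBA script may spawn AutoIt3.exe through an intermediate process. Parent-child lineage and double extensions are cheap to evade individually, so these rules are meant as correlated hunting signals rather than a single high-fidelity alert.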
“Cybercriminals can use these payloads to infect systems with a variety of malware, including information stealers, ransomware, malicious and/or misused remote management tools, and cryptocurrency miners,” the researchers said.
“As long as external messaging is allowed, or abuse of trusted relationships through compromised accounts is unchecked, then this technique for initial entry can be done with any instant messaging (IM) apps.”