A threat actor is currently using compromised Skype and Microsoft Teams accounts to distribute DarkGate [2], a powerful malware capable of performing various malicious activities [3]. This ongoing campaign [1], which began in late August 2023, specifically targets Microsoft Teams messages by sending malicious attachments disguised as PDF documents. These attachments contain malicious VBScript that triggers an infection chain leading to the installation of DarkGate Loader malware.

Description

DarkGate is a malware that has been targeting users worldwide since 2017 [2]. It possesses the ability to execute commands, drop additional payloads (including variants of DarkGate itself and the Remcos remote access Trojan) [2], and escalate privileges. Recently, the developer of DarkGate has started advertising the malware on underground forums and offering it as a service to other threat actors [2], resulting in a surge in DarkGate activity [2].

The distribution of DarkGate has been increasing through various channels, making it an emerging threat that should be closely monitored [3]. Organizations should be prepared for more attacks from different threat actors utilizing DarkGate for various purposes [2]. Trend Micro has been successful in containing observed DarkGate attacks, but it is crucial for organizations to take proactive measures to mitigate the risk.

To mitigate the risk posed by DarkGate, organizations should enforce rules regarding instant messaging applications [2], implement scanning measures [2], and utilize multifactor authentication to prevent the misuse of credentials [2]. Microsoft has recommended applying safe configurations and disabling external access if not necessary [3].

Conclusion

DarkGate poses a significant threat due to its capabilities and increasing distribution. Organizations must remain vigilant and take necessary precautions to protect their systems and data. By enforcing security measures and following Microsoft’s recommendations, the risk of DarkGate attacks can be minimized. Continued monitoring and awareness of emerging threats like DarkGate are essential to stay ahead of potential attacks.

References

[1] https://www.trendmicro.com/fr_fr/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html
[2] https://www.darkreading.com/attacks-breaches/darkgate-operator-skype-teams-messages-distribute-malware
[3] https://www.todaysgeneralcounsel.com/darkgate-threatens-microsoft-teams-with-phishing-attack/