{"id":17271,"date":"2023-10-25T10:28:39","date_gmt":"2023-10-25T10:28:39","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=17271"},"modified":"2023-10-25T10:31:04","modified_gmt":"2023-10-25T10:31:04","slug":"skype-microsoft-teams-spam-darkgate-loader","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/skype-microsoft-teams-spam-darkgate-loader\/","title":{"rendered":"Skype & Microsoft Teams Spam Spreads DarkGate Loader"},"content":{"rendered":"

Over the past few years, DarkGate has been relatively inactive<\/strong>. However, several campaign deployments have been detected this year across the Americas, Asia, the Middle East, and Africa. They started to aim at Microsoft apps<\/strong>, such as Skype and Teams, for spreading to target systems.<\/p>\n

What is DarkGate Loader?<\/h2>\n

DarkGate Loader is a type of malware<\/a> that is capable of downloading and running other types of malware<\/strong>, including ransomware, trojans, and cryptocurrency miners. Additionally, it can be used to extract sensitive data<\/strong> from the victim’s computer, such as passwords, credit card numbers, and personal information.<\/p>\n

This malware is typically distributed via phishing emails<\/a> or malicious attachments. Once it is installed on the victim’s computer, it can communicate with a remote command<\/strong> and control (C2) server to receive instructions and download additional malware.<\/p>\n

\"Distribution
Distribution of DarkGate campaign (August -September 2023)<\/figcaption><\/figure>\n

DarkGate Loader has been gaining popularity<\/strong> among cybercriminals since its creator advertised it as a Malware-as-a-Service offering on popular forums in June 2023. Previously, DarkGate Loader was distributed using traditional email-based malspam<\/strong> campaigns, similar to those used by Emotet. However, an operator started using Microsoft Teams to deliver the malware<\/strong> in August via HR-themed social engineering chat messages. This new tactic has led to an increase in the number of DarkGate Loader infections.<\/p>\n

DarkGate Spreads Via Microsoft Teams And Skype Spam<\/h2>\n

A company has been facing a targeted phishing attack since late September. The attackers have been using Microsoft Teams functionality<\/strong> to deliver the DarkGate Loader malware<\/a>. Fortunately, all the employees were regularly trained to identify phishing attempts, and they promptly intervened. As a result, no employees, customers, or company resources were harmed during this incident. The malicious message was blocked before it could reach any of the employees.<\/p>\n

\"Phishing
Teams message with a malicious attachment<\/figcaption><\/figure>\n

After analyzing a recent case, we discovered that the DarkGate Loader malware was delivered in the payload of a ZIP archive<\/strong>. The image below illustrates the entire attack process, from the moment the Microsoft Teams message is sent to the execution of the DarkGate Loader:<\/p>\n

\"Microsoft<\/p>\n

In the next sample, the threat actor exploited a trusted relationship between two organizations to trick the recipient into running the attached VBA script<\/strong>. By gaining access to the victim’s Skype account, the attacker could take control of an existing messaging thread and create file names related to the chat history’s context.<\/p>\n

\"DarkGate
DarkGate infection chain abusing Skype<\/figcaption><\/figure>\n

The victims were sent a message from a compromised Skype account<\/strong>. The message contained a deceptive VBS script with a file name that followed the format: “ www.skype[.]vbs<\/code>“. The spacing in the file name was deliberately designed to trick the user<\/strong> into thinking that the file was a .PDF document while actually hiding the real format, which was www.skype[.]vbs<\/code>. In this sample, the recipient believed that the sender was someone from a trusted external supplier.<\/p>\n

Installation Consequences<\/h2>\n

Experts noticed that the threat was functioning as a downloader of further payloads. Once the DarkGate malware<\/a> was installed, it deposited files in both the <\u0421:\/Intel\/><\/code> and <%appdata%\/Adobe\/><\/code> directories, which aided in its attempt to disguise itself.<\/p>\n

The dropped files were identified as variations of either DarkGate or Remcos, most likely to enhance the attackers’ hold on the infected system<\/strong>. Below are some of the sample file names we came across for these additional payloads:<\/p>\n