Thursday September 19, 2024

Advisory ID: NCC-CSIRT-161023-038

Summary: Trend Micro security researchers discovered DarkGate, a piece of malware that is being spread via instant messaging platforms such as Microsoft Teams and Skype. On successful compromise, the malware has a wide range of features that allow its operators to remotely control the infected devices while also collecting sensitive data from web browsers and mining cryptocurrencies. Additionally, access to the victim's Skype and Microsoft Teams accounts allowed the actor to hijack an existing messaging thread and craft the naming convention of the files to relate to the context of the chat history.

Threat Type(s): Malware and Phishing

Impact/Vulnerability: HIGH/CRITICAL

Product(s): Android and iOS device types, including mobile phones, tablets, and CTV products.

Platform(s): Android and iOS Operating Systems

Version(s): All Versions

Description: According to the researchers, the attackers leveraged compromised Skype accounts to infect targets via a Visual Basic for Applications (VBA) loader script disguised as a PDF attachment. When opened, the VBA script downloads and executes an AutoIt script that launches the DarkGate malware.

Moreover, malicious actors targeted Microsoft Teams users via compromised Office 365 accounts outside their organizations and a publicly available tool named TeamsPhisher. This tool enables attackers to bypass restrictions for incoming files from external tenants and send phishing attachments to Teams users.

Although the researchers state that it is still unclear how the originating messaging-app accounts were compromised, they hypothesize that it occurred either through leaked credentials or through a previous compromise of the parent organization.

Consequences: The malware offers a wide range of features, including a hidden Virtual Network Computing (VNC) graphical desktop-sharing capability, the ability to bypass Windows Defender, a browser history theft tool, an integrated reverse proxy, a file manager, and a Discord token stealer.

Solution: 

  • Organizations should enforce rules regarding the use of instant messaging applications.
  • Install a strong and reliable anti-malware solution and scan your systems with it.
  • Be wary of emails and SMS messages containing malicious attachments.
  • Use multifactor authentication on your systems to prevent the misuse of stolen credentials.
  • Apply secure configurations and disable external access to Microsoft Teams if it is not necessary.
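One way to carry out the last item, as an added example that is not part of the advisory: a PowerShell session using Microsoft's MicrosoftTeams module to record the tenant's current external-access settings, disable federation with other tenants and consumer accounts (the path TeamsPhisher-style delivery depends on), and verify the result. It assumes Teams administrator rights; `example.com` is a placeholder domain, and the parameter names should be checked against the installed module version.

```powershell
# Added example (not from the advisory): restrict Microsoft Teams external access
# with the MicrosoftTeams PowerShell module. Assumes Teams administrator rights.
# Install-Module MicrosoftTeams   # run once if the module is not yet installed
Connect-MicrosoftTeams

# 1. Record the current tenant federation settings before changing anything.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer,
    AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains | Format-List

# Weak setting (shown for contrast, not applied): any external tenant may
# message users, which is what a tool such as TeamsPhisher relies on.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowTeamsConsumer $true

# 2. Hardened setting: block external tenants and consumer/public accounts.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $false `
    -AllowPublicUsers $false `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# 3. Alternative when named partners are required: keep federation on but
#    allow-list only specific domains (example.com is a placeholder).
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
#     -AllowedDomainsAsAList @{Add = "example.com"}

# 4. Verify that the change took effect.
$after = Get-CsTenantFederationConfiguration
if ($after.AllowFederatedUsers -or $after.AllowTeamsConsumer -or $after.AllowPublicUsers) {
    Write-Warning "External access is still enabled; review the settings above."
} else {
    Write-Host "External access to Teams is disabled for this tenant."
}
```

Changes to tenant federation settings can take some time to propagate, so re-run step 4 later before relying on the result.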

References:

https://www.bleepingcomputer.com/news/security/darkgate-malware-spreads-through-compromised-skype-accounts/

https://heimdalsecurity.com/blog/darkgate-malware-spreaded-via-pdf-files-through-microsoft-teams-and-skype/

https://www.redpacketsecurity.com/darkgate-malware-spreads-through-compromised-skype-accounts/

https://thehackernews.com/2023/10/darkgate-malware-spreading-via.html

https://nquiringminds.com/cybernews/darkgate-malware-distributed-through-compromised-skype-and-microsoft-teams-accounts/

https://cybersecuritynews.com/hackers-abusing-skype/

https://www.techrepublic.com/article/darkgate-loader-malware-microsoft-teams/

https://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html