Cybersecurity researchers have discovered a large-scale distribution of the DarkGate malware through Microsoft Teams.
The threat actors are said to be running a phishing campaign that distributes the malware to unsuspecting targets using compromised Microsoft Teams accounts. The DarkGate malware has existed since 2017, when it began as a miner and password stealer.
Although the malware was not prominent for years, it has recently become more sophisticated, and threat actors are now spreading it through malvertising and phishing campaigns.
The malware's new traction is linked to its developer's intent to expand its network of affiliated partners. The developer is said to be offering the malware as a service for a price tag of US$100,000 per year.
Research conducted by Jakob Nordenlund of the Truesec cybersecurity incident team indicates that a set of compromised Microsoft 365 accounts was used to send Teams chat messages containing links to files embedded with malicious code, a phishing method adopted by the attackers with a DarkGate loader as the payload.
The attackers send zip files to their targets and prompt them to open the file, which supposedly contains vacation schedules for the organization they work for. The file actually contains a malicious shortcut (.lnk) masquerading as a PDF file. If the target clicks on it, they are automatically infected with the DarkGate malware.
In the recommendations section of his report, Nordenlund stated:
“This attack was detected due to the security awareness training of the recipients. Unfortunately, current Microsoft Teams security features such as Safe Attachments or Safe Links were not able to detect or block this attack.”
Currently, there is no other way to prevent this attack except to allow Microsoft Teams chat requests only from specific domains. This would certainly affect an organization's business, as IT administrators would be required to safelist these domains individually.
DarkGate has undoubtedly been making waves in recent months; reporting from SC Media shows a series of reports over the past two months about the malware's propagation. In an article they stated:
“Last month, threat analyst 0xToxin and Deutsche Telekom Security analyst Fabian Marquardt both posted about a new email phishing campaign with DarkGate as the payload, while Malwarebytes director of threat intelligence Jerome Segura outlined a DarkGate malvertising campaign.”
The tech giant, which has always been a target for threat actors, has notably been hit by numerous attacks from Chinese, Russian, Korean and other hackers. The rise of DarkGate malvertising adds yet another item to the long list of issues Microsoft needs to sort out.
Truesec also published indicators of compromise (IoCs), including file names (change to the vacation schedule.zip, changes to the vacation schedule.pdf.lnk, c:\tgph\asrxpm.vbs, c:\wbza\eszexz.au3) and hash values. Other information, such as similar file names, is available on VirusTotal.
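As a defender's illustration of both the lure described above (a zip archive carrying a shortcut disguised as a PDF) and the file-name indicators Truesec published, the following Python script is an added example, not code from Truesec or from this article. It scans an archive for members whose real extension is an executable type hidden behind a document extension, and for base names matching the IoC list above (with the page's ".pdf.Ink" read as ".pdf.lnk"). The sample archive is constructed inline from inert placeholder bytes, and the two extension sets are assumptions chosen for the example.

```python
import io
import zipfile

# File-name IoCs quoted from the Truesec report as given on this page
# (base names only; the page's ".pdf.Ink" is read as the shortcut extension ".lnk").
IOC_FILENAMES = {
    "change to the vacation schedule.zip",
    "changes to the vacation schedule.pdf.lnk",
    "asrxpm.vbs",
    "eszexz.au3",
}

# Assumed extension sets for this example: what a user expects to be a document,
# and what Windows will actually execute when double-clicked.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
EXECUTABLE_EXTS = {"lnk", "vbs", "js", "hta", "exe", "au3", "bat", "cmd", "scr"}


def classify_member(name: str) -> list[str]:
    """Return the reasons a single archive member name looks suspicious (empty if none)."""
    reasons = []
    # Normalise both path separators so a Windows-style IoC path still yields its base name.
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if base in IOC_FILENAMES:
        reasons.append("known IoC file name")
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{parts[-1]}")
        # Double extension such as "report.pdf.lnk": the visible part pretends to be a document.
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            reasons.append(f"disguised as .{parts[-2]} document")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Scan an in-memory zip and return {member_name: reasons} for suspicious members only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign PDF name and one .pdf.lnk decoy (placeholder bytes only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quarterly report.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("changes to the vacation schedule.pdf.lnk", b"placeholder, not a real shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(f"{member}: {', '.join(reasons)}")
```

The double-extension check is the part worth keeping in a mail or chat gateway: it does not depend on the IoC list and will flag the same lure under a different file name, which is what the Safe Attachments / Safe Links quote above shows is needed.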
Please let us know your thoughts in the comment section.