Compromised Skype accounts deliver DarkGate malware to employees

A threat actor is using compromised Skype accounts to deliver the DarkGate malware to target organizations, Trend Micro researchers have warned.

DarkGate malware Skype

“Versions of DarkGate have been advertised on Russian language forum eCrime since May 2023. Since then, an increase in the number of initial entry attacks using the malware has been observed,” they noted.

DarkGate malware comes via Skype and Teams

The threat actor leverages compromised Skype accounts to contact employees at target organization by impersonating a trusted external supplier.

“Access to the victim’s Skype account allowed the actor to hijack an existing messaging thread and craft the naming convention of the files to relate to the context of the chat history,” Trend Micro’s researchers noted.

“It’s unclear how the originating accounts of the instant messaging applications were compromised, however is hypothesized to be either through leaked credentials available through underground forums or the previous compromise of the parent organization.”

The Skype message contains a VBS script posing as a PDF file. Once executed by the victim, the script downloads and executes an AutoIT script to finally drop the DarkGate malware. The researchers also discovered that after being installed on the victim’s system, DarkGate drops additional payloads.

DarkGate malware Skype

DarkGate infection chain abusing Skype. (Source: Trend Micro)

Delivery of the DarkGate malware is not executed just via Skype. In an another instance, the threat actor contacted employees of a target organization via Microsoft Teams, as the organization’s system allowed the victim to receive messages from external users.

“While the Skype routine masqueraded the VBS file as a PDF document, in the Teams version of compromise, the attackers concealed a .LNK file instead. Moreover, the sample that abused Teams came from an unknown, external sender,” they noted.

Sending malware directly into targets’ MS Teams inbox is a relatively new attack tactic. The “vulnerability” that makes the attack possible was documented by Jumpsec researchers earlier this year, and it didn’t take long for attackers to start abusing it.

Finally, the researchers also spotted a third delivery method of the VBA script: via a .LNK file that arrives in a .ZIP file from the originators’ SharePoint site.

Organizations are urged to step up their security awareness training and to control the use of IM applications by enforcing the blocking external domains, controlling attachments, implementing scanning and multifactor authentication to better secure user accounts.

Why DarkGate? Why now?

First documented in late 2017, DarkGate is loader malware that can execut discovery commands, implement (legitimate) remote access software, log keystrokes, steal information stored by browsers, annd

“DarkGate also uses a Windows-specific automation and scripting tool called AutoIt to deliver and execute its malicious capabilities. Historically, however, none of the notable loaders like IcedID, Emotet, or Qakbot have been observed to abuse it, making it easier for researchers or security teams to link the activity to the malware campaign,” Trend Micro researchers noted.

Depending on who bought (or leased) the DarkGate variant used in specific attacks, the follow-up of a DarkGate infection might include covert cryptomining or ransomware delivery. “From our telemetry, we have seen DarkGate leading to tooling being detected commonly associated with the Black Basta ransomware group.”

DarkGate’s recent popularity might be down to law enforcement disruptions of the Emotet and Qakbot botnets, which were previously extensively used by attackers to deliver all kinds of malware to a wide pool of targets.

Don't miss