DarkGate malware, a multifunctional threat known for data harvesting, cryptocurrency mining, and remote control capabilities, has been found using popular instant messaging platforms like Skype and Microsoft Teams as a propagation vector. Cybercriminals leverage these platforms to deliver a Visual Basic for Applications (VBA) loader script, disguised as a PDF document, which triggers the download and execution of an AutoIt script when opened.
Researchers have not yet pinpointed how the originating accounts on these instant messaging apps were compromised, but speculate it could be through leaked credentials from underground forums or past compromises of parent organizations.
The use of instant messaging apps as a malware distribution method has seen a surge in recent months, with attackers employing social engineering tactics such as phishing emails and SEO poisoning to lure unsuspecting users into downloading the malware. The increase in such attacks coincides with the decision by DarkGate’s author to advertise and even rent out the malware on underground forums as a malware-as-a-service. This marks a shift from the malware’s previous private usage.
The majority of DarkGate attacks have been detected in the Americas, closely followed by Asia, the Middle East, and Africa. The modus operandi closely resembles a malspam campaign reported by Telekom Security in August 2023, with the main change being the initial access route through instant messaging apps.
Cybercriminals continue to exploit trusted relationships and unsuspecting users, emphasizing the need for vigilance, strong security defenses, and protection against the ever-evolving tactics of threat actors.
