New DarkGate Malware Campaign Hits Companies Via Microsoft Teams

Get technical details about how this new attack campaign is delivered via Microsoft Teams and how to protect your company from this loader malware.
A new report from global cybersecurity company Truesec reveals a new attack campaign that leverages Microsoft Teams to infect companies’ users. While the attacker’s motivation remains unknown, the DarkGate loader malware could be used for either financial gain or cyberespionage.
DarkGate is a loader malware written in Delphi; its goal is to enable the download and execution of other malware once it runs on an infected computer. The additional malware is downloaded directly into memory on 32- and 64-bit architectures, which makes it harder to detect because it never resides on the file system.
Other mechanisms implemented in the malware make it more difficult to analyze:
Depending on the results of all these checks, the malware might alter its behavior and possibly stop running.
DarkGate has persistence capabilities that can be enabled in its configuration. In that case, it stores a copy of itself on the hard drive and creates a registry key to be executed at reboot times.
Although DarkGate is mostly a loader for third-party malware, it still has built-in capabilities of its own.
The attack consists of messages sent on Microsoft Teams by a threat actor using two compromised Teams accounts that had been offered for sale on the Dark Web. Those accounts were used to send socially engineered content designed to convince users to download and open a malicious archive file (Figure A).
Figure A
Once the zip file is opened, it shows the user a malicious LNK (shortcut) file posing as a PDF document (Figure B).
Figure B
After the LNK file is clicked, it executes a command line that triggers the download and execution of AutoIT via a VBScript file. A precompiled AutoIT script is also downloaded and executed via the AutoIT software.
In this attack campaign, the AutoIT script checks for the presence of the Sophos antivirus; other campaigns might check for other antivirus solutions. If the antivirus isn’t installed, the script downloads a shellcode that in turn downloads a file, byte by byte, using the stacked-strings technique in an effort to stay undetected. That final payload is the DarkGate loader malware.
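As an added example, not code from the Truesec report or from this article, the following Python scans process-creation events for the execution chain just described (shortcut opened from Explorer, cmd.exe, a VBScript host, then AutoIT). The event fields, pids, file paths and AutoIT image names are assumptions, and the sample telemetry is constructed.

```python
"""Flag the explorer.exe -> cmd.exe -> wscript/cscript -> AutoIt chain in
process-creation telemetry (Sysmon Event ID 1 style). Field names, sample
events and the AutoIt image names are assumptions made for this example."""
from dataclasses import dataclass
from typing import Iterable, List

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
AUTOIT_IMAGES = {"autoit3.exe", "autoit3_x64.exe"}   # assumed interpreter names

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_autoit_chains(events: Iterable[ProcEvent]) -> List[List[int]]:
    """Return one alert per AutoIt process whose ancestry is
    explorer.exe -> cmd.exe -> script host -> AutoIt (the shortcut launch pattern).
    Each alert is the pid list from explorer.exe down to the AutoIt process."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in by_pid.values():
        if _basename(ev.image) not in AUTOIT_IMAGES:
            continue
        chain = [ev]                      # child first, then its ancestors
        while chain[-1].ppid in by_pid and len(chain) < 6:   # depth cap guards cycles
            chain.append(by_pid[chain[-1].ppid])
        names = [_basename(c.image) for c in chain]
        if (len(names) >= 4 and names[1] in SCRIPT_HOSTS
                and names[2] == "cmd.exe" and names[3] == "explorer.exe"):
            alerts.append([c.pid for c in reversed(chain[:4])])
    return alerts

# Constructed sample telemetry: one malicious chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(4, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # shortcut posing as a PDF runs cmd.exe, which starts the VBScript stage
    ProcEvent(10, 4, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c wscript.exe C:\Users\Public\invoice.vbs"),
    ProcEvent(11, 10, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\Public\invoice.vbs"),
    ProcEvent(12, 11, r"C:\Users\Public\AutoIt3.exe", r"AutoIt3.exe C:\Users\Public\script.au3"),
    # benign: a logon script run by the script host directly under explorer.exe
    ProcEvent(20, 4, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Scripts\logon.vbs"),
    # benign: AutoIt launched from the Start menu, with no script-host parent
    ProcEvent(21, 4, r"C:\Program Files\AutoIt3\AutoIt3.exe", "AutoIt3.exe"),
]

if __name__ == "__main__":
    print(find_autoit_chains(SAMPLE_EVENTS))   # [[4, 10, 11, 12]]
```

The match is deliberately strict to the chain the report describes; a production rule would also score partial matches such as any AutoIT interpreter started from a user-writable directory by a script host.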
DarkGate loader was advertised in June 2023 by its developer RastaFarEye (Figure C), as shown in a report from German company Telekom Security.
Figure C
The threat actor limited the malware-as-a-service to only 10 affiliates at a monthly price of $15,000 USD, or $100,000 USD for a full year.
RastaFarEye also provided a video showing the malware builder and control panel (Figure D).
Figure D
DarkGate’s capabilities make it a tool of choice for cybercriminals interested in financial fraud and for threat actors running cyberespionage campaigns.
In addition to developing DarkGate loader, RastaFarEye advertised other malware of his own, including malware for Mac operating systems. The cybercriminal also offered Extended Validation certificate creation services.
In this attack campaign, the threat actor sent messages via Microsoft Teams to organizations that use it. It is therefore strongly advised not to allow Microsoft Teams chat requests from external domains that don’t belong to the organization; only whitelisted external domains should be allowed to send chat requests.
Other attack campaigns that delivered DarkGate loader used emails to socially engineer the target into opening a malicious file, so it’s also advised to deploy security solutions that analyze the URLs contained in emails in addition to attached files.
All operating systems and software should be up to date and patched to prevent being compromised by common vulnerabilities.
Multifactor authentication should be deployed wherever possible, so that even a threat actor in possession of valid credentials still cannot access the corporate environment.