DarkGate Malware Becomes Active, Spreads Via Skype Accounts

The notorious DarkGate malware has become active again, as it now spreads via compromised Skype accounts. Researchers warn users to remain cautious while interacting with unknown accounts.

DarkGate Malware Spreads Via Compromised Skype Accounts

According to a recent report from Trend Micro, the DarkGate malware has re-emerged after remaining dormant for a few years. As observed, DarkGate abuses instant messaging platforms such as Skype to deliver malicious scripts that, in turn, download the malware onto the target devices.

DarkGate first made the news in 2017, but it remained largely inactive during the past few years. Beginning in 2023, however, Malwarebytes and TrueSec observed the malware re-appearing in the wild, and its recent campaigns have now caught the attention of Trend Micro researchers.

In the recent attacks, DarkGate used compromised Skype accounts to spread its infections. It remains unclear how the threat actors behind this campaign obtained those accounts, but the researchers suspect that login credentials exposed in previous breaches were used.

The attack begins by luring the victim into downloading a maliciously crafted file, such as a PDF, that carries a VBA script. Opening the file launches the AutoIt automation and scripting tool, which in turn executes the malware.

Regarding the malware's features, the researchers found that it provides remote access via RDP or AnyDesk, cryptocurrency mining, keylogging, privilege escalation, self-update and management, and the execution of discovery commands. The malware also steals browser data from the target devices.

The threat actors lure users through compromised Skype accounts that the target organizations' contacts already trust. In other cases, the researchers also observed Microsoft Teams being abused to spread the malware. Again, the attack relies on tricking the victim into opening a maliciously crafted file.

Users Must Remain Careful When Interacting With File Attachments

The recent DarkGate campaign targeted users across America (41%), followed by Asia, Africa, and the Middle East (31%), and then the European region (28%).

The researchers advise organizations to exercise caution in their use of IM apps. They also recommend scanning files received through IM apps in particular, implementing multi-factor authentication to secure logins, and deploying application allowlists so that unnecessary tools such as AutoIt cannot be executed by unauthorized users.
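As an added illustration of the allowlisting advice above (not code from the report or from Trend Micro), the following script triages constructed process-creation events for the chain the article describes: a script interpreter launched from an IM client, AutoIt running under a user not approved to use it, and discovery commands spawned from AutoIt. The log format, the approved-user set and the sample events are all assumptions made for this example.

```python
import csv
import io

# Constructed sample events in a Sysmon-like shape (hypothetical format, not real telemetry).
SAMPLE_EVENTS = """\
parent_image,image,command_line,user
C:\\Program Files\\Teams\\Teams.exe,C:\\Windows\\System32\\wscript.exe,wscript.exe C:\\Users\\bob\\Downloads\\invoice.vbs,CORP\\bob
C:\\Windows\\System32\\wscript.exe,C:\\Users\\bob\\AppData\\Local\\Temp\\AutoIt3.exe,AutoIt3.exe C:\\Users\\bob\\AppData\\Local\\Temp\\test.au3,CORP\\bob
C:\\Users\\bob\\AppData\\Local\\Temp\\AutoIt3.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c whoami,CORP\\bob
C:\\Windows\\explorer.exe,C:\\Program Files\\Microsoft Office\\winword.exe,winword.exe report.docx,CORP\\alice
C:\\Windows\\System32\\svchost.exe,C:\\Program Files\\AutoIt3\\AutoIt3.exe,AutoIt3.exe build.au3,CORP\\buildsvc
"""

AUTOIT_ALLOWED_USERS = {"CORP\\buildsvc"}  # assumption: only the build account may run AutoIt
IM_CLIENTS = {"skype.exe", "teams.exe", "ms-teams.exe"}
INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "autoit3.exe"}
DISCOVERY_CMDS = ("whoami", "net user", "systeminfo", "ipconfig", "nltest")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(csv_text: str) -> list[tuple[str, str]]:
    """Return (rule, command_line) pairs for events that violate the allowlist policy."""
    hits = []
    for ev in csv.DictReader(io.StringIO(csv_text)):
        child, parent = basename(ev["image"]), basename(ev["parent_image"])
        cmd = ev["command_line"].lower()
        # Rule 1: AutoIt run by anyone outside the allowlist, wherever the binary lives.
        if "autoit" in child and ev["user"] not in AUTOIT_ALLOWED_USERS:
            hits.append(("autoit_not_allowlisted", ev["command_line"]))
        # Rule 2: a script interpreter spawned directly by an IM client
        # (assumes the client itself opened the received file).
        if parent in IM_CLIENTS and child in INTERPRETERS:
            hits.append(("im_client_spawned_interpreter", ev["command_line"]))
        # Rule 3: discovery commands issued from an AutoIt process.
        if "autoit" in parent and any(d in cmd for d in DISCOVERY_CMDS):
            hits.append(("discovery_from_autoit", ev["command_line"]))
    return hits


if __name__ == "__main__":
    for rule, command in triage(SAMPLE_EVENTS):
        print(f"{rule}: {command}")
```

The approved build account's AutoIt run in the last sample line is intentionally not flagged, which is the point of an allowlist rather than a blanket block.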

Let us know your thoughts in the comments.
