Skype and Teams clients get ready: a virus is in every message you send

Carding 4 Carders

Check if your Skype and Teams correspondence is already compromised.

Researchers at Trend Micro discovered a new malware campaign in which cybercriminals use hacked Skype and Microsoft Teams accounts to spread DarkGate malware that can steal information, log keystrokes, mine cryptocurrency, and encrypt files.

Trend Micro specialists also observed that DarkGate's developer has begun advertising the malware on underground forums and renting it out to other hackers under the Malware-as-a-Service (MaaS) model.

The DarkGate operator uses Skype and Teams to distribute the malware. In one of the attacks, an attacker took control of the Skype account of an employee of an organization with which the victim had a trusted relationship, and used this account to send a message.

Essentially, the cybercriminal used the compromised Skype account to hijack an existing message thread and send a message that contained a malicious VBS script disguised as a PDF file. When the recipient opened the file, DarkGate was downloaded and installed on the target computer.

In another attack analyzed by Trend Micro, the attacker attempted to achieve the same result by using a Teams account to send a message with a malicious LNK file to the target recipient. Unlike the Skype attack, where the hacker posed as a trusted person, in the Teams variant the victim received the malicious message from an unknown sender.

Trend Micro's analysis showed that once installed on a system, DarkGate delivers additional payloads. Sometimes these are variants of DarkGate itself or the Remcos Remote Access Trojan (RAT), which attackers usually use for cyber espionage and theft of confidential information. The attacker's goal was evidently to use the compromised systems as an initial foothold in the target organization's networks.

DarkGate has been targeting users in various regions of the world since 2017. In the detected campaign, which started in August, 41% of the targets are located in the Americas, 31% in Asia, the Middle East and Africa, and 28% in Europe.

The malware combines several functions. For example, it can execute commands to collect information about the system, map networks, and traverse directories. To deliver and execute its payload, DarkGate uses AutoIt, a legitimate automation and scripting tool for Windows that the authors of other malware families have also used to obfuscate their code and bypass protection.

Trend Micro said it was able to contain the observed DarkGate attacks before any real damage was done. But given the developer's apparent shift to the MaaS model and the renting out of the malware, corporate security professionals can expect more attacks from a wider range of attackers.

Trend Micro recommends that organizations introduce rules for using Skype and Teams, which should include blocking external domains, controlling the use of attachments, and implementing scanning measures where possible. Multi-factor Authentication (MFA) is also key to preventing attackers from abusing compromised credentials.
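The attachment-scanning measure above, as an added example that is not part of the original post or of any Trend Micro tooling: it flags the two lures described here (a VBS script hidden behind a PDF-looking name, and a Windows shortcut) by checking both the file name and the file header, so a renamed LNK or a fake ".pdf" is caught even when the extension looks harmless. The policy lists and sample attachments are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed policy lists (not from the Trend Micro report): script/shortcut types that
# should not arrive as chat attachments, and document types attackers impersonate.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk", ".ps1", ".bat", ".cmd"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
# File signatures: PDF magic, and the Windows ShellLink header (HeaderSize 0x4C + CLSID prefix).
MAGIC = {".pdf": b"%PDF-", ".lnk": b"\x4c\x00\x00\x00\x01\x14\x02\x00"}

@dataclass
class Verdict:
    name: str
    block: bool
    reason: str

def _extensions(name: str) -> list[str]:
    # Every dotted suffix, stripped of the space padding used to push ".vbs" out of view.
    return ["." + part.strip().lower() for part in name.split(".")[1:]]

def inspect_attachment(name: str, head: bytes) -> Verdict:
    """Decide whether a chat attachment should be blocked, from its name and first bytes."""
    exts = _extensions(name)
    if not exts:
        return Verdict(name, True, "no extension")
    last = exts[-1]
    if last in SCRIPT_EXTS:
        if any(e in DOC_EXTS for e in exts[:-1]):
            return Verdict(name, True, f"{last} script disguised with a document extension")
        return Verdict(name, True, f"script or shortcut extension {last}")
    if last in MAGIC and not head.startswith(MAGIC[last]):
        return Verdict(name, True, f"claims {last} but file header does not match")
    if head.startswith(MAGIC[".lnk"]):
        return Verdict(name, True, "ShellLink (LNK) header under a non-.lnk name")
    return Verdict(name, False, "ok")

# Constructed samples standing in for attachments pulled from a Skype/Teams message.
SAMPLES = [
    ("quarterly_report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("quarterly_report.pdf        .vbs", b'Set o = CreateObject("WScript.Shell")'),
    ("invoice.lnk", MAGIC[".lnk"] + b"\x00" * 8),
    ("invoice.pdf", MAGIC[".lnk"] + b"\x00" * 8),
]

def scan_samples() -> list[Verdict]:
    return [inspect_attachment(n, h) for n, h in SAMPLES]

if __name__ == "__main__":
    for v in scan_samples():
        print(f"{'BLOCK' if v.block else 'allow':5} {v.name!r}: {v.reason}")
```

Only the first few bytes of each attachment are needed, so the check can run on the gateway before the file is delivered to the recipient.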