Researchers have seen a spike in the distribution of DarkGate, a sophisticated malware that spreads through a phishing campaign using compromised Microsoft Teams accounts.
Active since 2017, DarkGate had been relatively unknown until the middle of this year, when distribution of an enhanced version of the malware was observed through email phishing and malvertising campaigns.
Researchers have identified compromised Microsoft 365 accounts sending Teams chat messages with links to malicious files as part of a phishing campaign that delivers a DarkGate loader as the payload.
The victims were prompted to open a ZIP file purportedly containing a changed staff vacation schedule for their organization. The ZIP file contained a malicious LNK file disguised as a PDF document. If clicked on, it ultimately resulted in DarkGate malware being executed on the target system.
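The lure described above relies on a Windows shortcut (LNK) whose file name mimics a document inside a ZIP archive. The following is an added example, not code from the original article or from TrueSec, of a small archive inspector a defender might run on attachments delivered via chat or email: it reads the first bytes of each member and flags shortcut content that hides behind a document-style name, a double extension such as `.pdf.lnk`, or a `.pdf` that lacks the PDF header. The archive contents are constructed inline for the demonstration and are not real DarkGate artifacts; the file names and the `Finding` type are assumptions of this example.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# First 20 bytes of every Windows shortcut: HeaderSize 0x4C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK spec).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
PDF_MAGIC = b"%PDF-"


@dataclass
class Finding:
    name: str
    reason: str


def inspect_member(name: str, head: bytes) -> Optional[Finding]:
    """Classify one archive member from its name and its first bytes."""
    lower = name.lower()
    if head.startswith(LNK_MAGIC):
        # A shortcut whose name pretends to be a document is the lure pattern
        # described in the article; a double extension is the usual tell.
        if lower.endswith(".pdf.lnk") or lower.count(".") > 1:
            return Finding(name, "LNK masquerading as a document (double extension)")
        if not lower.endswith(".lnk"):
            return Finding(name, "LNK content under a non-.lnk file name")
        return Finding(name, "Windows shortcut inside archive")
    if lower.endswith(".pdf") and not head.startswith(PDF_MAGIC):
        return Finding(name, "claims .pdf but lacks the %PDF- header")
    return None


def scan_zip(data: bytes) -> List[Finding]:
    """Return a finding for every suspicious member of an in-memory ZIP."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(32)  # enough for both magic checks
            finding = inspect_member(info.filename, head)
            if finding is not None:
                findings.append(finding)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real sample): one disguised LNK,
    one genuine-looking PDF and one file mislabelled as PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Vacation schedule.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("Notes.pdf", b"%PDF-1.7\n%constructed\n")
        zf.writestr("Policy.pdf", b"MZ\x90\x00 not a pdf")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f"{f.name}: {f.reason}")
```

The header check matters more than the name check: Explorer hides the `.lnk` extension by default, so a member named `schedule.pdf` that carries the shortcut header is flagged even though its name alone looks harmless.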
According to the researcher, right now the only way to prevent this attack vector within Microsoft Teams is to allow Teams chat requests only from specific external domains, although this may have business implications since every trusted external domain must be whitelisted by an IT administrator.
Two months earlier, ZeroFox circulated a dark web forum post by a threat actor calling themselves “RastaFarEye” who appeared to be the developer of DarkGate.
The poster said they had spent over 20,000 hours since 2017 developing the malware which they described as “the ultimate tool for pentesters/redteamers”.
The threat actor said they were offering DarkGate to a small number of new affiliates and had “4/10 slots available”. The non-negotiable price to use the malware was $1000 for a day, $15,000 for a month, or $100,000 for a year.
While it is possible that the recent spike in attacks is linked to threat actors responding to RastaFarEye’s bid to hire out DarkGate as a ransomware-as-a-service offering, it is not known whether any threat actors have taken up the offer to become affiliates at the $100,000-a-year asking price.
This research was documented by researchers from TrueSec.
Indicators of Compromise
- hXXp://5[.]188[.]87[.]58:2351/msiwbzadczl