DarkGate Malware Spreads Through Messaging Services Disguised as PDF Documents

The DarkGate malware has been observed spreading through instant messaging platforms such as Skype and Microsoft Teams.

In these attacks, the messaging apps are used to deliver a Visual Basic for Applications (VBA) loader script that masquerades as a PDF file. When the recipient opens the fake PDF, the script downloads and executes an AutoIt script that in turn launches the malware.

How the attackers obtained access to the messaging accounts is unclear, but it is suspected to be either through leaked login credentials sold on underground forums or through a compromise of the sending organization itself.

DarkGate, first documented by Fortinet in November 2018, is a versatile malware family that can steal sensitive data from web browsers, mine cryptocurrency, and give its operators remote control of infected computers. It also acts as a downloader for additional payloads such as Remcos RAT.

Social engineering campaigns distributing DarkGate have increased recently, using phishing emails and search engine optimization (SEO) poisoning to trick users into installing the malware. This uptick followed the decision of the malware's developer, after years of private use, to advertise it on underground forums and offer it as malware-as-a-service to other threat actors.

The use of Microsoft Teams chat messages to spread DarkGate was previously reported by Truesec, which suggests that more than one threat actor is using the technique. According to Trend Micro, most of the attacks have been detected in the Americas, followed by Asia, the Middle East, and Africa.

The overall infection chain seen via Skype and Teams closely resembles a malspam campaign reported by Telekom Security in late August 2023; the only difference is the initial access route. The threat actors abused a trusted relationship between two organizations to persuade the recipient to execute the attached VBA script, and they hijacked an existing messaging thread so that the files appeared to belong to the conversation history.

The VBA script serves as a conduit to retrieve the legitimate AutoIt interpreter (AutoIt3.exe) together with an AutoIt script responsible for launching the DarkGate malware.

In an alternate attack sequence, the attackers send a Microsoft Teams message carrying a ZIP archive attachment that contains an LNK file; the shortcut runs a VBA script that retrieves AutoIt3.exe and the DarkGate artifact.
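Both delivery chains end the same way: a script host (wscript.exe, cscript.exe or similar) started from a "document" with a double extension, or from a file opened straight out of a ZIP archive, which then runs the legitimate AutoIt3.exe from a user-writable directory with a .au3 script. The following detection logic, added here as an illustration and not taken from Trend Micro or any of the reports cited on this page, scores Sysmon-style process-creation events against those observable traits. The field names, the file names in the sample events, and the list of monitored directories are assumptions chosen for the example; the events themselves are constructed, not real telemetry.

```python
"""Heuristic detection for the AutoIt-based loader chain described above.

Each ProcEvent mirrors the fields of a Sysmon process-creation record
(Event ID 1). The sample events at the bottom are constructed for this
example; the path and extension lists are assumptions, not a vendor rule.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}

# Locations a standard user can write to; a legitimate AutoIt install lives
# under Program Files, so AutoIt3.exe appearing here is worth a look.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop)|programdata|windows\\temp)\\",
    re.I,
)
# "invoice.pdf.vbs": a script dressed up as a document.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1)$", re.I)
# Explorer extracts a file opened directly from a ZIP into %TEMP%\Temp1_<archive>.zip\
ZIP_TEMP = re.compile(r"\\temp\d*_[^\\]+\.zip\\", re.I)
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".au3")


@dataclass
class ProcEvent:
    image: str              # full path of the new process
    command_line: str       # its command line
    parent_image: str       # full path of the parent process


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _args(command_line):
    # Split a Windows command line, keeping quoted arguments intact, and drop argv[0].
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)][1:]


def assess(ev):
    """Return the list of suspicious traits found in one event (empty = nothing seen)."""
    findings = []
    image = _basename(ev.image)
    parent = _basename(ev.parent_image)
    scripts = [a for a in _args(ev.command_line) if a.lower().endswith(SCRIPT_EXT)]

    if image in SCRIPT_HOSTS:
        for s in scripts:
            if DOUBLE_EXT.search(s):
                findings.append(f"script disguised as a document: {s}")
            if ZIP_TEMP.search(s):
                findings.append(f"script run straight out of a ZIP archive: {s}")
            if USER_WRITABLE.match(s) and parent == "explorer.exe":
                findings.append(f"user-launched script from a user-writable path: {s}")

    if image == "autoit3.exe":
        if parent in SCRIPT_HOSTS:
            findings.append(f"AutoIt3.exe spawned by script host {parent}")
        if USER_WRITABLE.match(ev.image):
            findings.append(f"AutoIt3.exe running from a user-writable path: {ev.image}")
        for s in scripts:
            if s.lower().endswith(".au3") and USER_WRITABLE.match(s):
                findings.append(f".au3 script loaded from a user-writable path: {s}")
    return findings


def scan(events):
    """Return (index, findings) for every event that raised at least one finding."""
    return [(i, f) for i, ev in enumerate(events) if (f := assess(ev))]


# Constructed sample events: three modelled on the chains in the article, one benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.pdf.vbs"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe",
              r'"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe" "C:\Users\alice\AppData\Local\Temp\script.au3"',
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_report.zip\report.vbs"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
              r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" "C:\Users\bob\Documents\build.au3"',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(f"event {idx}:")
        for f in findings:
            print(f"  - {f}")
```

The benign event (a developer running AutoIt from its Program Files install against a script in Documents) raises nothing, while the first three events each raise two or three findings. Treat the output as triage hints rather than a blocking rule: AutoIt is widely used for legitimate automation, so the combination of traits, not any single one, is what should drive an alert.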

Once DarkGate is running, its operators can use it to deploy further malware on the compromised system, including information stealers, ransomware, malicious remote management tools, and cryptocurrency miners.

As long as external messaging is allowed, or abuse of trusted relationships through compromised accounts goes unchecked, this initial-access technique can be used with any instant messaging app.