DarkGate Malware Spreading via Messaging Services Posing as PDF Files

Cyber Security Threat Summary:
The DarkGate malware is being spread through messaging platforms like Skype and Microsoft Teams. It disguises itself as a PDF document, but contains a harmful script that downloads and runs the malware. It’s uncertain how the attackers compromised the messaging app accounts, but it’s suspected to be due to leaked credentials or a previous compromise of the organization.

DarkGate, initially discovered by Fortinet in November 2018, is a versatile malware that steals data, mines cryptocurrency, executes discovery commands, performs keylogging, and allows remote control of infected devices. It’s also used to download other malicious payloads like Remcos RAT. Lately, there has been a surge in social engineering campaigns to distribute the malware, using tactics like phishing emails, and search engine optimization tricks. The malware was advertised on underground forums and offered as service to other malicious actors. These attacks have primarily been detected in the Americas, followed by Asia, the Middle East, and Africa. The use of Microsoft Teams for spreading Dark Gate was highlighted earlier, indicating it’s being used by multiple threat actors.

Security Officer Comments:
In this instance, the attack was identified and controlled before the attacker could achieve their goals. However, it’s worth noting that the attacker’s intentions may change based on the affiliates involved. Cybercriminals can use these tools to infect systems with various types of malware, including data theft programs, ransomware, malicious remote management tools, and cryptocurrency miners. In the specific incident discussed, Skype was legitimately used to communicate with third party suppliers, making it easier for the attacker to infiltrate and entice users into accessing the malicious file. The initial target was just a stepping stone used to infiltrate the entire environment. The nature of the threat can vary depending on the specific group that acquired or leased the DarkGate malware variant. This could range from ransomware attacks to cryptocurrency mining. Further, researcher's highlight there is a common association of DarkGate used with tooling linked to the Black Basta ransomware group.

Suggested Correction(s):
As long as external messaging remains permissible or the abuse of trusted relationships through compromised accounts goes unaddressed, this initial entry technique can be employed with instant messaging applications. When introducing new applications to an organization, it’s crucial to implement security measures to limit the organization’s attack surface. For IM applications, organizations should exert control by enforcing rules like blocking external domains, regulating attachments, and if feasible implementing scanning. Utilizing multi-factor authentication is strong advised to enhance security, even for instant messaging applications, in case valid credentials are compromised. Also, application allowing listing is an effective defensive strategy that can be applied to endpoints via policies, ensuring that users can only access and execute specific applications.