Researchers have observed threat actors leveraging compromised Skype and Microsoft Teams accounts to target businesses with a known malware called DarkGate.
The global malware campaign, which occurred between July and September, mostly targeted organizations in the Americas region. The attackers used messaging platforms like Skype and Teams to deliver a VBA loader script to victims, which led to the DarkGate malware. Once executed, this malware also downloaded a number of additional payloads on victim systems.
“In the main case discussed, the Skype application was legitimately used to communicate with third-party suppliers, making it easier to penetrate and/or lure the users in accessing the malicious file,” said Trent Bessell, Ryan Maglaque, Aira Marcelo, Jack Walsh and David Walsh, researchers with Trend Micro in an analysis last week. “The recipient was just the initial target to gain a foothold in the environment. The goal is still to penetrate the whole environment, and depending on the threat group that bought or leased the DarkGate variant used, the threats can vary from ransomware to cryptomining.”
Researchers said that it is unknown how the instant messaging accounts were compromised, but the campaign demonstrates two things: threat actors can take advantage of external messaging features in these platforms when organizations leave them enabled, and they can use those features for social engineering attacks that are difficult to detect.
In the attacks involving Skype, for instance, the threat actor would hijack existing chat threads with other contacts and create files with naming conventions that related to the context of these previous conversations. In one incident, the attacker used an account that was an external supplier for the target’s company.
Attackers also relied on Microsoft Teams messages to send malicious links to organizations that had allowed users to receive messages from external users. In one case, the attacker posed as an HR specialist for a company and sent out a Teams message that notified recipients that keys and a bag had been lost at the office, and prompted them to view a purported picture of the lost items. This attack was slightly easier to detect, as Teams clearly labels external senders when they are outside of an organization.
From a threat perspective, the use of DarkGate - a commodity malware that was first documented in 2017 - in these attacks is also notable. Once successfully downloaded, DarkGate has a number of capabilities. The malware can perform directory traversal, deploy remote access software (such as RDP and AnyDesk), steal browser data, and perform cryptomining, privilege escalation and keylogging. Like several other malware families, DarkGate also abuses the legitimate AutoIT automation and scripting tool to help deliver these capabilities. The malware has been used in an increasing number of initial-access attacks since it was advertised on a popular underground forum in May 2023. This latest version of the malware appears to have the same infection chain as previous iterations; however, tweaks have been made to the initial stager and to the malware’s level of obfuscation.
The use of messaging systems for initial access in campaigns is nothing new, but because this vector continues to work, attackers continue to rely on it. In September, researchers with Microsoft warned that threat actors were delivering lures through Teams in order to target organizations with ransomware. And in August, researchers discovered threat actors posing as security or technical support representatives in Microsoft Teams chats with the aim of compromising targets’ Microsoft 365 accounts.
For security teams, these attacks show the importance of applying layered security controls whenever a new application, including a messaging platform, is introduced into an organization.
“In this case, IM [instant messaging] applications should be controlled by the organization to enforce rules such as blocking external domains, controlling attachments, and, if possible, implementing scanning. Multifactor authentication (MFA) is highly recommended to secure applications (including IM ones) in case of valid credentials’ compromise,” said Trend Micro researchers. “This limits the potential proliferation of threats using these means.”
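The controls the researchers recommend (restricting external domains, blocking consumer accounts, and scanning shared files) map directly onto tenant settings in Microsoft Teams and Defender for Office 365. The following is an added example of how an administrator would apply them with the MicrosoftTeams and ExchangeOnlineManagement PowerShell modules; it is not code from the Trend Micro analysis or from Microsoft. It assumes you hold the Teams Administrator and Security Administrator roles, have both modules installed, and the supplier domain names in the allow list are constructed placeholders.

```powershell
# Added example (not from the Trend Micro analysis): hardening external messaging in
# Microsoft Teams against the Skype/Teams lure pattern described in the article.
# Assumptions: MicrosoftTeams and ExchangeOnlineManagement modules are installed and the
# signed-in account holds the Teams Administrator and Security Administrator roles.

Connect-MicrosoftTeams

# 1. Record the current external-access posture before changing anything, so the
#    change can be reviewed and rolled back if a legitimate partner is cut off.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer,
                  AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains

# 2. Replace open federation with an explicit allow list of the business partners that
#    genuinely need to message staff. The domains below are constructed placeholders.
#    Note: a tenant cannot carry both an allow list and a block list; clear BlockedDomains
#    first if one is configured, otherwise the Set call is rejected.
$partnerDomains = @("supplier-one.example", "supplier-two.example")
$patterns  = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 3. Cut off consumer Skype and personal Teams accounts entirely. The campaign used
#    external chat as its delivery channel, and consumer identities sit outside the
#    organization's MFA and conditional-access policies.
Set-CsTenantFederationConfiguration -AllowPublicUsers $false `
                                    -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# 4. Enable Safe Attachments scanning for files shared through Teams, SharePoint and
#    OneDrive, which is the Defender for Office 365 setting that covers files dropped
#    into chat threads. This addresses the "implementing scanning" recommendation.
Connect-ExchangeOnline
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# 5. Verify the resulting configuration.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer, AllowedDomains
Get-AtpPolicyForO365 | Select-Object EnableATPForSPOTeamsODB
```

The allow list is the key decision: in the Skype incident the sender was a genuine supplier account, so domain restrictions alone do not stop an attacker who has already taken over a partner identity. That is why the researchers pair domain control with attachment scanning and MFA; the MFA requirement itself is enforced through Conditional Access on the organization's own identities and is not covered by these cmdlets.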