Get technical details on how this new attack campaign is delivered through Microsoft Teams and how to protect your business from this loader malware.
A new report from global cybersecurity firm Truesec reveals a new attack campaign exploiting Microsoft Teams to infect enterprise users. Although the attacker’s motivation remains unknown, this DarkGate loader malware could allow its author to seek financial gain or cyber espionage.
What is DarkGate malware?
DarkGate is a loader malware written in Delphi: its purpose is to download and execute other malware once it runs on an infected computer. The additional malware is downloaded directly into memory on 32- and 64-bit architectures, which makes it harder to detect because it never resides on the file system.
Other mechanisms implemented in the malware make its analysis more difficult:
- Anti-VM: The malware tests for known hardware IDs used in virtual machines.
- Anti-sandbox: The malware looks for known user names and credentials used by sandbox software.
- Anti-virus: The malware checks for the presence of several antivirus products.
- Anti-debugging: The malware often looks for a debugger attached to the process.
- Disk space and memory checks: The malware can be configured to run only with a minimum disk/memory size.
Depending on the results of all these checks, the malware may change its behavior and possibly stop working.
DarkGate has persistence features that can be enabled in its configuration. In this case, it stores a copy of itself on the hard drive and creates a registry key to run on reboot.
Although DarkGate is primarily a third-party malware loader, it still has some built-in functionality.
- Collecting information: DarkGate is able to query the system for information about the currently logged-in user, installed software, running processes and more, which it sends to the C2 server. It can also collect files from the system and send them to the C2 server, as well as take screenshots.
- Credential theft: DarkGate is capable of stealing passwords and cookies from browsers, email software and other software such as Discord or FileZilla. To achieve this goal, the malware uses several legitimate free tools from the popular NirSoft website.
- Cryptomining capabilities: DarkGate is capable of starting, stopping and configuring a cryptominer.
- Remote access tool capabilities: DarkGate can initiate a virtual network connection and execute commands.
How a new attack spreads DarkGate loader via Microsoft Teams
The attack consists of messages sent through Microsoft Teams by a malicious actor using two compromised Teams accounts that had been offered for sale on the Dark Web. These accounts were used to send social engineering content designed to convince users to download and open a malicious archive file (Figure A).
Once the zip file is opened, it shows the user a malicious LNK (shortcut) file masquerading as a PDF document (Figure B).
Clicking the LNK file runs a command line that launches a VBScript file, which in turn downloads the AutoIT interpreter and runs it. A precompiled AutoIT script is also downloaded and executed by the AutoIT interpreter.
In this attack campaign, the AutoIT script checks for the presence of Sophos antivirus; other campaigns might look for other antivirus solutions. If the antivirus is not installed, the script downloads shellcode which in turn downloads a file, byte by byte, using the stacked string technique in an attempt to remain undetected. This final payload is the DarkGate loader malware.
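As an added example (not code from the Truesec report or from the DarkGate analysis), the following Python walks process-creation records and flags the chain described above: explorer.exe launching a script host (cmd, wscript, cscript, PowerShell) that ends up running the AutoIT interpreter on an .au3 script from a user-writable path. The Sysmon-style field names and the sample records are constructed assumptions, not real telemetry.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# Illustrative records only; the benign AutoIt entry at the end is there for contrast.
SAMPLE_EVENTS = [
    {"pid": 4112, "ppid": 900,  "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 5120, "ppid": 4112, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c wscript.exe C:\Users\alice\AppData\Local\Temp\update.vbs"},
    {"pid": 5301, "ppid": 5120, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\alice\AppData\Local\Temp\update.vbs"},
    {"pid": 5402, "ppid": 5301, "image": r"C:\Users\alice\AppData\Local\Temp\Autoit3.exe",
     "cmd": r"Autoit3.exe C:\Users\alice\AppData\Local\Temp\script.au3"},
    {"pid": 6001, "ppid": 4112, "image": r"C:\Program Files\AutoIt3\AutoIt3.exe",
     "cmd": r'AutoIt3.exe "C:\Users\alice\Documents\backup.au3"'},
]

SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Locations a standard user can write to; a legitimate AutoIt install lives elsewhere.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads)|ProgramData|Windows\\Temp)\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(events, pid):
    """Return the image names from the given process up to the root, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain

def find_darkgate_chain(events):
    """Flag AutoIt interpreters running an .au3 script from a user-writable path
    whose parent is a script host that itself descends from explorer.exe."""
    hits = []
    for e in events:
        if basename(e["image"]) != "autoit3.exe" or ".au3" not in e["cmd"].lower():
            continue
        if not (USER_WRITABLE.search(e["image"]) or USER_WRITABLE.search(e["cmd"])):
            continue
        chain = ancestry(events, e["pid"])  # chain[0] is autoit3.exe itself
        if len(chain) > 2 and chain[1] in SCRIPT_HOSTS and "explorer.exe" in chain[2:]:
            hits.append((e["pid"], " <- ".join(chain)))
    return hits

if __name__ == "__main__":
    for pid, chain in find_darkgate_chain(SAMPLE_EVENTS):
        print(f"suspicious AutoIt chain pid={pid}: {chain}")
```

The benign record (AutoIt installed under Program Files, script under Documents, started directly by explorer) is not reported, so the rule keys on the combination of lineage and location rather than on AutoIt alone.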
DarkGate’s business model
The DarkGate loader was announced in June 2023 by its developer RastaFarEye (Figure C), as shown in a report from the German company Telekom Security.
The threat actor limited the malware-as-a-service to just 10 affiliates at a monthly price of $15,000, or $100,000 for a full year.
RastaFarEye also provided a video showing the malware generator and control panel (Figure D).
DarkGate’s capabilities make it a tool of choice for cybercriminals interested in financial fraud or threat actors interested in conducting cyberespionage campaigns.
In addition to developing the DarkGate loader, RastaFarEye has advertised other malware of their own, including for Mac operating systems. The cybercriminal also offered Extended Validation certificate creation services.
How to protect yourself against the threat of DarkGate malware
In this attack campaign, the threat actor sent messages via Microsoft Teams to organizations that use it. Allowing Microsoft Teams chat requests from external domains that do not belong to the organization is therefore strongly discouraged; only whitelisted external domains should be permitted to send chat requests.
Other attack campaigns that delivered the DarkGate loader used emails to try to trick the target into opening a malicious file. It is therefore also advisable to deploy security solutions that analyze URLs contained in emails in addition to attached files.
All operating systems and software should be up to date and patched to avoid being compromised by common vulnerabilities.
Multi-factor authentication should be deployed wherever possible, so that even a malicious actor in possession of valid credentials still cannot gain access to the enterprise environment.