Rewterz Threat Alert – DarkGate Operator Utilizing Skype and Teams Messages to Distribute Malware – Active IOCs

Severity

High

Analysis Summary

During July and September, malicious activity regarding DarkGate malware has increased as threat actors used compromised Skype accounts to spread the malware using messages with attachments containing VBA loader scripts.

The researchers who discovered the attacks state that this script downloads a second-stage AutoIT script that is made to drop and execute the final payload of DarkGate malware. They have also noticed the threat actors attempting to push the malware payload through Microsoft Teams.

“Access to the victim’s Skype account allowed the actor to hijack an existing messaging thread and craft the naming convention of the files to relate to the context of the chat history” the researchers said.

They also noted that the method of compromise for the original accounts of the instant messaging applications remains unclear, but it is speculated to have occurred either through leaked credentials available on underground forums or as a result of a prior breach of the parent organization.

The phishing campaigns using Teams mainly target organizations that have the service configured to allow messages from external users. They use malicious VBScript to deploy the malware. The Teams users were targeted using compromised Office 365 accounts from outside their organizations and the threat actors also used a publicly available tool called TeamsPhisher. This tool helps the attackers in bypassing security restrictions for incoming files from external tenants and easily send phishing attachments to the targeted users.

“The goal is still to penetrate the whole environment, and depending on the threat group that bought or leased the DarkGate variant used, the threats can vary from ransomware to cryptomining,” said the cybersecurity experts.

They also stated that, based on their telemetry data, DarkGate has been observed to frequently trigger the detection of tools commonly linked to the Black Basta ransomware group.

The usage of DarkGate malware has been increasing significantly as more cybercriminals adopt it for initial access into corporate networks. This rising trend has been observed mainly after the infamous Qakbot botnet was dismantled in August.

The recent rise in DarkGate activity highlights the ever-increasing influence of this malware-as-a-service within the cyber landscape. The threat actors seem determined to continue their malicious activity and are open to adapt their tactics and methods despite challenges and disruptions.

The security firm suggests that organizations should establish guidelines for the use of instant messaging applications like Skype and Teams. These guidelines should encompass measures such as blocking external domains, regulating attachment usage, and, if feasible, implementing scanning measures. Additionally, the adoption of multifactor authentication is deemed essential to thwart threat actors from exploiting illegally acquired credentials to compromise IM accounts.

Impact

• Sensitive Data Theft
• Cryptocurrency Theft

Indicators of Compromise

Domain Name

• msteamseyeappstore.com
• drkgatevservicceoffice.net
• reactervnamnat.com
• coocooncookiedpo.com
• wmnwserviceadsmark.com
• onlysportsfitnessam.com
• marketisportsstumi.win

IP

• 5.188.87.58

MD5

• b4fd44e63cbdcfdb6e3b9b797a28d550
• a7f92838289792ecd48b669c3bb9174b
• a2ede3645e5fd1a69bb22dfda230f43c
• 7769b0dcb515be6a7c5ea76fc26c7cc5
• c139513317ef0ffed5d08404ad6eea32
• 62cc8460c1ee5fc149fd33a0144a0418
• d1ff5f9319008d5f88bffba1d0336b15
• e346a1723f320690d40ec58e902c0367
• 6aaac3b6d0f0c941a770b0c3a0982cd5
• 6b747047b434c5bac00bb7a38a18f9dc
• 6c703199b68c0b5f7eada45cba75ecb1
• 2d4dc0c4d38a5c22112d2c1897b1fb74
• 742dceba84373f3522407e3fb29131c6
• 627135375accdb410a41845271ae6de9
• f2f1d325bb3ad9707fec6d662824b5d3
• 2cbef9f6a0319ec629176384edb2568d
• 8ae13d24653b39d4252f63239f55fd84
• 21b2018cac6dcad0cb0bb03621ce0ab6
• 6ab2a8192b4789b37bf75b0e94d24b63
• 745276e405933d191babb7a28cd20a42
• 8cceee6df7cdd1b9326f0fc38da6b3a0
• 8ec13f2f9dae22f4766106fd9050ef0a
• f774ab2051330bd5580a3d48a382e8b2

SHA-256

• af85ace1fd89e4c76efdda065cc2fc44de987bfd75f9f6850610327526c97d4b
• a4d510086d38235777525d6b9a12c48f2949e8db975bf002b49dbd3d7291d23c
• ce580754d21094c5c1e0ad7a6775de099bb4607dac68566ec330d4ffa7175a91
• e3de74adc844b6757bf344fc8785e37e31d452722ee8473bcdde59434e6081f5
• 9e3e7e78347eb088d980175e3fdb11bfaee2a0c5eed2a63c67e7cea1c8cb5b6a
• 0c4c9cdd8666d2abe9fb164e8248d9fc6d200312ecd6609a5bb92cb55fe1895c
• c0534a54c47c6678d61d184e7586532492540ca1445cfa6c015cd11db0fb220b
• 567b4d6396f4afded1435732c53d75661743ee3874a06503b85e6fc3ada306e8
• c27d195fc108ded422e5d820d1d35fb4365be6a727d98e2bb21b416110059e75
• 25f2796c26f2e63c7e730d3a00422947ff1648c681b1ae6a8d6f78268482bb59
• 9684306c9455e7f54fccdd18e6631d4f9d490bc17283f4189ca8a475bb28ceb8
• 35a2e0dddc7c881d3bd4935cbc971cd40ff9a7f74f88ca3c29f968e698e1d124
• e3685bae93303d1fd375f01f300f05a5afd0e50accc75d87ffad6ba5bfcd4975
• 9a046c6319c8c586c577f8754ce16570a23849acae600fd03bd552aa256546e9
• 74d94eb055228ca7f9ec187d2cffd4ba4acd19627f5b8cb6e7b498d0209b2451
• b1ad0fa862d75152f5c8faa7be32a3db020e4299c1b41777d36b8ba2b4b51e72
• 1bbbdfba95038196e56755ae6c09fba4fb3d224a9082a0c3bc1191c01174d674
• 51352a550da2304a5bfd53ea0c8b12f36c1d36c6a06f1b4db955d4ccf2c80425
• dc6aa6ad03f1143df2142e3a78b2789db1b3c6b0c8efc0a413a2495f20bedcea
• 1cd0f22fb09e11d3565bff222b468581724c09642dda5b4e6619df871f0138bd
• 17a5748ebfadb68975b0350a3d42656ce596582282f59d51d1c3ec722283659a
• 4d16a8c53aa578f2447def0cc1660f381824e37e15acef80b085385823536c34
• 1bd1d8537de0c8cb5014684ca9b3abb15fba95ed4fe02810a6356b927d4c0108

SHA-1

• 4ed69ed4282f5641b5425a9fca4374a17aecb160
• a85664a8b304904e7cd1c407d012d3575eeb2354
• 924b60bd15df000296fc2b9f179df9635ae5bfed
• cec7429d24c306ba5ae8344be831770dfe680da4
• d9a2ae9f5cffba0d969ef8edbbf59dc50586df00
• 381bf78b64fcdf4e21e6e927edd924ba01fdf03d
• 9253eed158079b5323d6f030e925d35d47756c10
• 0e7b5d0797c369dd1185612f92991f41b1a7bfa2
• e47086abe1346c40f58d58343367fd72165ddecd
• 93cb5837a145d688982b95fab297ebdb9f3016bc
• f7b9569a536514e70b6640d74268121162326065
• d40c7afee0dd9877bbe894bc9f357b50e002b7e2
• 1f550b3b5f739b74cc5fd1659d63b4a22d53a3fc
• 3229a36f803346c513dbb5d6fe911d4cb2f4dab1
• 6585e15d53501c7f713010a0621b99e9097064ff
• 001e4eacb4dd47fa9f49ff20b5a83d3542ad6ba2
• ad1667eaf03d3989e5044faa83f6bb95a023e269
• a3516b2bb5c60b23b4b41f64e32d57b5b4c33574
• e6347dfdaf3f1e26d55fc0ed3ebf09b8e8d60b3f
• 3cbbdfc83c4ef05c0f5c37c99467958051f4a0e1
• f3a740ea4e04d970c37d82617f05b0f209f72789
• e6e4c7c2c2c8e370a0ec6ddb5d998c150dcb9f10
• 45a89d03016695ad87304a0dfd04648e8dfeac8f

URL

• http://corialopolova.com/vHdLtiAzZYCsHszzP118.bin

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
• Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
• Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
• Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
• Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
• Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
• Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.