In the last month, the Netskope Threat Labs team noticed a big increase in malware being spread through SharePoint. This happened because some cyber attackers used Microsoft Teams and SharePoint to trick people into downloading the malware, called DarkGate.
DarkGate is a malware that was first found in 2018. It has been used in many attacks recently.
People like using DarkGate because it can do a lot of harmful things like taking control of a computer, recording what you type, stealing information, and even downloading more bad software. DarkGate can also be used to start even bigger attacks, like locking up your files and asking for money to unlock them.
Recently, Netskope found a new version of DarkGate being spread using a special file called MSI. They used a method similar to something called Cobalt Strike Beacon to make it work.
Let’s take a closer look at how MSI will infect your system
The infection process begins with a deceptive email that pretends to be an invoice. This email carries a PDF document, which, when opened, reveals a template resembling a DocuSign document. This is designed to trick the user into thinking they need to review a document.
When the user clicks on the document, it triggers the execution of an MSI file. This sets off a series of steps that load various elements, all contained within another file known as a CAB file, which is stored inside the MSI.
Additionally, Trend Micro has noted that the DarkGate operators have attempted to distribute their malware through Microsoft Teams in organizations that allow messages from external users.
In the past, Truesec and MalwareBytes have identified phishing campaigns in Teams that utilize harmful VBScript to deploy the DarkGate malware.
Despite its age, DarkGate remains a prominent threat, exhibiting heightened activity in recent times. The DarkGate malware loader has witnessed a substantial surge in cybercriminal interest, becoming a favoured tool for gaining initial access to corporate networks. This uptick in usage garnered attention, especially after the successful disruption of the Qakbot botnet in August, underscoring the impact of international collaborative efforts.
In the lead-up to the dismantling of the Qakbot botnet, an individual claiming to be DarkGate's developer sought to peddle subscriptions on a hacking forum, floating the possibility of an annual fee as high as $100,000.
Various campaigns have employed diverse delivery and loading techniques, accompanied by the introduction of new malware functionalities. This demands vigilant efforts from the security community. Netskope Threat Labs is committed to monitoring the evolution of DarkGate malware and its Tactics, Techniques, and Procedures (TTPs).
