
DarkGate Malware Operators on a Phishing Spree

Vectors Include Teams Phishing and Malvertising
Nothing good comes from opening DarkGate. (Image: Shutterstock)

Advertising on Russian-language criminal forums is paying off for the author of the DarkGate malware, as reflected in a spike in infections, including an unusual phishing campaign that delivers the loader through HR-themed social engineering messages on Microsoft Teams.


Cyber defenders first spotted the DarkGate commodity loader in 2018. Researchers from Deutsche Telekom said in late August that the loader's developer began renting the malware out to a limited number of affiliates this summer. "Before that, the malware was only used privately by the developer," the researchers said, offering this as the explanation for the intensified email spam campaigns luring victims into downloading DarkGate.

In June 2023, ZeroFox reported that someone claiming to be the original author of DarkGate had advertised access to the malware, limited to just 10 customers, for an annual price of $100,000.

Researchers from TrueSec now say they have spotted threat actors abusing compromised Office 365 accounts to send Microsoft Teams phishing messages carrying the DarkGate loader to an unnamed organization. The bait was a link to a SharePoint-hosted file named "Changes to the vacation schedule.zip." Microsoft's Safe Attachments and Safe Links protections for Teams did not detect or block the attack, TrueSec said.
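Because the built-in Safe Attachments and Safe Links checks did not stop this lure, a defender may want a triage rule of their own over Teams chat records. The following is an added example written for this article, not TrueSec's or Microsoft's code: it flags messages that combine a sender outside the organisation's own tenant with a link to an archive file, and annotates SharePoint hosting and HR-themed wording. The record schema, the home domains, the keyword list and the sample messages are all constructed assumptions; real Teams audit exports use a different format.

```python
import json
import re
from urllib.parse import urlparse, unquote

# Constructed sample of Teams chat records in a simplified, made-up schema
# (not Microsoft's audit-log format). Two benign internal chats plus one
# message modelled on the HR-themed lure described above.
SAMPLE_MESSAGES = json.dumps([
    {"sender": "alice@example.com", "recipient": "bob@example.com",
     "text": "Draft slides: https://example.sharepoint.com/:p:/s/sales/deck.pptx"},
    {"sender": "hr-notices@contoso-partners.com", "recipient": "bob@example.com",
     "text": "Please review: Changes to the vacation schedule "
             "https://contosopartners-my.sharepoint.com/:u:/g/personal/hr/"
             "Changes%20to%20the%20vacation%20schedule.zip"},
    {"sender": "carol@example.com", "recipient": "bob@example.com",
     "text": "Lunch at noon?"},
])

HOME_DOMAINS = {"example.com"}  # assumed: the organisation's own tenant domains
# Container formats commonly used to smuggle loaders past attachment scanning.
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".img", ".vhd")
# Assumed lure vocabulary; extend from your own phishing reports.
HR_KEYWORDS = ("vacation", "schedule", "payroll", "salary", "benefits", "holiday", "leave")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_external(sender: str) -> bool:
    """True when the sender's mail domain is not one of the home tenant domains."""
    return sender.rsplit("@", 1)[-1].lower() not in HOME_DOMAINS


def archive_links(text: str) -> list[str]:
    """Return URLs in the message whose (percent-decoded) path ends in an archive extension."""
    hits = []
    for url in URL_RE.findall(text):
        path = unquote(urlparse(url).path).lower()
        if path.endswith(ARCHIVE_EXT):
            hits.append(url)
    return hits


def triage(records_json: str) -> list[dict]:
    """Flag chats that pair an external sender with an archive download link.

    Returns one finding per suspicious message with the reasons attached;
    an external sender alone is normal in federated tenants, so it is not
    enough on its own to raise a finding.
    """
    findings = []
    for rec in json.loads(records_json):
        reasons = []
        external = is_external(rec["sender"])
        if external:
            reasons.append("sender outside home tenant")
        links = archive_links(rec["text"])
        if links:
            reasons.append("link to archive file")
            if any((urlparse(u).hostname or "").endswith(".sharepoint.com") for u in links):
                reasons.append("archive hosted on SharePoint")
        if any(k in rec["text"].lower() for k in HR_KEYWORDS):
            reasons.append("HR-themed lure wording")
        if external and links:
            findings.append({"sender": rec["sender"], "recipient": rec["recipient"],
                             "links": links, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_MESSAGES):
        print(f["sender"], "->", f["recipient"], "|", "; ".join(f["reasons"]))
```

Run against the constructed sample, only the "vacation schedule" message is returned, with all four reasons attached. The rule deliberately keys on the archive link rather than on SharePoint itself, since legitimate partners share SharePoint links every day; SharePoint hosting is recorded as context for the analyst, not as a trigger.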

Researchers from Kaspersky said DarkGate's capabilities include a hidden VNC, adding Windows Defender exclusions, browser history theft, a reverse proxy, file management and Discord token theft. These features "go beyond typical downloader functionality," they wrote.

Malwarebytes in late August uncovered an additional DarkGate infection vector: malvertising. The actors behind the dropper bought ads on Google search. Victims who clicked on the ad landed on a fake webpage masquerading as the site of a popular network scanning tool, offering a download that contained the legitimate app "but also some extra files," i.e., DarkGate.


About the Author

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.



