DarkGate Opens Organizations for Attack via Skype, Teams

Conclusion and recommendations

In this case study, the attack was detected and contained before the actor could achieve their objectives. However, we’ve noted that given the attacker’s previous pivot to advertising and leasing DarkGate, the objectives of the attacker might vary, depending on the affiliates involved. Cybercriminals can use these payloads to infect systems with various types of malware, including info stealers, ransomware, malicious and/or abused remote management tools, and cryptocurrency miners.

In the main case discussed, the Skype application was legitimately used to communicate with third-party suppliers,making it easier to penetrate and/or lure the users in accessing the malicious file. The recipient was just the initial target to gain a foothold in the environment. The goal is still to penetrate the whole environment, and depending on the threat group that bought or leased the DarkGate variant used, the threats can vary from ransomware to cryptomining. From our telemetry, we have seen DarkGate leading to tooling being detected commonly associated with the Black Basta ransomware group.

As long as external messaging is allowed, or abuse of trusted relationships via compromised accounts is unchecked, then this technique for initial entry can be done to and with any instant messaging (IM) apps. The introduction of any new application to an organization should be accompanied by measures for securing and limiting that organization’s attack surface. In this case, IM applications should be controlled by the organization to enforce rules such as blocking external domains, controlling attachments, and, if possible, implementing scanning. Multifactor authentication (MFA) is highly recommended to secure applications (including IM ones) in case of valid credentials’ compromise. This limits the potential proliferation of threats using these means.

Application allowlisting is a good defense mechanism to deploy to hosts through policies and ensures that end users can only access and execute certain applications. In this instance, the AutoIt application is rarely required to be resident or run on end-user machines.

Although the arrival vector of the threat is nothing new, it shows that cybersecurity should start as left of attacks and infection routines as possible. Regardless of rank, organizations should regularly conduct and implement informative methods to continuously raise user security awareness among employees during training.  More importantly, the aim is to empower people to recognize and protect themselves against the latest threats. Hijacked threads, either via email or instant message, rely on the recipient believing that the sender is who they say they are and therefore can be trusted.  Empowering users to question this trust and to remain vigilant can therefore be an important factor in raising security awareness and confidence.

This case highlights the importance of in-depth, 24/7 monitoring, defense, and detection via Trend Micro™ Managed XDR, included in Trend Service One™,as the responsiveness of our security analysts to detect and contain threats from progressing to high severity compromise plays an important role in shifting tactics, techniques, and procedures (TTPs). Organizations should also consider Trend Vision One™, which offers the ability to detect and respond to threats across multiple security layers. It can isolate endpoints, often the source of infection, until they are fully cleaned, or until the investigation is done.the investigation is done.

For Trend Vision One customers, here are some of the Vision One search queries for DarkGate:

  • processFilePath:wscript.exe AND objectFilePath:cmd.exe AND objectCmd:(au3 OR autoit3.exe OR curl) AND eventSubId: 2

“cmd.exe” spawns “curl.exe”, which will retrieve the legitimate AutoIt application and the associated malicious .au3 (.au3 representing a AutoIt Version 3 script file). From the query eventSubId: “2” indicates TELEMETRY_PROCESS_CREATE

  • parentFilePath:cmd.exe AND processFilePath:curl.exe AND processCmd:*http* AND objectFilePath:*vbs AND eventSubId:101

Check for any VBScript download via curl. From the query, “eventSubId: 101” indicates TELEMETRY_FILE_CREATE

Indicators of Compromise (IOCs)

Download the indicators here.