Microsoft Teams used to spread burgeoning DarkGate malware

Researchers have seen a spike in the distribution of DarkGate, a sophisticated malware most recently spread through a phishing campaign using compromised Microsoft Teams accounts.

Although DarkGate’s history dates back to late 2017, it was relatively unknown until the middle of this year when distribution of an enhanced version of the malware was observed through email phishing and malvertising campaigns.

The burgeoning activity has been linked to an attempt by the malware’s developer to expand their affiliate network, offering DarkGate as part of a ransomware-as-a-service for $100,000 a year.

In a Sept. 6 blog post, Trusec senior cybersecurity consultant Jakob Nordenlund said his firm’s incident response team observed compromised Microsoft 365 accounts sending Teams chat messages with links to malicious files as part of a phishing campaign with a DarkGate loader as the payload.

Targets were prompted to open a ZIP file purportedly containing a changed staff vacation schedule for their organization. The ZIP file contained a malicious LNK (shortcut) file disguised as a PDF document. If clicked on, it ultimately resulted in DarkGate malware being executed on the target system.

In his post, Nordenlund said the external chat messages were only detected because the recipients had security awareness training.

“Unfortunately, current Microsoft Teams security features such as Safe Attachments or Safe Links was not able to detect or block this attack,” he said.

“Right now, the only way to prevent this attack vector within Microsoft Teams is to only allow Microsoft Teams chat requests from specific external domains, albeit it might have business implications since all trusted external domains need to be whitelisted by an IT administrator.”

A similar issue was raised in June by Jumsec researchers who pointed out the potential risk of threat actors being able to send Teams messages from one Microsoft “tenancy” (corporate environment) to another. But Microsoft said inter-tenancy Teams messaging was a feature, not a bug and, like Nordenlund, pointed out its customers could block or restrict incoming external messages.

Touting for business, dark web style

Last month, threat analyst 0xToxin and Deutsche Telekom Security analyst Fabian Marquardt both posted about new email phishing campaign with DarkGate as the payload, while Malwarebytes director of threat intelligence Jérôme Segura outlined a DarkGate malvertising campaign.

Two months earlier, ZeroFox circulated a dark web forum post by a threat actor calling themselves “RastaFarEye” who appeared to be the developer of DarkGate.

The poster said they had spent over 20,000 hours since 2017 developing the malware which they described as “the ultimate tool for pentesters/redteamers.”

The threat actor said they were offering DarkGate to a small number of new affiliates and had “4/10 slots available.” The non-negotiable price to use the malware was $1000 for a day, $15,000 for a month, or $100,000 for a year.

“We have added the option of buying a package for one day so that you can check the quality of the product and get an impression,” the post read.

While it is possible the recent spike in attacks may be linked to threat actors responding to RastaFarEye’s bid to hire out DarkGate as a ransomware-as-a-service offering, it is not known whether any threat actors have taken up the offer to become affiliates for $100,000 a year asking price.