DarkGate malware is transmitted via hacked Skype accounts

DarkGate malware attacks, observed from July to September, have been spreading through compromised Skype accounts.
Security researchers from Trend Micro discovered these attacks, which involve messages containing VBA loader script attachments.
The VBA script downloads a second-stage AutoIT script responsible for executing the final DarkGate malware payload.
The attackers gained access to victims’ Skype accounts, hijacked existing messaging threads, and named the attached files to match the context of the chat.
How the instant messaging accounts were compromised is unclear, but leaked credentials from underground forums or previous compromises of parent organizations are suggested as potential sources.
DarkGate operators have also tried to distribute their malware through Microsoft Teams, targeting organizations with configurations allowing external messages.
Cybercriminals have increasingly adopted DarkGate for initial access into corporate networks, especially since the disruption of the Qakbot botnet.
The malware-as-a-service operation has grown in prominence, indicating cybercriminals’ persistence and adaptability in their attack strategies.

