Summary:
DarkGate Loader offered as Malware-as-a-Service, has surged in malspam campaigns adopting Microsoft Teams for distribution via HR-themed chat messages. By utilizing Microsoft Purview's eDiscovery tool, the senders behind these Teams messages were unmasked as "Akkaravit Tattamanas" and "ABNER DAVID RIVERA ROJAS." Researchers confirmed that these accounts were compromised and traded on the Dark Web. AADInternal's OSINT tool enabled further investigation into the related O365 tenant and associated domains. Both senders shared an identical message containing a link to an externally hosted file, "Changes to the vacation schedule.zip," hosted on their SharePoint sites. This link led victims to the SharePoint sites for downloading the seemingly innocuous file, which Microsoft Defender later flagged as malware, specifically "BAT/Tisifi.A#."
The campaign's ultimate payload was the subject of scrutiny, beginning with the discovery of a malicious LNK file within the ZIP archive, masquerading as a PDF document named "Changes to the vacation schedule.pdf.lnk." Analysis of this LNK file using Eric Zimmerman’s “LECmd.exe” revealed the command it would execute upon opening. This command initiated the download and execution of a file from a malicious URL. Autoit3.exe and the bundled script eszexz.au3 were downloaded and executed. The AutoIT script concealed its code within the file by identifying the magic bytes. Following execution, AutoIT deposited a file with shellcode, first checking for the presence of Sophos antivirus. If Sophos was absent, additional code within the AutoIT script deobfuscated to launch the shellcode. This shellcode, loaded "byte by byte," created a new file with initial bytes indicating a Windows executable. The payload was subsequently extracted from memory and examined using PE Studio, identified as DarkGateLoader.
Further insights were gleaned from researchers, which guided the use of their config extractor on the AutoIT script "eszexz.au3" to extract DarkGate malware's configuration. The evolving tactics of DarkGate Loader underscore the importance of vigilant cybersecurity measures to detect and thwart such sophisticated threats. Collaboration and information sharing within the cybersecurity community are crucial in staying ahead of malicious actors and protecting against evolving malware-as-a-service campaigns.
Threat Profile:
References:
The following reports contain further technical details: