DarkGate Malware Spreads Disguised as PDF Files

admin | 2023-10-17 13:52:00 | 53 views | 3,947 characters | 13 min 9 s read

A piece of malware known as DarkGate has been observed being spread via instant messaging platforms such as Skype and Microsoft Teams.

In these attacks, the messaging apps are used to deliver a Visual Basic for Applications (VBA) loader script that masquerades as a PDF document, which, when opened, triggers the download and execution of an AutoIt script designed to launch the malware.

"It's unclear how the originating accounts of the instant messaging applications were compromised, however it is hypothesized to be either through leaked credentials available through underground forums or the previous compromise of the parent organization," Trend Micro said in a new analysis published Thursday.

DarkGate, first documented by Fortinet in November 2018, is a commodity malware that incorporates a wide range of features to harvest sensitive data from web browsers, conduct cryptocurrency mining, and allow its operators to remotely control the infected hosts. It also functions as a downloader of additional payloads such as Remcos RAT.

Social engineering campaigns distributing the malware have witnessed a surge in recent months, leveraging initial entry tactics such as phishing emails and search engine optimization (SEO) poisoning to entice unwitting users into installing it.

The uptick follows the malware author's decision to advertise the malware on underground forums and rent it out on a malware-as-a-service basis to other threat actors after years of using it privately.

The use of Microsoft Teams chat messages as a propagation vector for DarkGate was previously highlighted by Truesec early last month, indicating that the technique is likely being used by several threat actors.

A majority of the attacks have been detected in the Americas, followed closely by Asia, the Middle East, and Africa, per Trend Micro.

The overall infection procedure abusing Skype and Teams closely resembles a malspam campaign reported by Telekom Security in late August 2023, save for the change in the initial access route.

"The threat actor abused a trusted relationship between the two organizations to deceive the recipient into executing the attached VBA script," Trend Micro researchers Trent Bessell, Ryan Maglaque, Aira Marcelo, Jack Walsh, and David Walsh said.

"Access to the victim's Skype account allowed the actor to hijack an existing messaging thread and craft the naming convention of the files to relate to the context of the chat history."

The VBA script serves as a conduit to fetch the legitimate AutoIt application (AutoIt3.exe) and an associated AutoIt script responsible for launching the DarkGate malware.

An alternate attack sequence involves the attackers sending a Microsoft Teams message containing a ZIP archive attachment bearing an LNK file that, in turn, is designed to run a VBA script to retrieve AutoIt3.exe and the DarkGate artifact.

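The delivery chain in the paragraphs above (IM message, a script loader posing as a PDF, then AutoIt3.exe launched with an .au3 script) gives a defender a concrete process lineage to hunt for. The following is an added example, not code from the article or from Trend Micro: it runs a few lineage heuristics over constructed process-creation events. The event format, the paths and file names, and the assumption that the "PDF" loader carries a double extension such as `.pdf.vbs` are mine, not details from the report.

```python
"""Hunt for the DarkGate-style delivery chain over process-creation telemetry.

Added example; the events below are constructed and the field layout is an
assumption about what an EDR or Sysmon event-ID-1 export would provide.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Assumption (not stated in the article): the loader that "masquerades as a
# PDF" is a script file with a double extension such as Quote.pdf.vbs.
PDF_LOOKALIKE = re.compile(r'\.pdf\.(vbs|vbe|js|jse|wsf)(?=["\s]|$)', re.IGNORECASE)
AU3_ARG = re.compile(r'\.au3(?=["\s]|$)', re.IGNORECASE)
# Directories a standard user can write to; AutoIt3.exe normally lives under
# Program Files when it is a legitimate developer install.
USER_WRITABLE = re.compile(r'[a-z]:\\(users|programdata|windows\\temp)\\', re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str  # basename of the parent process
    image: str         # full path of the created process
    cmdline: str       # command line as logged


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(ev: ProcEvent) -> List[str]:
    """Return the suspicious traits found on a single event (empty if benign)."""
    findings: List[str] = []
    image = basename(ev.image)
    parent = ev.parent_image.lower()

    # Stage 1: a Windows script host opening a file named like a PDF.
    if image in SCRIPT_HOSTS and PDF_LOOKALIKE.search(ev.cmdline):
        findings.append("script_host_opened_pdf_lookalike")

    # Stage 2: AutoIt3.exe is legitimate on its own; the signal is where it
    # runs from and who launched it.
    if image == "autoit3.exe":
        if parent in SCRIPT_HOSTS:
            findings.append("autoit_spawned_by_script_host")
        if USER_WRITABLE.match(ev.image):
            findings.append("autoit_in_user_writable_path")
        if AU3_ARG.search(ev.cmdline) and USER_WRITABLE.search(ev.cmdline):
            findings.append("au3_script_in_user_writable_path")
    return findings


def hunt(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map event index -> findings, keeping only events with at least one hit."""
    return {i: f for i, ev in enumerate(events) if (f := assess(ev))}


# Constructed telemetry: two events mimicking the chain, two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe",
              r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Quote_Oct.pdf.vbs"'),
    ProcEvent("wscript.exe",
              r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe",
              r'"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe" "C:\Users\alice\AppData\Local\Temp\script.au3"'),
    ProcEvent("explorer.exe",
              r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
              r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" "C:\Tools\build.au3"'),
    ProcEvent("explorer.exe",
              r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
              r'"C:\Program Files\Adobe\Acrobat\Acrobat.exe" "C:\Users\alice\Downloads\Quote_Oct.pdf"'),
]

if __name__ == "__main__":
    for idx, traits in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, traits)
```

The developer install of AutoIt under Program Files and the real PDF opened by Acrobat produce no findings, which is the point of keying on lineage and location rather than on the AutoIt3.exe file name alone. Events 0 and 1 together (a script host opening a PDF look-alike, then the same host spawning AutoIt from Temp) are the pairing worth correlating in a SIEM rule.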
"Cybercriminals can use these payloads to infect systems with various types of malware, including info stealers, ransomware, malicious and/or abused remote management tools, and cryptocurrency miners," the researchers said.

"As long as external messaging is allowed, or abuse of trusted relationships via compromised accounts is unchecked, then this technique for initial entry can be done to and with any instant messaging (IM) apps."

Originally published by the WeChat official account 知机安全: DarkGate Malware Spreads Disguised as PDF Files

Reposted by CN-SEC (Chinese site): http://cn-sec.com/archives/2119252.html
