New DarkGate Malware Campaign Hits Companies Via Microsoft Teams

Get technical details about how this new attack campaign is delivered via Microsoft Teams and how to protect your company from this loader malware.

A computer screen with program code warning of a detected malware script program.
Image: James Thew/Adobe Stock

A new report from global cybersecurity company Truesec reveals a new attack campaign leveraging Microsoft Teams to infect companies’ users. While the motivation of the attacker remains unknown, this DarkGate loader malware could allow its perpetrator to go for financial gain or cyberespionage.

Jump to:

What is the DarkGate malware?

DarkGate is a loader malware written in Delphi; the goal is to enable the download and execution of other malware once it runs on an infected computer. The additional malware is downloaded directly in the memory on 32- and 64-bits architectures, which makes it harder to detect because it doesn’t reside on the file system.

Other mechanisms implemented in the malware makes it more difficult to analyze:

  • Anti-VM: The malware tests for known hardware/identifiers used in virtual machines.
  • Anti-Sandboxes: The malware checks for known identifiers used by sandbox software.
  • Anti-AntiVirus: Several antivirus products are being looked for.
  • Anti-debug: The malware often checks for a debugger attached to the process.
  • Disk space and memory checks: The malware can be set to only run with a minimum disk/memory size.

Depending on the results of all these checks, the malware might alter its behavior and possibly stop running.

DarkGate has persistence capabilities that can be enabled in its configuration. In that case, it stores a copy of itself on the hard drive and creates a registry key to be executed at reboot times.

Although DarkGate is mostly a loader for third-parties’ malware, it still has built-in capabilities.

  • Information gathering: DarkGate is able to query the system to get information about the currently logged-in user, running software, processes and more, which it sends to the C2 server. It can also collect files from the system and send it to the C2 server, as well as do screen captures.
  • Credentials theft: DarkGate is able to steal passwords and cookies from browsers, email software and other software such as Discord or FileZilla. To achieve that goal, the malware uses…