Craig Pepper
October 16, 2023

Threat Report 16.10.23

DarkGate Malware Spreading via Messaging Services Posing as PDF Files

The DarkGate malware is making its rounds through messaging services like Skype and Microsoft Teams, disguising itself as innocuous PDF files. In these attacks, a Visual Basic for Applications (VBA) loader script, camouflaged as a PDF document, is delivered via messaging apps. Once opened, it triggers the download and execution of an AutoIt script, launching the DarkGate malware.

The origin of the compromised instant messaging accounts remains unclear, but hypotheses point to leaked credentials available on underground forums or a potential compromise of the parent organisation. DarkGate, initially documented by Fortinet in November 2018, is a versatile malware with features ranging from data harvesting to cryptocurrency mining and remote control.

Recent social engineering campaigns distributing DarkGate have seen a surge, utilising tactics like phishing emails and search engine optimization (SEO) poisoning. Microsoft Teams chat messages are now a propagation vector, indicating a broader use by various threat actors. Most attacks have been detected in the Americas, followed closely by Asia, the Middle East, and Africa.

The attackers cleverly leverage trusted relationships between organisations, deceiving recipients into executing attached VBA scripts. The VBA script acts as a conduit to fetch legitimate applications, leading to the launch of DarkGate. Cybercriminals utilising this method can infect systems with various types of malware, emphasising the need for vigilance in messaging app security.
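A defender-side triage check for the lure described above (a script loader delivered under a PDF-looking name). This is an added example, not code from the report or from any vendor; the file names, contents and marker patterns are constructed assumptions used to illustrate the three mismatches worth flagging: a double extension ending in a script type, a .pdf name without the PDF header, and script-like content.

```python
"""Flag attachments that claim to be PDFs but look like script loaders.

Constructed example for the DarkGate delivery chain: a VBA/VBScript loader
sent through a messaging app under a PDF-looking file name.
"""
from __future__ import annotations
import re

PDF_MAGIC = b"%PDF-"
# Script/launcher extensions a loader could hide behind a ".pdf." prefix (assumed list).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk", ".au3"}
# Tokens typical of a VBScript/VBA-style loader (assumed heuristic, case-insensitive).
VBA_MARKERS = re.compile(rb"(createobject|wscript\.shell|sub\s+\w+\s*\(|powershell)", re.I)

def classify(name: str, content: bytes) -> list[str]:
    """Return the reasons a file should be held for review; empty list means clean."""
    reasons: list[str] = []
    lower = name.lower()
    # 1. Double extension such as "report.pdf.vbs": the visible part says PDF,
    #    the real extension is a script type that the shell will execute.
    m = re.search(r"\.pdf\.([a-z0-9]+)$", lower)
    if m and "." + m.group(1) in SCRIPT_EXTS:
        reasons.append("double extension: pdf + script")
    # 2. Ends in .pdf but the bytes do not start with the PDF header.
    if lower.endswith(".pdf") and not content.startswith(PDF_MAGIC):
        reasons.append("pdf extension without %PDF header")
    # 3. Script-like content in the first 4 KiB, regardless of the name.
    if VBA_MARKERS.search(content[:4096]):
        reasons.append("script/loader markers in content")
    return reasons

SAMPLES = {  # constructed inputs, not real campaign artifacts
    "quarterly_report.pdf": b"%PDF-1.7\n%constructed benign document\n",
    "quarterly_report.pdf.vbs": b'Set sh = CreateObject("WScript.Shell")\nsh.Run "notepad"\n',
    "invoice.pdf": b"Sub AutoOpen()\n  ' constructed loader stub\nEnd Sub\n",
}

def triage(samples: dict[str, bytes] = SAMPLES) -> dict[str, list[str]]:
    """Classify every sample and map file name -> list of reasons."""
    return {name: classify(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, reasons in triage().items():
        print(f"{name}: {'OK' if not reasons else '; '.join(reasons)}")
```

Run it against a quarantine folder by replacing SAMPLES with the real names and first bytes of each file; anything with a non-empty reason list is a candidate for manual review rather than delivery.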

Risks and Recommendations Summary:

Risks:

  • Compromised Credentials: The unclear origin of compromised messaging accounts suggests potential risks from leaked credentials on underground forums.
  • Social Engineering Surge: The surge in social engineering campaigns, employing phishing and SEO tactics, poses a significant risk to unsuspecting users.
  • Geographical Impact: The majority of detected attacks in the Americas, Asia, the Middle East, and Africa indicate a global impact.

Recommendations:

  • Enhanced Credential Security: Strengthening credential security and adopting multi-factor authentication can mitigate the risk of compromised accounts.
  • User Awareness Training: Educate users about the dangers of social engineering tactics, emphasising cautious behaviour when interacting with messaging apps.
  • Global Vigilance: Implement global threat monitoring and response strategies to address the widespread geographical impact.

Microsoft Defender Thwarts Large-Scale Akira Ransomware Attack

Microsoft revealed that its user containment feature in Microsoft Defender for Endpoint successfully thwarted a "large-scale remote encryption attempt" by Akira ransomware actors targeting an industrial organisation in early June 2023. The threat intelligence team at Microsoft is actively tracking the operator identified as Storm-1567.

The attack strategy involved leveraging devices not onboarded to Microsoft Defender for Endpoint, a tactic aimed at evading defence measures. The attackers conducted reconnaissance and lateral movement activities before encrypting devices using a compromised user account. The automatic attack disruption capability, however, prevented breached accounts from accessing endpoints and other network resources.

In essence, this feature aims to sever all inbound and outbound communication, restricting human-operated attacks from moving laterally within the network. Microsoft also reported the disruption of lateral movement attempts against a medical research lab in August 2023, where attackers reset the password for a default domain administrator account.

"Highest privileged user accounts are arguably the most important assets for attackers," states Microsoft. "Identifying and containing these compromised user accounts prevents attacks from progressing, even if attackers gain initial access."

Risks and Recommendations Summary:

Risks:

  • Unprotected Devices: Attacks exploiting devices not onboarded to Microsoft Defender pose a significant risk to organisations.
  • Compromised User Accounts: The use of compromised user accounts for lateral movement underscores the importance of securing privileged accounts.

Recommendations:

  • Comprehensive Onboarding: Ensure all devices are onboarded to Microsoft Defender for Endpoint to eliminate vulnerabilities from unprotected devices.
  • Privileged Account Management: Implement robust privileged account management to detect and contain compromised accounts swiftly.

Robinhood Users Beware: Hackers Exploit Accounts in Cash-Out Scams

Hackers are actively targeting users of Robinhood, the popular online brokerage platform, with the intention of pilfering customer funds. A review conducted by 404 Media on criminal forums and Telegram groups has revealed the extent of illicit activities surrounding these attacks.

Hackers are advertising compromised Robinhood accounts for sale, showcasing a criminal ecosystem involving various players offering specialised services. This ranges from acquiring email addresses and passwords to developers creating tools to intercept multi-factor authentication codes. Messages on fraud-focused Telegram groups reveal a sinister intent, with phrases like "Send me all yo Robinhoods. Instant cashout" and "cashing all Robin Hoods rn" being common.

Some fraudsters are selling "FA" (full access) Robinhood accounts for as little as $2 or $3, claiming access to over a hundred such accounts. These accounts may have been obtained through techniques like using configuration files to exploit reused passwords. The exploitation of the Robinhood feature that allows cryptocurrency trading makes these accounts particularly attractive targets.

Criminal communities are offering services to cash out compromised accounts, with some fraudsters charging a cut of 15 to 50 percent depending on the account balance. These actors are equipped with sophisticated tools, including one-time password bots that can circumvent Robinhood's security measures.

This situation raises significant concerns about the security of online financial accounts belonging to unsuspecting consumers. It underscores the importance of robust cybersecurity practices for both individuals and platforms like Robinhood.

Risks and Recommendations Summary:

Risks:

  • Compromised Account Availability: The open sale of compromised Robinhood accounts suggests a widespread risk of account compromise.
  • Cryptocurrency Exploitation: The targeting of accounts with cryptocurrency trading features poses a specific risk to users.

Recommendations:

  • Password Security: Emphasise the importance of strong, unique passwords and discourage the reuse of passwords across multiple accounts.
  • Multi-Factor Authentication: Encourage users to enable multi-factor authentication to add an additional layer of security to their accounts.
  • Platform Vigilance: Platforms like Robinhood should enhance monitoring and response mechanisms to detect and prevent such fraudulent activities.