DarkGate Malware: The New Phishing Threat Lurking in Microsoft Excel Files

Jun 11, 2024 | Cybersecurity

In a concerning new development, a phishing campaign has been detected spreading the notorious DarkGate malware through innovative techniques designed to evade security filters. According to researchers at Cisco Talos, the malware’s covert spreading strategies, information-stealing capabilities, evasion tactics, and widespread impact are making it a significant threat to both individuals and organizations.

A New Phishing Campaign

The latest campaign involves malicious Excel documents attached to phishing emails. These emails are crafted to urge recipients to review the attached documents immediately, often under the guise of financial or official matters. The urgency and seeming legitimacy of these emails make them highly effective at compelling recipients to open the attachments.

“The DarkGate malware family is distinguished by its covert spreading techniques, ability to steal information, evasion strategies, and widespread impact on both individuals and organizations,” the researchers explain.

Infection Process

The infection process begins the moment the malicious Excel document is opened. These documents are not just ordinary files; they are specially crafted to employ a technique known as “Remote Template Injection.” This tactic triggers the automatic download and execution of malicious content hosted on a remote server, allowing the malware to infiltrate the system.

Cisco Talos researchers explain that Remote Template Injection is a lesser-known technique that leverages Excel’s legitimate functionality, wherein templates can be imported from external sources to enhance a document’s features. By exploiting this feature, attackers can bypass traditional security measures that might not scrutinize document templates as rigorously as executable files.

“Remote Template Injection is an attack technique that exploits a legitimate Excel functionality wherein templates can be imported from external sources to expand a document’s functions and features,” Cisco Talos says.

“By exploiting the inherent trust users place in document files, this method skilfully evades security protocols that may not be as stringent for document templates compared to executable files. It represents a refined tactic for attackers to establish a presence within a system, sidestepping the need for conventional executable malware.”
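Remote Template Injection works at the package level: an Office Open XML file (.xlsx, .docx, .pptx) is a ZIP archive whose `_rels/*.rels` parts declare relationships, and a relationship marked `TargetMode="External"` with a remote `Target` tells Office to fetch content from that location when the document opens. The following defender-side scanner is an added example, not code from Cisco Talos or from the article's author; it walks every relationships part in a document and rates external relationships by type, so that a remote `attachedTemplate` or `oleObject` relationship is flagged while ordinary hyperlinks (external by design, but only acted on by a click) are reported as informational. The article does not say which relationships part the campaign's documents used, so the scanner checks all of them; the sample workbook it builds is constructed for the demonstration, and placing the template relationship in `xl/_rels/workbook.xml.rels` with the placeholder URL `http://example.invalid/remote-template` is an assumption, not an observed indicator.

```python
"""Added example: flag Office Open XML documents whose package relationships
point at remote content, the mechanism behind remote template injection.
Defender-side scanner; not code from the Talos report or the article."""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# External relationships of these types are fetched and processed when the
# document opens; a remote target here is what makes template injection work.
HIGH_RISK_TYPES = {OFFICE_REL + "attachedTemplate", OFFICE_REL + "oleObject"}
# Hyperlinks are external by design and only act on a user click.
CLICK_ONLY_TYPES = {OFFICE_REL + "hyperlink"}
REMOTE_TARGET = re.compile(r"^(https?://|ftp://|file:|\\\\)", re.IGNORECASE)


def find_external_relationships(data: bytes) -> list:
    """Return one finding per external relationship found in any *.rels part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # A relationships part that will not parse deserves a look too.
                findings.append({"part": name, "type": "", "target": "", "severity": "medium"})
                continue
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype, target = rel.get("Type", ""), rel.get("Target", "")
                if rtype in HIGH_RISK_TYPES:
                    severity = "high"          # auto-fetched template or OLE payload
                elif rtype in CLICK_ONLY_TYPES:
                    severity = "info"          # plain hyperlink
                elif REMOTE_TARGET.match(target):
                    severity = "medium"        # some other part reaching off-host
                else:
                    severity = "low"           # external but local/relative target
                findings.append({"part": name, "type": rtype.rsplit("/", 1)[-1],
                                 "target": target, "severity": severity})
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when any relationship would pull remote content without a click."""
    return any(f["severity"] in ("high", "medium") for f in find_external_relationships(data))


def build_sample_workbook(remote_template: str = "") -> bytes:
    """Constructed minimal .xlsx package for testing; not a file from the campaign.
    The placement of the attachedTemplate relationship in workbook.xml.rels is an
    assumption made for this sample."""
    rels = [f'<Relationship Id="rId1" Type="{OFFICE_REL}worksheet" Target="worksheets/sheet1.xml"/>']
    if remote_template:
        rels.append(f'<Relationship Id="rId2" Type="{OFFICE_REL}attachedTemplate" '
                    f'Target="{remote_template}" TargetMode="External"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("_rels/.rels", f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
                    f'Type="{OFFICE_REL}officeDocument" Target="xl/workbook.xml"/></Relationships>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/_rels/workbook.xml.rels",
                    f'<Relationships xmlns="{RELS_NS}">{"".join(rels)}</Relationships>')
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        # An ordinary hyperlink: external, but benign and click-driven.
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels",
                    f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" Type="{OFFICE_REL}hyperlink" '
                    f'Target="https://www.example.com/" TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Scan a document given on the command line, or the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_workbook("http://example.invalid/remote-template")  # placeholder URL
    for f in find_external_relationships(data):
        print(f"[{f['severity']:6}] {f['part']}: {f['type']} -> {f['target']}")
    print("suspicious" if is_suspicious(data) else "no auto-fetched remote relationships")
```

Run it against a mail-gateway quarantine sample with `python scan_ooxml_rels.py suspect.xlsx`; a document that legitimately needs an external template is rare enough in most environments that a "high" finding is a reasonable block-and-review trigger, and the same check applies unchanged to .docx and .pptx packages.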

Continuous Evolution of DarkGate

DarkGate malware has continuously evolved, adopting new strategies to remain undetected. It was previously observed being distributed through Microsoft Teams and malvertising campaigns, and the latest shift from AutoIT to AutoHotKey scripting demonstrates the malware authors’ commitment to refining their methods and altering the infection chain.

Implications and Mitigation

The use of Remote Template Injection is particularly concerning because it takes advantage of the inherent trust users place in document files. This method skillfully evades many security protocols that are not as stringent for document templates compared to executable files. By doing so, attackers can establish a presence within a system without needing to deploy conventional executable malware.

To mitigate the risk posed by this new phishing campaign, organizations and individuals must adopt robust email security measures and educate users about the dangers of opening unsolicited attachments, even if they appear to come from trusted sources. Implementing advanced threat detection systems that can identify and block suspicious document activities, and keeping software and security protocols up to date, are also crucial steps in defending against such sophisticated malware threats.

Defending Against DarkGate Malware

This is a rather sophisticated attack vector that is best approached with a multi-layer security policy. As a premier Managed IT Service Provider, we suggest the following strategy:

First, you should subscribe to an email filtering solution. We’re huge fans of Barracuda Email Protection. Their filtering system handles millions of emails a day, so it doesn’t take long for a new phishing campaign to catch their attention. And it is constantly being updated during the subscription term, so you can expect new filters to be deployed ASAP. Barracuda also offers a fantastic solution for backing up your Microsoft 365 data, so you should strongly consider bundling both solutions.

Second, it’s important that your users be trained in spotting and avoiding phishing attacks. Security Awareness Training is critical to sidestepping any kind of cyberattack that slips through the cracks of any managed security solution.

Cisco Talos has the story.

Travis Fisher

Travis is Inacom’s Executive Vice President, tasked with assisting customers with their web based marketing initiatives. He’s kinda famous for his BBQ. He lives in Easton, MD with his amazing wife, two kids, and two dogs.
