Hacked Skype accounts are being used to spread malware

BigTunaOnline / Shutterstock.com (Image credit: BigTunaOnline / Shutterstock.com)

Hackers are reportedly abusing compromised Skype accounts in an attempt to distribute the DarkGate malware.

In a new report, Trend Micro researchers claimed multiple Skype accounts had been  compromised and then used to share a VBA loader script attachment. The script’s file name was modified in such a way to have victims believe it’s a .PDF file, even though it was a .VBS one. 

Downloading and running the script downloads a second-stage AutoIT payload which contains the malicious DarkGate malware code.

Targeting Teams, too

"Access to the victim's Skype account allowed the actor to hijack an existing messaging thread and craft the naming convention of the files to relate to the context of the chat history," Trend Micro said, further adding that it wasn’t sure how the Skype accounts were compromised to begin with.

"It's unclear how the originating accounts of the instant messaging applications were compromised, however is hypothesized to be either through leaked credentials available through underground forums or the previous compromise of the parent organization."

Besides Skype, the hackers also tried the same with Microsoft Teams, the company’s other instant messaging and online collaboration platform. In this case, they targeted organizations whose Teams configurations allowed messages coming in from external users. 

DarkGate is a malware-as-a-service (MaaS), with a wide variety of features such as a concealed VNC, capabilities to bypass Windows Defender, a browser history theft tool, an integrated reverse proxy, a file manager, and a Discord token stealer. Ever since law enforcement agencies took down Quakbot this summer, there has been an uptick in the use of DarkGate, the researchers added. 

The malware was first reported in 2018, as using legitimate AutoIT files and mostly running multiple AutoIT scripts. According to Malpedia, a new version was released in May this year, and advertised on a Russian dark web forum.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.