“The DarkGate malware was developed in 2017 and traded as MaaS (Malware-as-a-Service). The campaign has made headlines recently after being discovered in chat groups on Microsoft Teams, which has 280 million users per month. While the DarkGate Loader was originally distributed via phishing emails, last year attackers evolved their attack methodology and started to exploit several cloud services for distribution. This is not the first time it’s been active in Microsoft Teams – in August last year DarkGate used Teams to deliver its payload (which was hosted on a Microsoft SharePoint site).
The important thing to note is that this latest development is completely in line with the wider trend of threat actors using cloud applications at multiple points within the kill chain of their attack. Cloud applications enable a flexible malicious payload, and a flexible cloud infrastructure to deliver it. 46% of malware was delivered from the cloud in December 2023, so it is no surprise that threat actors constantly seek out an increasingly complex attack chain in which multiple legitimate services are chained with the sole purpose of luring the victims into downloading the malicious payload, and of evading the legacy web (and email) security technologies that are not instance-aware, not suited to inspect SSL traffic at scale, and hence blind to the context.
Organisations must ensure cloud security is at the top of their list for tactical security priorities for 2024, because attackers are going to continue to take advantage of any security gaps.”
Paolo Passeri, Cyber Intelligence Specialist at Netskope