DarkGate via Skype: The Malware Abusing Trusted Platforms
Threat Intelligence
DarkGate operators pivoted from email to Skype and Microsoft Teams in 2023, exploiting implicit trust in enterprise messaging platforms to deliver an AutoIT-based loader capable of RDP abuse and credential theft.
By Arjun Raghavan, Security & Systems Lead, BIPI · September 9, 2024 · 9 min read
DarkGate has been advertised on Russian-language cybercrime forums since 2017, but for most of its existence it was a niche tool used by a small number of operators. In mid-2023, its author opened it to a wider affiliate model, and almost immediately researchers observed a significant spike in DarkGate infections sourced from an unexpected vector: direct messages sent via Skype and Microsoft Teams.
Why Messaging Platforms
Email security has matured to the point where most commodity malware attachments are blocked or quarantined before reaching the inbox. Enterprise messaging platforms like Teams and Skype operate under different assumptions. Users are conditioned to expect files and links from colleagues, and platform-level attachment scanning has historically been less aggressive than email gateway inspection. Additionally, messages arriving from a compromised colleague account carry implicit organizational trust that a cold phishing email cannot replicate.
- Skype vector: attacker compromises a Skype account (often via credential stuffing) and sends malicious .vbs or .zip files to contacts
- Teams external access vector: attacker creates a tenant impersonating a vendor and uses Teams external access to message targets
- Teams internal vector (rarer): attacker with existing foothold sends malicious files from a compromised employee account
- Both vectors bypass email gateway scanning entirely; files traverse messaging platform infrastructure
AutoIT Loader and Execution Chain
The DarkGate payload delivered via Skype and Teams is most commonly a .vbs script or a .zip containing an AutoIT-compiled executable. AutoIT is a legitimate Windows automation scripting language that produces standard PE executables, making it difficult to distinguish from legitimate enterprise tooling by hash or file type alone. The AutoIT script unpacks the DarkGate core DLL from an encrypted resource, decrypts it using a key derived from the system's hardware profile, and injects it into a legitimate host process.
- Victim receives file via Skype or Teams from a known or impersonated contact
- File is a .vbs script or AutoIT-compiled .exe named to suggest legitimate software
- Execution triggers AutoIT runtime (if .au3) or the compiled binary directly
- DarkGate core DLL extracted from encrypted resource, injected into svchost.exe or explorer.exe
- DarkGate establishes C2 via HTTPS to a hardcoded domain, sends system fingerprint
- Operator initiates RDP session tunneled through DarkGate or deploys additional tools
DarkGate's RDP tunneling capability lets operators work interactively on a victim's desktop without opening a firewall port. The tunnel rides the established C2 HTTPS connection, making it invisible to perimeter controls that only inspect north-south traffic.
DarkGate Capabilities
- Remote desktop access (tunneled over C2 HTTP/S)
- Credential harvesting: browser-saved passwords, Windows Credential Manager
- Keylogging and clipboard monitoring
- Crypto wallet file theft (specific targeting of MetaMask, Exodus, Electrum)
- Cryptocurrency miner deployment (XMRig, modular via plugin system)
- Reverse proxy for lateral movement
- Persistence via scheduled task and HKCU Run key
Detection
- Alert on AutoIT3.exe or compiled AutoIT binaries executing from user-writable paths (Downloads, Temp, AppData)
- Process: Teams.exe or Skype.exe spawning child processes other than edge.exe/browser processes is anomalous
- Network: DarkGate C2 uses HTTP with a distinctive URI pattern; community signatures available from Emerging Threats
- Registry: DarkGate persistence uses HKCU\Software\Microsoft\Windows\CurrentVersion\Run with random key names
- Hunt for svchost.exe with a parent process other than services.exe
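The three process-level heuristics above (AutoIT from a user-writable path, a messaging client spawning a non-browser child, svchost.exe with an unexpected parent), as an added example that is not the article's own code, run over constructed Sysmon-style process-creation records. Field names follow Sysmon Event ID 1 (Image, ParentImage, OriginalFileName); the OriginalFileName check assumes the compiled binary still carries AutoIT's version resource, and the ms-teams.exe name covers the newer Teams client.

```python
import re
from pathlib import PureWindowsPath

# User-writable locations named in the Detection section.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData)\\", re.IGNORECASE)
MESSAGING_PARENTS = {"teams.exe", "ms-teams.exe", "skype.exe"}
BROWSER_CHILDREN = {"msedge.exe", "chrome.exe", "firefox.exe", "msedgewebview2.exe"}


def _name(path):
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the detection labels that apply to one process-creation event."""
    image, parent = _name(event["Image"]), _name(event["ParentImage"])
    hits = []
    # 1. AutoIT runtime, or a compiled script whose version resource still says
    #    AutoIt3.exe (assumption), launched from Downloads/Temp/AppData.
    is_autoit = image == "autoit3.exe" or event.get("OriginalFileName", "").lower() == "autoit3.exe"
    if is_autoit and USER_WRITABLE.search(event["Image"]):
        hits.append("autoit_from_user_writable_path")
    # 2. Teams/Skype spawning anything other than a browser process.
    if parent in MESSAGING_PARENTS and image not in BROWSER_CHILDREN:
        hits.append("messaging_client_unexpected_child")
    # 3. svchost.exe not started by services.exe (likely an injection host).
    if image == "svchost.exe" and parent != "services.exe":
        hits.append("svchost_unexpected_parent")
    return hits


def scan(events):
    """Map the index of each suspicious event to its labels; benign events are omitted."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}


# Constructed sample events mirroring the execution chain in this article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\Downloads\Invoice_Q3\AutoIt3.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\alice\Downloads\Invoice_Q3\AutoIt3.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], labels)
```

Only events 1 and 2 are flagged; Teams launching Edge and services.exe launching svchost.exe stay silent, which is the noise floor a real rule needs to keep.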
Remediation
- Restrict Teams external access to an allowlist of known partner domains
- Block .vbs, .vbe, .au3, and .a3x files from being received via Teams and Skype at the platform policy level
- Enable Microsoft Defender for Office 365 Safe Attachments for Teams (requires P1/P2 license)
- Audit all AutoIT-compiled binaries present on endpoints; block unknown AutoIT executables via AppLocker or WDAC
- Review all scheduled tasks and Run keys on any host where Teams or Skype spawned an unexpected child process