The DarkGate malware is being delivered through instant messaging apps, including Skype and Microsoft Teams. The messages carry a Visual Basic for Applications (VBA) loader script disguised as a genuine PDF. Once opened, the script starts a chain of stages that ends with the DarkGate malware running on the host. How the messaging accounts were initially compromised remains unknown, although stolen credentials and earlier breaches of the senders' parent organizations are the leading suspects. DarkGate, active since 2018, has capabilities ranging from harvesting browser data to taking full control of infected hosts. The rise in DarkGate activity coincides with its advertisement on underground forums and its rental as malware-as-a-service.
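As an added illustration of the lure described above (not code from the original report or from any vendor), the following Python checks a constructed feed of messaging-app attachment events for script files posing as PDFs; the pipe-separated event format, the sender addresses and the file names are all hypothetical sample data.

```python
from dataclasses import dataclass

# Constructed sample of attachment events (hypothetical format:
# app | sender | declared content type | file name as shown to the user).
SAMPLE_EVENTS = """\
Teams | vendor-contact@example.test | application/pdf | Invoice_Q3.pdf
Skype | old-partner@example.test | application/pdf | Delivery-Notice.pdf.vbs
Teams | colleague@example.test | text/plain | notes.txt
Teams | supplier@example.test | application/pdf | Statement.PDF .vbs
Skype | hr-team@example.test | application/pdf | Policy.pdf.vba
Skype | support@example.test | application/pdf | Update.vbs
"""

# Windows script-host extensions that a loader script would actually run as.
SCRIPT_EXTS = {"vbs", "vba", "vbe", "js", "jse", "wsf", "hta"}
MESSAGING_APPS = {"Teams", "Skype"}

@dataclass
class Finding:
    app: str
    sender: str
    filename: str
    reason: str

def classify_attachment(declared_type, filename):
    """Return a reason string if the attachment looks like a script posing as a PDF, else None."""
    parts = filename.lower().split(".")
    last_ext = parts[-1].strip() if len(parts) > 1 else ""
    if last_ext not in SCRIPT_EXTS:
        return None
    # Inner ".pdf" (possibly padded with spaces) is the double-extension lure.
    if "pdf" in [p.strip() for p in parts[1:-1]]:
        return "script with '.pdf' inner extension"
    if declared_type == "application/pdf":
        return "script delivered with PDF content type"
    return "script attachment via messaging app"

def parse_events(text):
    events = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) == 4:
            events.append(tuple(fields))
    return events

def find_disguised_scripts(text):
    findings = []
    for app, sender, declared_type, filename in parse_events(text):
        if app not in MESSAGING_APPS:
            continue
        reason = classify_attachment(declared_type, filename)
        if reason:
            findings.append(Finding(app, sender, filename, reason))
    return findings
```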
AvosLocker’s Expanding Horizons in Critical Infrastructure Assaults
The AvosLocker ransomware gang's footprint in attacks on US critical infrastructure sectors has grown, with incidents reported as recently as May 2023. According to a joint cybersecurity advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, the ransomware-as-a-service (RaaS) operation is sophisticated in its tradecraft. By relying on legitimate software and open-source tools, AvosLocker blends in with normal activity, making attribution difficult. The ransomware, first seen in 2021, is adept at evading detection and affects Windows, Linux, and VMware ESXi environments.
Notably, AvosLocker favors open-source tooling and uses utilities such as FileZilla and Rclone for data transfer. It draws on a wide range of tools for different tasks, from credential theft with Lazagne and Mimikatz to lateral movement with custom scripts. A new addition to its arsenal is an executable that masquerades as a network monitoring tool but acts as a reverse proxy, giving the operators an external connection into the victim's network.
With ransomware attacks escalating in 2023, operators are deploying their payloads faster after initial access. The likely motivation for this speed is evading detection, since slower operations risk exposure. Simple, rapid strategies are becoming the norm, pushing elaborate, enterprise-wide encryption campaigns into the background.
The latest telemetry from Microsoft underscores the gravity of the ransomware menace. Most victims of human-operated ransomware are smaller organizations, with a substantial spike in such attacks reported over the past year. The ransomware landscape has seen a surge in new operators, and despite efforts to curb their proliferation, they continue to thrive.
Mitigations and Preventive Measures
To counter these threats, CISA and the FBI recommend a range of protective measures: adopting application controls, minimizing RDP usage, restricting PowerShell, enforcing phishing-resistant multi-factor authentication, and maintaining regular offline backups. Microsoft's telemetry underscores the need for a comprehensive security strategy, since ransomware operators are increasingly exploiting lesser-known software vulnerabilities, making anticipation and defense harder.
With cybercriminals constantly evolving and adapting, the challenge for organizations is greater than ever. The brazenness of ransomware gangs, combined with the ingenuity of malware such as DarkGate, illustrates the hurdles the cybersecurity community faces. Staying a step ahead requires vigilant monitoring, continuous adaptation, and a sustained commitment to safeguarding digital assets.