From July through September, we noticed the DarkGate campaign (detected by Trend Micro as TrojanSpy.AutoIt.DARKGATE.AA) exploiting instant messaging systems to transmit a VBA loader script to victims. This script downloaded and executed a second-stage payload consisting of an AutoIT script containing the DarkGate malware code. It’s unclear how the original accounts of the instant messaging apps were hijacked.
DarkGate has been somewhat inactive in recent years. However, additional campaign deployments have been spotted this year, as reported by Truesec and Malwarebytes. We found that the majority of DarkGate attacks were detected in the Americas region, followed by Asia, the Middle East, and Africa.