DarkGate Archives

Hackers have designed fake Google Meet error pages to distribute info-stealing malware which can compromise all the data on a network.

It feels as though malicious websites are springing up on a daily basis, and with 12.8 million websites infected with malware, this is a fair assumption to make. The latest attack under the Ophtek spotlight centers around Google Meet, a videoconferencing service hosted online by Google. The threat uses fake connectivity errors to lure victims into inadvertently launching the malware on their own system. And with Google Meet having over 300 million active users every month, the chance of this campaign tripping people up is exceptionally high.

The Danger of Fake Google Meet Pages

Google Meet attack appears to be part of a wider hacking campaign known as ClickFix, which has also been identified using similar fake websites impersonating Google Chrome and Facebook. In all these cases, the objective of the campaign is to install info stealers onto infected PCs. Malware used in these attacks include DarkGate and Lumma Stealer.

Fake error messages are displayed in the web browsers of victims to indicate a connectivity issue with a Google Meet call. However, there is no Google Meet call taking place, it’s simply a ruse to deceive victims into following through on a malicious call-to-action. These ‘errors’ recommend copying a ‘fix’ and then running it in Windows PowerShell, an app commonly used to automate processes on a Microsoft system.

Unfortunately, rather than fixing the ‘error’ with Google Meet, the execution of this code within PowerShell simply downloads and installs the malware. Once installed, malware such as DarkGate and Lumma Stealer has the potential to search out sensitive data on your network, establish remote network connections, and transmit stolen data out of your network.

Victims are redirected to these malicious websites via phishing emails, which claim to contain instructions for joining important virtual meetings and webinars. The URLs used within the emails appear like genuine Google Meet links but take advantage of slight differences in the address to deceive recipients.

Protecting Yourself from Fake Google Meet Malware

The best way to stay safe in the face of the fake Google Meet pages (and similar attacks) is by being proactive and educating your staff on the threats of malicious websites. Accordingly, following these best practices gives you the best chance of securing your IT infrastructure:

Double Check URLs: malicious websites often mimic genuine ones to catch people off guard. Therefore, always verify any URL for anything unusual such as misspelled words or lengthened and unusual domain endings, before clicking them. This will minimize your risk of falling victim to phishing and malware attacks.
Use Browser Security Features: many browsers, such as Google Chrome, come with built-in security features which can block sites known to be harmful or detect suspicious downloads. If you have these protections enabled, and this is easily done through your browser settings, you can rest assured you’re putting a strong security measure in place.
Install Antivirus and Firewall Software: one of the simplest way to protect yourself is by installing antivirus and firewall software, which is often available for free in the form of AVG and Kaspersky. This software can not only detect malware, but also block it before it reaches your system, so it can be considered a very strong form of defense.

For more ways to secure and optimize your business technology, contact your local IT profes sionals.

A new threat actor has spent the last few months ramping up attacks involving the DarkGate and NetSupport malware, and this is set to increase further.

The name of this new threat actor is BattleRoyal, and between September and November 2023, they launched numerous attacks. These attacks featured the DarkGate and NetSupport malware, both powerful strains of malware. DarkGate employs multiple malicious activities such as keylogging, data theft, and cryptocurrency mining. Meanwhile, NetSupport – which is a legitimate application – is being exploited and repurposed as a remote access trojan, which gives threat actors unauthorized access to IT systems.

DarkGate and NetSupport both have the potential to cause great damage to your IT infrastructure and the security of your data. This means you need to know how to identify and deal with them.

BattleRoyal’s Malware Campaign

BattleRoyal appears to have launched its first wave of attacks in September 2023. This campaign involved email techniques to unleash the DarkGate malware on unsuspecting victims. At least 20 instances of this attack have been recorded, but it’s highly likely that more users were infected. Perhaps due to the noise that DarkGate was creating, BattleRoyal quickly switched its choice of weaponry to NetSupport in November. As well as using email campaigns to spread NetSupport, BattleRoyal also employed malicious websites and fake updates to infect PC users.

DarkGate is also notable for taking advantage of a vulnerability located in Windows SmartScreen. The main objective of SmartScreen is to protect users from accessing malicious websites. However, BattleRoyal were able to work around this by using a special URL which, due to the vulnerability in SmartScreen, gave users access to a malicious website. Clearly a sophisticated threat actor, BattleRoyal had discovered this vulnerability – logged as CVE-2023-36025 – long before Microsoft acknowledged its existence.

How to Stay Safe from BattleRoyal

Microsoft has since launched a security patch to combat the CVE-2023-36025 vulnerability, and installing this remains the surest way to combat the activity of DarkGate. However, given that BattleRoyal has used a multi-pronged attack, with NetSupport being used to download further malware, you can’t rely on patches alone. Vigilance, as ever, is vital. Therefore, you need to practice these best security tips to prevent any infections:

Beware of phishing emails: one of the most popular ways to breach the defenses of IT infrastructures involves phishing emails. Not only can these emails be used to steal confidential information through social engineering techniques, but they can also be used to direct recipients towards malicious websites and files. Therefore, it’s important that everyone in your organization can identify phishing emails.
Always install updates: although BattleRoyal was able to identify the SmartScreen vulnerability before the availability of a patch, this doesn’t mean you should minimize the importance of updates. All updates should be installed as soon as they’re available, activating automatic updates is the best way to guarantee that your defenses are fully up-to-date.
Use security software: reputable security software is one of the simplest, yet most effective ways to protect your IT systems against malware. Capable of identifying and removing malware before it’s activated, anti-malware tools should be an essential part of your IT defenses. As well as carrying out automatic scans of your system, many of these security suites feature screening tools to warn against malicious websites and emails.

For more ways to secure and optimize your business technology, contact your local IT professionals.

LinkedIn Used to Spread DarkGate Malware

authenticator app, Corsair, DarkGate, Linkedin, malware, malware-as-a-service, Ophtekauthenticator app, Corsair, DarkGate, Linkedin, malware, malware-as-a-service, OphtekOphtek, LLC

Dec 2023

The threat of malware strikes the business world again, and this time it’s using LinkedIn to trick users into downloading the DarkGate malware.

LinkedIn is designed to help professionals connect with each other and build professional relationships. It’s proven to be wildly popular, with 950 million members currently registered on the platform.

But where there are huge numbers of users, there will also be large amounts of data. And this data is like catnip to threat actors. This is why fake LinkedIn posts have started appearing on the platform. These posts, as well as a campaign of direct messages, are far from informative for the users of LinkedIn. Instead, they are being used to trick LinkedIn users, primarily those who hold positions within the social media niche, to download malware.

Unveiling the Essentials of DarkGate on LinkedIn

Security experts have been aware of DarkGate since 2017, but it was considered a low-level threat due to its limited activity in the digital wild. However, this changed in June 2023, when its creator began selling it as Malware-as-a-Service package. Since then, a campaign using DarkGate has been launched by threat actors, believed to be working in Vietnam, which targets LinkedIn users.

Mostly, these users have consisted of social media managers operating in the US, the UK, and India. Using LinkedIn posts, or sending direct messages to targets, the threat actors propose that a job offer at Corsair is on the table. LinkedIn is a highly popular recruitment tool, so there’s nothing out of the ordinary with these initial contacts. However, the targets are encouraged into downloading malicious documents, such as a Word document containing a job description and a text file discussing salary details.

Within these documents are malicious links. Once clicked, these links lead to a series of scripts being launched which are used to build DarkGate. The malware’s first move is to start uninstalling security tools located on the infected system. DarkGate’s next step is to begin harvesting data from the compromised system. In particular, DarkGate appears to be targeting login credentials for Facebook business accounts, hence the focus on social media managers.

Protecting Your Credentials from DarkGate

If you’re a social media manager and regularly log on to LinkedIn, the advice is simple: stay away from any links relating to job offers for Corsair. Unfortunately, the threat actors are likely to change the details of their attack now that it’s started generating headlines. Nonetheless, you can still do the following to protect your credentials:

Never click unsolicited links: it’s important to be vigilant against unsolicited links, especially when they’re found in unsolicited direct messages. If you do receive direct messages, or even emails, containing unsolicited links, it’s best to delete them and block the sender.
Install all updates: clicking a malicious link can help threat actors exploit vulnerabilities within your PC, so you need to minimize the number of vulnerabilities which are present. The best way to achieve this is by always installing updates when prompted or making sure that automatic updates are activated.

Use an authenticator app: both LinkedIn and Facebook allow you to use an authenticator app to provide a further layer of security to your credentials. Most commonly, the sites in question will require you, after entering your login credentials, to enter a unique code generated by the app. This means that, if your login credentials are compromised, they will be next to useless to threat actors.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Fake Google Meet Pages Used to Spread Malware

DarkGate and NetSupport Malware is Surging

LinkedIn Used to Spread DarkGate Malware

Tag Archives: DarkGate