Microsoft Teams phishing attack pushes DarkGate malware

Trending 5 months ago


A caller phishing run is abusing Microsoft Teams messages to nonstop malicious attachments that instal nan DarkGate Loader malware.

The run started successful precocious August 2023, erstwhile Microsoft Teams phishing messages were seen being sent by 2 compromised outer Office 365 accounts to different organizations.

These accounts were utilized to instrumentality different Microsoft Teams users into downloading and opening a ZIP record named "Changes to nan picnic schedule."

Phishing connection sent to targetsPhishing connection sent to targets (Truesec)

Clicking connected nan attachment triggers nan download of nan ZIP from a SharePoint URL and contains a LNK record masquerading arsenic a PDF document.

Researchers at Truesec analyzed nan Microsoft Teams phishing run and recovered that it contains malicious VBScript that triggers nan infection concatenation that leads to a payload identified arsenic nan DarkGate Loader.

To effort and evade detection, nan download process utilizes Windows cURL to fetch nan malware's executable and book files.

The book arrived pre-compiled, hiding its malicious codification successful nan mediate of nan file, opening pinch distinguishable "magic bytes" associated pinch AutoIT scripts.

Magicbytes conception successful nan malicious sciptMagicbytes conception successful nan malicious script (Truesec)

Before proceeding further, nan book checks if nan Sophos antivirus package is installed connected nan targeted machine, and if it's not, it deobfuscates further codification and launches nan shellcode.

The shellcode uses a method called "stacked strings" to conception nan DarkGate Windows executable and load it successful memory.

Payload detailsPayload details (Truesec)

Microsoft Teams phishing

The run seen by Truesec and Deutsche Telekom CERT utilizes compromised Microsoft Teams accounts to nonstop nan malicious attachments to different Teams organizations.

Microsoft Teams phishing was antecedently demonstrated successful a June 2023 report by Jumpsec, who discovered a measurement to nonstop malicious messages to different organizations done phishing and societal engineering, which is akin to what we spot successful nan reported attack.

Despite nan operation caused by this discovery, Microsoft decided not to reside nan risk. Instead, recommending that admins use safe configurations for illustration narrow-scoped allow-lists and disable outer entree if connection pinch outer tenants isn't needed.

A instrumentality that a Red Teamer released successful July 2023 streamlined this Microsoft Teams phishing attack, further expanding nan likelihood of it being abused successful nan wild. 

However, there's nary denotation that this method is progressive successful nan onslaught concatenation of nan precocious observed campaign.

DarkGate opens up

DarkGate has been circulating since 2017, seeing constricted usage by a mini circle of cybercriminals who utilized it against very circumstantial targets.

It is simply a potent malware that supports a wide scope of malicious activities, including hVNC for distant access, cryptocurrency mining, reverse shell, keylogging, clipboard stealing, and accusation stealing (files, browser data).

In June 2023, ZeroFox reported that personification claiming to beryllium nan original writer of DarkGate attempted to waste entree to nan malware to 10 group for nan absurd costs of $100k/year.

Forum station astir DarkGateForum station astir DarkGate (ZeroFox)

In nan pursuing months, location person been aggregate reports of DarkGate distribution ramping up and utilizing various channels, including phishing and malvertising.

While DarkGate whitethorn not beryllium a wide threat yet, its expanding targeting and take of aggregate infection avenues make it an emerging threat to show closely.