Microsoft Teams conversations are being abused by a new phishing attempt to distribute malicious attachments that install the DarkGate Loader malware.
When two external Office 365 accounts were found to be hijacked and were detected sending Microsoft Teams phishing mails to other organisations, the campaign got underway in late August 2023.
These accounts were used as a ruse to get other Microsoft Teams users to download and open a ZIP file called "Changes to the vacation schedule."
When a user clicks on an attachment, a ZIP file from a SharePoint URL that contains an LNK file resembling a PDF document is downloaded.
The script first verifies that Sophos antivirus software is present on the target device; if it isn't, it launches the shellcode and deobfuscates additional code.
The Windows executable for DarkGate is built by the shellcode using a method known as "stacked strings" and loaded into memory.
The malicious attachments are sent to other Teams organisations by the campaign, as observed by Truesec and Deutsche Telekom CERT, using hacked Microsoft Teams accounts.
In a June 2023 report, Jumpsec cited an example of Microsoft Teams phishing. Jumpsec found a means to deliver malicious messages to other organisations via phishing and social engineering, which is comparable to this attack.
Microsoft chose not to address the risk despite the stir this finding created. It is advised that administrators use secure configurations instead, such as narrow-scoped allow-lists and disabling external access, if communication with external tenants is not required.
The chance of this Microsoft Teams phishing attack being utilised in the wild was increased by a tool that a Red Teamer provided in July 2023. The attack chain of the recently observed campaign does not appear to use this strategy, though.
Since its release in 2017, DarkGate has been employed cautiously by a select group of online criminals against specific targets.
hVNC for remote access, cryptocurrency mining, reverse shell, keylogging, clipboard theft, and information theft (files, browser data) are just a few of the harmful behaviours supported by this powerful malware.
According to a ZeroFox report from June 2023, ten people were offered access to DarkGate for the ludicrous price of $100,000 per year by a person claiming to be the original author of the software.
In the following months, there have been numerous reports of DarkGate distribution ramping up and employing a variety of vectors, including phishing and malvertising.
DarkGate is a growing threat that needs to be actively monitored even though it may not yet be a widespread threat due to its increased targeting and use of various infection channels.
