Microsoft Teams Phishing Attack Pushes Darkgate Malware

Cyber Security Threat Summary:
A recent phishing scheme has exploited Microsoft Teams messages as a means to distribute harmful attachments that deploy the DarkGate Loader malware. This campaign commenced in late August 2023, as phishing messages originating from two compromised external Office 365 accounts were observed, targeting various organizations. These accounts were employed to deceive Microsoft Teams users into downloading and launching a ZIP file titled "Alterations to the holiday calendar." Upon clicking the attachment, it initiates the download of the ZIP file from a SharePoint URL, concealing an LNK file disguised as a PDF document within. Truesec researchers conducted an analysis of the Microsoft Teams phishing campaign and uncovered a malevolent VBScript within it, initiating a sequence of events that ultimately results in the deployment of the DarkGate Loader payload.

“To try and evade detection, the download process utilizes Windows cURL to fetch the malware's executable and script files.The script arrived pre-compiled, hiding its malicious code in the middle of the file, beginning with distinguishable "magic bytes" associated with AutoIT scripts. Before proceeding further, the script checks if the Sophos antivirus software is installed on the targeted machine, and if it's not, it deobfuscates additional code and launches the shellcode.The shellcode uses a technique called "stacked strings" to construct the DarkGate Windows executable and load it in memory” (BleepingComputer, 2023).

The recent campaign, noted by Truesec and Deutsche Telekom CERT, involves compromised Microsoft Teams accounts sending harmful attachments to other Teams organizations, echoing a method revealed in a June 2023 report by Jumpsec. Despite concerns, Microsoft recommended secure configurations but didn't directly address the issue. In July 2023, a Red Teamer released a tool to simplify this attack, although it's unclear if it's connected to the current campaign.

Security Officer Comments:
DarkGate, in circulation since 2017, has primarily been employed by a select group of cybercriminals, typically against specific targets. This potent malware boasts a wide range of malicious capabilities, such as hVNC for remote access, cryptocurrency mining, reverse shell, keylogging, clipboard theft, and data exfiltration (including files and browser data). In June 2023, ZeroFox reported that an individual claiming to be the original DarkGate author attempted to sell access to the malware to ten buyers for an exorbitant $100k/year. Subsequently, there have been numerous reports of DarkGate's increased distribution through various means like phishing and malvertising. While DarkGate hasn't become a widespread menace, its expanding target base and utilization of multiple infection methods make it an emerging threat worthy of close monitoring.

Suggested Correction(s):
Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask for sensitive data from its customers. If in doubt, users should verify with the company itself to avoid any potential issues.

Users should always take a close look at the sender’s display name when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.

As a general rule, users should not click links or download files even if they come from seemingly “trustworthy” sources.

Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering above it might show a different web address. In fact, users should avoid clicking links in emails unless they are certain that it is a legitimate link.

Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.

Users should not be frightened or intimidated by messages that have an alarmist tone. They should double check with the company if they are uncertain about the status of their accounts. Phishing emails are designed to be sent to a large number of people, so they need to be as impersonal as possible. Users should check whether the message contains a generic subject and greeting, as this can be a sign of a phishing attempt.

Although not every end user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages. One example is setting the email client to block all images unless approved.

Legitimate companies will never send confirmation emails unless there are specific reasons for doing so. In fact, most companies will avoid sending unsolicited messages unless it’s for company updates, newsletters, or advertising purposes.

Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.

It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt. If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.