Microsoft Teams Phishing Pushes DarkGate Malware Via Group Chats


AT&T's cybersecurity research team has uncovered a new wave of phishing attacks that abuse Microsoft Teams group chat requests to distribute malicious attachments designed to infect targeted systems with DarkGate malware. In total, attackers have used what appears to be a compromised Teams user (or domain) to send over 1,000 malicious group chat invites to unsuspecting users. Individuals who accept the request are then tricked into downloading a malicious file carrying two extensions ('.pdf.msi'), which, once executed, reaches out to a C2 server to retrieve DarkGate.

Security Officer Comments:
Microsoft Teams has approximately 280 million monthly users, making it a popular platform for actors to distribute payloads like DarkGate. The double extension used in the latest campaign is an effort to trick users into thinking they are simply downloading a PDF file when in reality an MSI installer is executed once they open it.
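The double-extension trick described above is easy to catch mechanically at a mail or chat attachment gateway: the extension the user reads ('.pdf') is not the extension Windows acts on ('.msi'). The following Python is an added example, not code from the original report or from AT&T's research; the extension lists and the sample attachment names are constructed assumptions for illustration, and the trailing-dot handling assumes Windows' behaviour of stripping trailing dots and spaces from a filename when it is written to disk.

```python
"""Flag attachment names that hide an executable extension behind a
document-looking one (e.g. 'invoice.pdf.msi').  Added example, not from the
original report; extension lists are assumptions to tune per organisation."""
import os
from dataclasses import dataclass

# Extensions a user reads as "just a document/image" (assumption).
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                    "txt", "jpg", "jpeg", "png"}
# Extensions Windows executes or installs when opened (assumption).
EXECUTABLE_EXTENSIONS = {"msi", "msix", "exe", "scr", "com", "bat", "cmd",
                         "js", "jse", "vbs", "vbe", "hta", "ps1", "lnk"}


@dataclass
class Verdict:
    filename: str
    severity: str   # "none", "medium" (bare executable), "high" (decoy + executable)
    reason: str


def normalize_windows_name(name: str) -> str:
    # Windows drops trailing dots and spaces on file creation, so
    # 'report.pdf.msi.' lands on disk as 'report.pdf.msi' (assumed behaviour).
    return name.rstrip(". ").lower()


def extension_chain(name: str) -> list:
    # 'report.pdf.msi' -> ['pdf', 'msi']; a name without a dot -> [].
    base = os.path.basename(normalize_windows_name(name))
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def assess_filename(name: str) -> Verdict:
    exts = extension_chain(name)
    if not exts:
        return Verdict(name, "none", "no extension")
    real = exts[-1]                      # the extension the OS acts on
    if real not in EXECUTABLE_EXTENSIONS:
        return Verdict(name, "none", f"final extension '.{real}' is not executable")
    decoys = [e for e in exts[:-1] if e in DECOY_EXTENSIONS]
    if decoys:
        return Verdict(name, "high",
                       f"decoy '.{decoys[-1]}' hides executable '.{real}'")
    return Verdict(name, "medium", f"executable attachment '.{real}'")


def flagged_attachments(names, minimum="medium"):
    """Return the verdicts at or above the given severity for a batch of names."""
    rank = {"none": 0, "medium": 1, "high": 2}
    return [v for v in map(assess_filename, names) if rank[v.severity] >= rank[minimum]]


# Constructed sample attachment names (not real campaign artefacts).
SAMPLE_ATTACHMENTS = [
    "Quarterly results.pdf",
    "Org changes 2024.pdf.msi.",     # trailing dot as a user might type it
    "PHOTO.JPG.EXE",
    "setup.msi",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for v in flagged_attachments(SAMPLE_ATTACHMENTS):
        print(f"{v.severity:6} {v.filename!r}: {v.reason}")
```

Running the block over the constructed list flags the two decoy names as high severity and the bare installer as medium, while the genuine PDF and the tarball pass; in practice the decoy and executable sets should be tuned to the file types an organisation actually exchanges, and a "high" verdict is a good candidate for blocking rather than merely warning.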

Since the disruption of the Qakbot botnet in August of last year, malware like DarkGate has gained traction within the cybercriminal community, as it comes with various capabilities such as the ability to bypass Windows Defender, steal data from browsers, and steal tokens from platforms like Discord. While previous DarkGate infections involved sending messages via external Office 365 and Skype accounts, the use of Teams in the latest campaign shows that actors are looking for alternative vectors to compromise more victims.

Suggested Corrections:
Organizations should focus on training their employees on how to detect and avoid different phishing lures employed by threat actors. Holding regular tabletop exercises can help enhance overall employee awareness and deter potential threats before impact.