December 18, 2024
Severity
High
Analysis Summary
Microsoft Teams has been used in a recent social engineering campaign to spread the DarkGate malware. During a Microsoft Teams call, an attacker posed as a client of the targeted user in order to obtain remote access to the user's device.
The attacker was unable to get a Microsoft Remote Support application installed, but successfully directed the victim to download AnyDesk, a widely used remote access program. As researchers previously reported, the attack began with the target's email inbox being flooded with thousands of emails. The threat actors then approached the victim over Microsoft Teams, posing as an employee of an outside supplier.
After instructing the victim to install AnyDesk on their computer, the attacker used the remote access to deliver additional payloads, including the DarkGate malware and a credential stealer. DarkGate is a remote access trojan (RAT) that has been in use in the wild since 2018. It has since developed into a malware-as-a-service (MaaS) offering with a tightly controlled client base. Credential theft, keylogging, screen capture, audio recording, and remote desktop are just a few of its many features.
An examination of numerous campaigns over the previous 12 months shows that DarkGate is disseminated through two distinct attack chains, one using AutoIt scripts and the other AutoHotKey scripts. In the incident the researchers investigated, an AutoIt script was used to deliver the malware. Although the attempt was stopped before any data could be exfiltrated, the findings show that threat actors are spreading malware through a variety of initial entry points. To reduce the vishing risk, organizations should block unverified applications, allowlist authorized remote access tools, implement multi-factor authentication (MFA), and carefully vet third-party technical support providers.
The development coincides with an increase in phishing attempts that use a variety of gimmicks and lures to deceive victims into handing over their personal information. Threat actors are also known to quickly take advantage of world events by integrating them into their phishing efforts. They frequently exploit emotional responses and a sense of urgency to push victims into actions they would not otherwise take. Domain registrations containing event-specific keywords further support these campaigns.
High-profile international events, such as product launches and athletic championships, draw cybercriminals looking to take advantage of public excitement. They register fake domains that resemble legitimate websites in order to offer fraudulent services and sell counterfeit goods. Security teams can detect and neutralize these threats early by monitoring key indicators, including domain registrations, textual patterns, DNS anomalies, and change request trends.
Impact
- Unauthorized Access
- Identity Theft
- Credential Theft
- Keylogging
Indicators of Compromise
IP
- 179.60.149.194
MD5
- 28a5b7b44a0d1f67d125d5b768bc6398
SHA-256
- bb56354cdb241de0051b7bcc7e68099e19cc2f26256af66fad69e3d2bc8a8922
SHA-1
- f26b962d6fa77dd96a50709c33fbe68025926158
URL
- http://179.60.149.194:8080/fdgjsdmt
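The remediation steps below ask defenders to search their environment for these indicators. The following script, added here as an example and not part of the original advisory, shows one way to do that sweep: it carries the IP, URL and file hashes listed above, matches them against log lines with boundary-aware regexes (so a look-alike such as 179.60.149.19 or a longer hex string does not register as a hit), and hashes file contents with all three algorithms. The function names (`scan_logs`, `classify_hash`, `match_file_bytes`) and the proxy/firewall/EDR-style sample log lines are constructed for the example.

```python
import hashlib
import re

# Indicators of compromise exactly as published in the advisory above.
IOC_IPS = {"179.60.149.194"}
IOC_URLS = {"http://179.60.149.194:8080/fdgjsdmt"}
IOC_HASHES = {
    "md5": {"28a5b7b44a0d1f67d125d5b768bc6398"},
    "sha1": {"f26b962d6fa77dd96a50709c33fbe68025926158"},
    "sha256": {"bb56354cdb241de0051b7bcc7e68099e19cc2f26256af66fad69e3d2bc8a8922"},
}
HASH_ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}

# Token patterns with boundary checks, so that 179.60.149.19 or a longer hex
# string does not produce a false hit via a plain substring match.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HEX_RE = re.compile(
    r"(?<![0-9a-fA-F])([0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})(?![0-9a-fA-F])"
)


def classify_hash(digest: str):
    """Return the algorithm name if `digest` is a listed IOC hash, else None."""
    digest = digest.lower()
    algo = HASH_ALGO_BY_LENGTH.get(len(digest))
    if algo and digest in IOC_HASHES[algo]:
        return algo
    return None


def match_file_bytes(data: bytes) -> dict:
    """Hash file contents with all three algorithms and report any IOC match."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return {algo: d for algo, d in digests.items() if d in IOC_HASHES[algo]}


def scan_log_line(line: str) -> list:
    """Return (indicator_type, value) pairs for every advisory IOC found in one line."""
    hits = []
    lowered = line.lower()
    for url in IOC_URLS:
        if url.lower() in lowered:
            hits.append(("url", url))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for token in HEX_RE.findall(line):
        algo = classify_hash(token)
        if algo:
            hits.append((algo, token.lower()))
    return hits


def scan_logs(lines) -> dict:
    """Map line index -> hits for every line that contains at least one IOC."""
    results = {}
    for idx, line in enumerate(lines):
        hits = scan_log_line(line)
        if hits:
            results[idx] = hits
    return results


# Constructed sample log lines (not from the advisory), in a proxy/firewall/EDR style.
# Line 3 carries a look-alike address and must NOT match.
SAMPLE_LOGS = [
    "2024-12-18T09:12:01Z proxy allow src=10.0.4.23 url=http://179.60.149.194:8080/fdgjsdmt bytes=48213",
    "2024-12-18T09:12:05Z fw deny src=10.0.4.23 dst=179.60.149.194 dport=8080 proto=tcp",
    "2024-12-18T09:13:40Z edr file_create host=WS-0423 path=C:\\Users\\user\\AppData\\Local\\Temp\\payload.au3 "
    "sha256=bb56354cdb241de0051b7bcc7e68099e19cc2f26256af66fad69e3d2bc8a8922",
    "2024-12-18T09:14:02Z fw allow src=10.0.4.23 dst=179.60.149.19 dport=443 proto=tcp",
    "2024-12-18T09:15:00Z dns query host=WS-0423 qname=login.microsoftonline.com",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {idx}: {hits}")
```

To sweep real data, feed `scan_logs` the lines of an exported proxy, firewall or EDR log, and pass the bytes of any suspicious file (for example `open(path, "rb").read()`) to `match_file_bytes`. The hash check is exact, so it only confirms the specific sample listed here; a recompiled or repacked DarkGate build will not match and must be caught by the behavioural controls in the remediation list (allowlisting remote access tools, monitoring for unexpected installs).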
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.