A new phishing campaign targeting Microsoft Teams users with messages to deliver a payload of DarkGate Loader malware is making its rounds.

BleepingComputer recently reported on the cyber threat.

This sophisticated attack serves as a reminder of the ever-evolving landscape of cybersecurity threats and the need for constant vigilance to stay aware of the latest threat themes.

Let’s take a look at how this attack finds its targets, its implications, and what you can do to protect yourself and your organization.

The Anatomy of the Attack

Compromised external Office 365 accounts started sending phishy Microsoft Teams messages to other organizations. These messages enticed recipients to download and open a seemingly innocuous ZIP file named "Changes to the vacation schedule."

Beneath the veil lurks a perilous trap. Clicking on the attachment initiates the download of the ZIP file from a SharePoint URL; the archive contains an LNK file cleverly disguised as a PDF document. An unsuspecting victim would not realize that this LNK file held malicious VBScript, which set off a chain reaction leading to the DarkGate Loader's deployment.

To avoid detection, cyberattackers employed Windows cURL for fetching executable malware and script files. The script itself arrived pre-compiled, camouflaging malicious code within the file and employing a distinctive "magic bytes" technique associated with AutoIT scripts.

Before continuing, the script performed a critical check: it verified the presence of Sophos antivirus software on the target machine. If absent, it deobfuscated additional code and launched shellcode. This shellcode, utilizing a technique known as "stacked strings," constructed the DarkGate Windows executable and loaded it into memory.
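The lure described above rests on a single trick a mail or Teams gateway can check for: a Windows shortcut (.lnk) packed inside a ZIP under a name that ends in a document extension, which Explorer then shows without the trailing ".lnk". The following Python scanner is an added example written for this post, not a tool from the campaign or from BleepingComputer. It recognises shortcuts by the fixed LNK file header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046) rather than by name alone, and flags decoy extensions in front of ".lnk". The decoy-extension list and the in-memory sample archive are constructed for the demonstration; the archive name "Changes to the vacation schedule" is the one reported in the attack.

```python
import io
import zipfile
from typing import Dict, List

# Every Windows shortcut starts with HeaderSize 0x0000004C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk (mixed-endian) layout.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Extensions commonly placed in front of ".lnk" so the shortcut looks like a document
# (assumed list for this example; extend it to match the file types your users exchange).
DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def inspect_zip(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Scan a ZIP archive held in memory and return one finding per suspicious entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            with archive.open(info) as member:
                head = member.read(len(LNK_MAGIC))

            is_shortcut = head.startswith(LNK_MAGIC)   # content says "shortcut"
            has_lnk_ext = name.endswith(".lnk")         # name says "shortcut"
            reasons = []

            if is_shortcut:
                reasons.append("shortcut header")
            if has_lnk_ext:
                reasons.append("lnk extension")
                # "report.pdf.lnk" displays as "report.pdf" because Explorer hides ".lnk"
                stem = name[:-len(".lnk")]
                for ext in DECOY_EXTENSIONS:
                    if stem.endswith(ext):
                        reasons.append(f"decoy extension {ext}")
                        break
            if is_shortcut and not has_lnk_ext:
                # Renamed shortcut; Windows will not run it as one, but it is still a red flag.
                reasons.append("shortcut with non-lnk extension")

            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip(include_lnk: bool = True) -> bytes:
    """Constructed sample archive: an optional decoy shortcut plus a harmless text file."""
    # Header only; this is not a functional shortcut and points at nothing.
    fake_lnk = LNK_MAGIC + b"\x00" * 40
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        if include_lnk:
            archive.writestr("Changes to the vacation schedule.pdf.lnk", fake_lnk)
        archive.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(f"{finding['name']}: {', '.join(finding['reasons'])}")
```

Checking the header as well as the name matters because attackers rename files freely; a gateway that only matches on ".lnk" misses a shortcut stored as "schedule.pdf", while one that only matches on the header misses nothing but cannot explain why the name was deceptive. Reporting both gives the analyst the reason the file was held.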

The Utilization of Compromised Microsoft Teams Accounts

Leveraging compromised Microsoft Teams accounts to disseminate malicious attachments to other Teams organizations is a well-crafted ploy and one we’ve seen before. This technique bears similarities to an earlier cyberattack back in June 2023 reported by Jumpsec, which exposed the potential for sending malicious messages to other organizations through phishing and social engineering.

Despite this attack theme being revealed and identified publicly a few months back, Microsoft has yet to address this vulnerability fully. Instead, MS recommends adopting safe configurations, such as narrow-scoped allow-lists and disabling external access if communication with external tenants is unnecessary. The non-technical version is “block out the bad!”

It is worth noting a Red Teamer released a tool in July 2023 streamlining the Microsoft Teams phishing attack, further increasing the exploitation risk.

The DarkGate Dilemma

DarkGate Loader malware has been in circulation since 2017 and is primarily utilized by a select group of cybercriminals for highly targeted cyberattacks. This malware is exceptionally potent, supporting a wide range of cybercrime, including remote access via hVNC, cryptocurrency mining, reverse shell, keylogging, clipboard theft, and of course pilfering of information, including files and browser data.

Since June 2023, an individual claiming to be the original author of DarkGate has been attempting to sell access to the malware for an exorbitant fee of $100,000 per year (ZeroFox). This revelation sparked concerns, and subsequently there have been numerous reports of DarkGate's distribution intensifying through various channels, especially phishing and malvertising.

While DarkGate may not yet pose a widespread threat, it is expanding. The adoption of multiple infection avenues makes it an emerging threat demanding close monitoring in addition to educating IT and cybersecurity teams to remain aware of its power.

The Bottom Line

The most recent Microsoft Teams phishing attack utilizing DarkGate Loader malware relies on compromised employee accounts to spread the attack to other Microsoft Teams users.

By simply staying aware and informed of the threat themes circling the web, you can position your organization to be ready to spot and stop these cyberattack attempts before they wreak havoc within your systems.

Remember, in the realm of cybersecurity, awareness and proactive training measures are our best weapons against the dark forces of the digital world, like DarkGate.