DarkGate Malware Exploits Microsoft Teams: A New Social Engineering Threat

December 23, 2024 | Cybersecurity
By Daksh Dhruva, 63SATS

Cybercriminals are leveraging Microsoft Teams in a sophisticated social engineering campaign to spread the DarkGate malware.

Researchers at Trend Micro revealed that attackers impersonated a client during a Teams call, convincing the victim to grant remote access to their system. While an attempt to install Microsoft Remote Support failed, they successfully tricked the victim into downloading AnyDesk, a popular remote access tool, to deliver malware.

How the Attack Unfolded

According to Rapid7, the campaign began with a barrage of emails targeting the victim, followed by attackers posing as external supplier employees via Teams. Under this guise, they guided the victim into installing AnyDesk. This access was then used to deploy multiple malicious payloads, including a credential stealer and DarkGate malware.

The Evolution of DarkGate

DarkGate, active since 2018, has evolved into a malware-as-a-service (MaaS) platform with restricted client access. Its advanced features include credential theft, keylogging, screen capture, audio recording, and remote desktop access. Recent attack patterns show DarkGate being delivered via AutoIt and AutoHotKey scripts. In this case, an AutoIt script was used, but the attack was intercepted before data exfiltration occurred.

Mitigation Strategies

To combat such threats, organizations should:

  • Enable multi-factor authentication (MFA).
  • Allowlist trusted remote access tools.
  • Block unverified applications.
  • Rigorously vet third-party technical support providers.
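
One way to put the allowlisting advice above into practice, as an added example that is not from the article or the researchers it cites: a small Python check that scans process-creation log lines for remote-access tools outside an assumed allowlist and for AutoIt/AutoHotKey interpreters, the loader style the article describes for DarkGate. The log format, tool names, allowlist and sample events are all assumptions constructed for the example.

```python
"""Flag unapproved remote-access tools and script-interpreter launches in
process-creation logs. Added example; the log lines are constructed and the
tool lists are illustrative, not a vendor's telemetry or detection content."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "host user reason image")

# Remote-access tools the organisation has approved (assumed allowlist).
APPROVED_REMOTE_TOOLS = {"msra.exe", "quickassist.exe"}
# Well-known remote-access binaries to flag when they are not allowlisted.
KNOWN_REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.exe",
                      "msra.exe", "quickassist.exe"}
# Interpreters for AutoIt/AutoHotKey scripts, the loader style seen with DarkGate.
SCRIPT_INTERPRETERS = {"autoit3.exe", "autohotkey.exe", "autohotkey64.exe"}

# Constructed process-creation events in a simple key=value format (not real data).
SAMPLE_EVENTS = """\
host=WS-17 user=alice image=C:\\Program Files\\Microsoft Teams\\Teams.exe parent=explorer.exe
host=WS-17 user=alice image=C:\\Users\\alice\\Downloads\\AnyDesk.exe parent=msedge.exe
host=WS-17 user=alice image=C:\\Windows\\System32\\msra.exe parent=explorer.exe
host=WS-17 user=alice image=C:\\Users\\alice\\AppData\\Local\\Temp\\AutoIt3.exe parent=AnyDesk.exe
host=WS-22 user=bob image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe
"""
LINE_RE = re.compile(r"host=(\S+) user=(\S+) image=(.+?) parent=(\S+)$")

def basename(path):
    # Lower-cased file name so allowlist comparison ignores path and case.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze(log_text):
    """Return a Finding for each event that violates the assumed policy."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        host, user, image, parent = m.groups()
        name = basename(image)
        if name in KNOWN_REMOTE_TOOLS and name not in APPROVED_REMOTE_TOOLS:
            findings.append(Finding(host, user, "unapproved remote-access tool", name))
        if name in SCRIPT_INTERPRETERS:
            reason = "script interpreter"
            if basename(parent) in KNOWN_REMOTE_TOOLS:
                reason += " spawned by remote-access tool"  # remote session dropped a loader
            findings.append(Finding(host, user, reason, name))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

On the constructed sample, the approved msra.exe launch passes while the AnyDesk download and the AutoIt interpreter spawned from the AnyDesk session are both reported.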

Emerging Phishing Trends

This attack highlights the broader rise of phishing tactics, including:

  • YouTube Scams: Impersonating brands to lure creators with fake promotions, deploying Lumma Stealer malware via malicious links.
  • QR Code Phishing: Embedding malicious QR codes in emails to harvest credentials.
  • Cloudflare Abuse: Using fraudulent login pages hosted on Cloudflare Pages.
  • HTML Attachments: Disguising malicious files as invoices or policies to redirect users to phishing sites.
  • Trusted Platform Exploits: Misusing platforms like DocuSign or Google AMP for malicious purposes.
  • Okta Impersonation: Pretending to be Okta support to steal credentials.
  • WhatsApp Scams: Targeting Indian users with fake banking apps to steal financial data.

Global Events: A Cybercriminal’s Playground

Attackers often exploit major events to amplify their phishing campaigns, using deceptive domains and counterfeit promotions to lure victims. “High-profile events like product launches or tournaments are prime targets for cybercriminals,” noted Palo Alto Networks Unit 42. Monitoring domain registrations and anomalies is key to early detection.

By adopting proactive cybersecurity measures and maintaining vigilance, organizations can fortify their defenses against the evolving landscape of phishing and malware threats.

(Original Story Source: Hacker News)