Recent phishing attacks have exploited Microsoft Teams group chat requests to distribute malicious attachments containing DarkGate malware. The attackers exploited a compromised Teams user or domain to send over 1,000 fraudulent group chat invitations.
Once the recipients accept the chat request, they are manipulated into downloading a file with a double extension, such as ‘Navigating Future Changes October 2023.pdf.msi,’ which is a common technique used by DarkGate. This information is based on research conducted by AT&T Cybersecurity.
Modus Operandi of DarkGate Malware
After being installed, the DarkGate malware establishes communication with its command-and-control server located at hgfdytrywq[.]com. This domain has been identified as part of the DarkGate malware infrastructure by Palo Alto Networks.
This phishing attack was made possible due to Microsoft’s default settings, which allow external Microsoft Teams users to send messages to users in different tenants.
“Unless absolutely necessary for daily business use, disabling External Access in Microsoft Teams is advisable for most companies, as email is generally a more secure and more closely monitored communication channel,” “As always, end users should be trained to pay attention to where unsolicited messages are coming from and should be reminded that phishing can take many forms beyond the typical email.” warned AT&T Cybersecurity network security engineer Peter Boyle.
The popularity of Microsoft Teams, with its vast user base of 280 million monthly users, has made it an attractive target for threat actors. Exploiting this opportunity, DarkGate operators have been using Microsoft Teams to distribute their malware.
They specifically target organizations where administrators have not taken the necessary steps to secure their tenants, such as disabling the External Access setting.
Similar DarkGate Malware Campaigns Used TeamsPhisher Tool to Exploit Vulnerabilities
Similar campaigns were observed in the past, where DarkGate malware was distributed through compromised external Office 365 and Skype accounts. These accounts sent messages containing VBA loader script attachments.
Furthermore, initial access brokers like Storm-0324 have utilized Microsoft Teams for phishing attempts to breach corporate networks. They take advantage of a publicly available tool called TeamsPhisher, which exploits a security vulnerability in Microsoft Teams.
The tool TeamsPhisher bypasses client-side protections that are designed to block file delivery from external tenant accounts, allowing attackers to send malicious payloads.
This security vulnerability was also exploited by APT29, a hacking division of Russia’s Foreign Intelligence Service (SVR). APT29 targeted numerous organizations worldwide, including government agencies, by taking advantage of the same issue.
Recent Surge of DarkGate Malware Attacks
Following coordinated international efforts that effectively dismantled the Qakbot botnet in August, cybercriminals have been shifting their focus towards utilizing the DarkGate malware loader as their primary method for gaining initial access to corporate networks.
It is worth noting that prior to the takedown of the Qakbot botnet, an individual purporting to be the developer of DarkGate made an attempt to sell annual subscriptions for $100,000 on a hacking forum.
The DarkGate malware, according to its developer, boasts an array of capabilities. These include a hidden VNC, tools to evade Windows Defender, a tool for stealing browser history, an integrated reverse proxy, a file manager, and even a Discord token stealer.
Since the developer’s announcement, there has been a noticeable increase in reported DarkGate infections. Cybercriminals have been employing multiple delivery methods, including phishing and malvertising, to distribute the malware.