Recent phishing attacks have abused Microsoft Teams group chat requests to distribute malicious attachments carrying DarkGate malware. The attackers used a compromised Teams user or domain to send over 1,000 fraudulent group chat invitations.
Once recipients accept the chat request, they are manipulated into downloading a file with a double extension, such as ‘Navigating Future Changes October 2023.pdf.msi,’ a technique commonly used by DarkGate: the document-like inner extension makes the name look harmless while the final .msi extension is what actually runs. This information is based on research conducted by AT&T Cybersecurity.
Modus Operandi of DarkGate Malware
After being installed, the DarkGate malware establishes communication with its command-and-control server at hgfdytrywq[.]com, a domain Palo Alto Networks has identified as part of the DarkGate malware infrastructure. The phishing attack was made possible by Microsoft’s default settings, which allow external Microsoft Teams users to send messages to users in other tenants.

“Unless absolutely necessary for daily business use, disabling External Access in Microsoft Teams is advisable for most companies, as email is generally a more secure and more closely monitored communication channel,” warned AT&T Cybersecurity network security engineer Peter Boyle. “As always, end users should be trained to pay attention to where unsolicited messages are coming from and should be reminded that phishing can take many forms beyond the typical email.”

The popularity of Microsoft Teams, with its vast user base of 280 million monthly users, has made it an attractive target for threat actors. Exploiting this opportunity, DarkGate operators have been using Microsoft Teams to distribute their malware. They specifically target organizations where administrators have not taken the necessary steps to secure their tenants, such as disabling the External Access setting.
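The three defender-side signals this campaign leaves behind (an external-tenant sender, a double-extension attachment, and a DNS lookup for the reported C2 domain) can be checked mechanically. The following triage helper is an added example, not code from AT&T Cybersecurity or the article; the event dictionary shape, the `home_tenants` set and the sample events are constructed assumptions.

```python
import re

# Extensions attackers place last so the file executes, while an earlier
# document-like extension makes the name look harmless (e.g. 'x.pdf.msi').
EXECUTABLE_EXTS = {"msi", "exe", "vbs", "js", "scr", "bat", "cmd", "lnk", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}

# Indicator from the report, kept defanged; refanged only for comparison.
DARKGATE_C2 = "hgfdytrywq[.]com"


def refang(domain: str) -> str:
    """Turn a defanged indicator like 'a[.]b' back into 'a.b' for matching."""
    return domain.replace("[.]", ".").strip().lower()


def is_double_extension_lure(filename: str) -> bool:
    """True when a document-looking extension is immediately followed by an
    executable one, as in 'report.pdf.msi'. Case-insensitive."""
    parts = filename.strip().lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return inner in DOCUMENT_EXTS and outer in EXECUTABLE_EXTS


def is_external_sender(sender: str, home_tenants: set[str]) -> bool:
    """True when the sender's domain is not one of our own tenant domains."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in home_tenants}


def triage(event: dict, home_tenants: set[str]) -> list[str]:
    """Return the reasons a Teams attachment event should be escalated.
    `event` is a constructed dict with keys sender, attachment, dns_lookups."""
    reasons = []
    if is_external_sender(event["sender"], home_tenants):
        reasons.append("external-sender")
    if is_double_extension_lure(event["attachment"]):
        reasons.append("double-extension")
    if any(refang(d) == refang(DARKGATE_C2) for d in event.get("dns_lookups", [])):
        reasons.append("known-darkgate-c2")
    return reasons


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"sender": "hr@partner-tenant.example",
     "attachment": "Navigating Future Changes October 2023.pdf.msi",
     "dns_lookups": ["hgfdytrywq.com"]},
    {"sender": "alice@corp.example", "attachment": "budget.xlsx", "dns_lookups": []},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["attachment"], "->", triage(ev, {"corp.example"}))
```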