A new social engineering campaign has leveraged Microsoft Teams as a way to facilitate the deployment of a known malware called DarkGate.
“An attacker used social engineering via a Microsoft Teams call to impersonate a user’s client and gain remote access to their system,” Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta said.
“The attacker failed to install a Microsoft Remote Support application but successfully instructed the victim to download AnyDesk, a tool commonly used for remote access.”
As recently documented by cybersecurity firm Rapid7, the attack involved bombarding a target’s email inbox with “thousands of emails,” after which the threat actors approached them via Microsoft Teams by masquerading as an employee of an external supplier.
The attacker then went on to instruct the victim to install AnyDesk on their system, with the remote access subsequently abused to deliver multiple payloads, including a credential stealer and the DarkGate malware.
Actively used in the wild since 2018, DarkGate is a remote access trojan (RAT) that has since evolved into a malware-as-a-service (MaaS) offering with a tightly controlled number of customers. Among its varied capabilities are conducting credential theft, keylogging, screen capturing, audio recording, and remote desktop.
An analysis of various DarkGate campaigns over the past year shows that it’s known to be distributed via two different attack chains that employ AutoIt and AutoHotKey scripts. In the incident examined by Trend Micro, the malware was deployed via an AutoIt script.
Although the attack was blocked before any data exfiltration activities could take place, the findings are a sign of how threat actors are using a diverse set of initial access routes for malware propagation.
Organizations are recommended to enable multi-factor authentication (MFA), allowlist approved remote access tools, block unverified applications, and thoroughly vet third-party technical support providers to eliminate the vishing risk.
The development comes amid a surge in different phishing campaigns that have leveraged various lures and tricks to dupe victims into parting with their data –
- A large-scale YouTube-oriented campaign in which bad actors impersonate popular brands and approach content creators via email for potential promotions, partnership proposals, and marketing collaborations, and urge them to click on a link to sign an agreement, ultimately leading to the deployment of Lumma Stealer. The email addresses from YouTube channels are extracted by means of a parser.
- A quishing campaign that makes use of phishing emails bearing a PDF attachment containing a QR code attachment, which, when scanned, directs users to a fake Microsoft 365 login page for credential harvesting.
- Phishing attacks take advantage of the trust associated with Cloudflare Pages and Workers to set up fake sites that mimic Microsoft 365 login pages and bogus CAPTCHA verification checks to supposedly review or download a document.
- Phishing attacks that use HTML email attachments that are disguised as legitimate documents like invoices or HR policies but contain embedded JavaScript code to execute malicious actions such as redirecting users to phishing sites, harvesting credentials, and deceiving users into running arbitrary commands under the pretext of fixing an error (i.e., ClickFix).
- Email phishing campaigns that leverage trusted platforms like Docusign, Adobe InDesign, and Google Accelerated Mobile Pages (AMP) to get users to click on malicious links that are designed to harvest their credentials.
- Phishing attempts that claim to be from Okta’s support team in a bid to gain access to users’ credentials and breach the organization’s systems.
- Phishing messages targeting Indian users that are distributed via WhatsApp and instruct the recipients to install a malicious bank or utility app for Android devices that are capable of stealing financial information.
Threat actors are also known to swiftly capitalize on global events to their advantage by incorporating them into their phishing campaigns, often preying on urgency and emotional reactions to manipulate victims and persuade them to do unintended actions. These efforts are also complemented by domain registrations with event-specific keywords.
“High-profile global events, including sporting championships and product launches, attract cybercriminals seeking to exploit public interest,” Palo Alto Networks Unit 42 said. “These criminals register deceptive domains mimicking official websites to sell counterfeit merchandise and offer fraudulent services.”
“By monitoring key metrics like domain registrations, textual patterns, DNS anomalies and change request trends, security teams can identify and mitigate threats early.”
