A new social engineering campaign has leveraged Microsoft Teams as a way to facilitate the deployment of a known malware called DarkGate.
“An attacker used social engineering via a Microsoft Teams call to impersonate a user’s client and gain remote access to their system,” Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta said.
“The attacker failed to install a Microsoft Remote Support application but successfully instructed the victim to download AnyDesk, a tool commonly used for remote access.”
As recently documented by cybersecurity firm Rapid7, the attack involved bombarding a target’s email inbox with “thousands of emails,” after which the threat actors approached them via Microsoft Teams by masquerading as an employee of an external supplier.
The attacker then went on to instruct the victim to install AnyDesk on their system, with the remote access subsequently abused to deliver multiple payloads, including a credential stealer and the DarkGate malware.
Actively used in the wild since 2018, DarkGate is a remote access trojan (RAT) that has since evolved into a malware-as-a-service (MaaS) offering with a tightly controlled number of customers. Among its varied capabilities are conducting credential theft, keylogging, screen capturing, audio recording, and remote desktop.
An analysis of various DarkGate campaigns over the past year shows that it’s known to be distributed via two different attack chains that employ AutoIt and AutoHotKey scripts. In the incident examined by Trend Micro, the malware was deployed via an AutoIt script.
Although the attack was blocked before any data exfiltration activities could take place, the findings are a sign of how threat actors are using a diverse set of initial access routes for malware propagation.
Organizations are recommended to enable multi-factor authentication (MFA), allowlist approved remote access tools, block unverified applications, and thoroughly vet third-party technical support providers to eliminate the vishing risk.
The development comes amid a surge in different phishing campaigns that have leveraged various lures and tricks to dupe victims into parting with their data –
Threat actors are also known to swiftly capitalize on global events to their advantage by incorporating them into their phishing campaigns, often preying on urgency and emotional reactions to manipulate victims and persuade them to do unintended actions. These efforts are also complemented by domain registrations with event-specific keywords.
“High-profile global events, including sporting championships and product launches, attract cybercriminals seeking to exploit public interest,” Palo Alto Networks Unit 42 said. “These criminals register deceptive domains mimicking official websites to sell counterfeit merchandise and offer fraudulent services.”
“By monitoring key metrics like domain registrations, textual patterns, DNS anomalies and change request trends, security teams can identify and mitigate threats early.”
