A new social engineering campaign has used Microsoft Teams as a way to facilitate the deployment of a known malware called DarkGate.
“An attacker used social engineering via a Microsoft Teams call to impersonate a user’s client and gain remote access to their system,” Trend Micro researchers Catherine Loveria, Jovit Samaniego and Gabriel Nicoletta said.
“The attacker failed to install the Microsoft Remote Support application, but successfully instructed the victim to download AnyDesk, a tool commonly used for remote access.”
As recently documented by cybersecurity firm Rapid7, the attack involved bombarding a target’s inbox with “thousands of emails,” after which the threat actors contacted them via Microsoft Teams, posing as an employee of an external vendor.
The attacker then instructed the victim to install AnyDesk on their system, after which the remote access was used to deliver several payloads, including a credential stealer and DarkGate malware.
Active in the wild since 2018, DarkGate is a remote access trojan (RAT) that has since evolved into a malware-as-a-service (MaaS) offering with a strictly controlled number of clients. Among its various capabilities are credential theft, keylogging, screen capture, audio recording, and remote desktop.
Analysis of various DarkGate campaigns over the past year shows that it is known to spread through two different attack chains that use the AutoIt and AutoHotKey scripts. In the incident investigated by Trend Micro, the malware was deployed via an AutoIt script.
Although the attack was blocked before any data extortion activity could occur, these findings suggest that threat actors are using a diverse set of initial access routes to distribute malware.
Organizations are encouraged to enable multi-factor authentication (MFA), whitelist approved remote access tools, block unverified applications, and thoroughly vet third-party technical support providers to eliminate the risk of phishing.
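The intrusion chain above has three observable stages on one endpoint: an inbound e-mail flood, a Teams message from an external tenant, and the launch of a remote-access tool that is not on the organization’s approved list. The following is an added detection sketch, not code from Trend Micro, Rapid7 or this article; the log layout, field names, process names and thresholds are assumptions, and the sample events are constructed.

```python
"""Correlate e-mail flood + external Teams contact + unapproved remote tool.

Assumed record format (constructed, not a vendor schema):
    <ISO timestamp>|<host>|<event kind>|<detail>
Event kinds used: email_received, teams_message, process_start.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical allowlist of remote support tools the organization approves.
APPROVED_REMOTE_TOOLS = {"msra.exe"}
# Remote-access binaries to watch; AnyDesk is the one named in the article.
REMOTE_TOOL_PROCESSES = {"anydesk.exe", "msra.exe"}
EMAIL_FLOOD_THRESHOLD = 50          # assumed: messages within WINDOW
WINDOW = timedelta(hours=2)         # assumed correlation window

# Constructed sample telemetry: ws-17 shows the full chain, ws-22 does not.
SAMPLE_LOG = (
    [f"2024-06-03T09:{m:02d}:00|ws-17|email_received|bulk newsletter {m}"
     for m in range(60)]
    + ["2024-06-03T10:05:00|ws-17|teams_message|external tenant: helpdesk",
       "2024-06-03T10:12:00|ws-17|process_start|AnyDesk.exe",
       "2024-06-03T11:00:00|ws-22|process_start|AnyDesk.exe"]
)

def parse(line):
    ts, host, kind, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, kind, detail.lower()

def find_suspicious_hosts(lines):
    """Return {host: details} for hosts where all three signals line up."""
    events = defaultdict(list)
    for line in lines:
        ts, host, kind, detail = parse(line)
        events[host].append((ts, kind, detail))
    hits = {}
    for host, evs in events.items():
        evs.sort()
        for ts, kind, detail in evs:
            # Trigger only on an unapproved remote-access tool starting.
            if kind != "process_start" or detail not in REMOTE_TOOL_PROCESSES:
                continue
            if detail in APPROVED_REMOTE_TOOLS:
                continue
            recent = [e for e in evs if ts - WINDOW <= e[0] <= ts]
            mails = sum(1 for e in recent if e[1] == "email_received")
            ext_teams = any(e[1] == "teams_message" and "external" in e[2]
                            for e in recent)
            if mails >= EMAIL_FLOOD_THRESHOLD and ext_teams:
                hits[host] = {"tool": detail, "emails": mails, "at": ts}
    return hits
```

A lone AnyDesk launch (ws-22) is not flagged; the alert requires the flood and the external Teams contact in the same window, which is what distinguishes this chain from ordinary remote support.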
The development comes amid a surge in phishing campaigns that use various lures and tricks to get victims to part with their data:
- A large-scale campaign targeting YouTube creators in which bad actors impersonate popular brands and email content creators with potential promotions, partnership offers, and marketing collaborations, encouraging them to click on a link to sign an agreement, ultimately leading to the deployment of Lumma Stealer. Email addresses of YouTube channels are extracted using a parser.
- A QR code phishing campaign that uses emails with a PDF attachment containing a QR code which, when scanned, directs users to a fake Microsoft 365 login page to collect credentials.
- Phishing attacks that exploit the trust associated with Cloudflare Pages and Workers to create fake sites that mimic Microsoft 365 login pages and fake CAPTCHA checks, supposedly to view or download a document.
- Phishing attacks that use HTML email attachments disguised as legitimate documents, such as invoices or HR policies, but contain embedded JavaScript code to perform malicious actions such as redirecting users to phishing sites, harvesting credentials, and tricking them into executing arbitrary commands under the guise of fixing an error (such as ClickFix).
- Phishing email campaigns that use trusted platforms like Docusign, Adobe InDesign and Google Accelerated Mobile Pages (AMP) to get users to click on malicious links designed to harvest their credentials.
- Phishing attempts that purport to come from Okta Support in an attempt to obtain user credentials and break into an organization’s systems.
- Phishing messages targeting Indian users, distributed via WhatsApp, that instruct recipients to install a malicious banking or utility application on Android devices capable of stealing financial information.
Threat actors are also known to be quick to use global events to their advantage by incorporating them into their phishing campaigns, often preying on urgency and emotional reactions to manipulate victims into taking unintended actions. These efforts are also complemented by event-specific keyword domain registrations.
“High-profile global events, including sporting championships and product launches, attract cybercriminals looking to take advantage of the public interest,” Palo Alto Networks Unit 42 said. “These criminals register fraudulent domains impersonating official websites to sell counterfeit goods and offer fraudulent services.”
“By monitoring key metrics such as domain registrations, text patterns, DNS anomalies and change request trends, security teams can detect and mitigate threats in a timely manner.”