Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion
The Trend Micro Managed Detection and Response (MDR) team analyzed a recent security incident in which a user was targeted over a Microsoft Teams call by an attacker posing as an employee of a known client in order to gain remote access to the victim's system. Through this vishing technique the adversary talked the victim into downloading remote access software, in this case AnyDesk, which the adversary then used to deploy DarkGate malware. DarkGate, delivered via an AutoIt script, gave the attacker remote control of the user's machine, executed malicious commands, gathered system information, and connected to a command-and-control server. Trend Micro's analysis walks through this multi-stage infection chain in detail.
In the case observed, Trend Micro saw the attacker use social engineering to gain access to and control over a computer system. As in the activity Rapid7 described in a blog post on Black Basta DarkGate campaigns, the adversary begins by email bombing the potential victim. The victim then receives a Microsoft Teams call from someone claiming to be an employee of a trusted third-party supplier. In the activity Trend Micro observed, the threat actor tried more than one remote access tool until the victim could be persuaded to download and run one of them, in this case AnyDesk. AnyDesk is executed with elevated system privileges, and within a few minutes the adversary loads a malicious DLL through side-loading. This DLL displays a login form used to harvest credentials; while the form is on screen, a series of commands collects system and network information. The attacker then uses process injection to connect to the external IP address 79.60.149[.]194:80. A VBScript is executed next, dropping the DarkGate payload, which establishes persistence through several dropped files and a registry entry.
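The chain above maps cleanly onto host telemetry: a remote access tool launched from a user directory, an unsigned DLL loaded from a user-writable path, a connection to the published C2 address, a script host running a .vbs file, and a Run-key write. The following hunt script is an added example written for this summary, not code from Trend Micro or from the incident. It runs over constructed Sysmon-style events (plain dicts; every hostname, path, SID and timestamp in the sample is made up, and the list of remote access tools beyond AnyDesk is an assumption), classifies each event into a chain stage, and only alerts on a host where a remote access tool launch is followed within a short window by at least two further stages, so that a legitimate IT support session or a lone installer writing a Run key does not fire.

```python
"""Hunt for the DarkGate Teams-vishing chain in Sysmon-style telemetry.
Event dicts use Sysmon-like field names: event_id 1 = process create,
7 = image load, 3 = network connect, 13 = registry value set."""
from collections import defaultdict
from datetime import datetime, timedelta

# The one network indicator in the write-up (defanged there as 79.60.149[.]194:80).
IOC_C2 = ("79.60.149.194", 80)
# AnyDesk is from the incident; the other names are assumptions for illustration.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "quickassist.exe", "rustdesk.exe"}
# Directories a standard user can write to; an unsigned DLL loaded from one of
# these is the side-loading heuristic used here (expect some benign noise).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev):
    """Return the chain stage a single event matches, or None."""
    eid = ev["event_id"]
    if eid == 1:  # process creation
        name = _basename(ev["image"])
        if name in REMOTE_ACCESS_TOOLS:
            return "remote_access_tool"
        if name in SCRIPT_HOSTS and ".vbs" in ev.get("command_line", "").lower():
            return "vbscript_execution"
    elif eid == 7:  # image (DLL) load
        loaded = ev["image_loaded"].lower()
        if ev.get("signed") is False and any(d in loaded for d in USER_WRITABLE):
            return "dll_sideload"
    elif eid == 3:  # network connection
        if (ev["dest_ip"], ev["dest_port"]) == IOC_C2:
            return "c2_connection"
    elif eid == 13:  # registry value set
        if "\\currentversion\\run\\" in ev["target_object"].lower():
            return "run_key_persistence"
    return None


def hunt(events):
    """All (host, time, stage) hits, in time order."""
    hits = []
    for ev in sorted(events, key=_ts):
        stage = classify(ev)
        if stage:
            hits.append((ev["host"], ev["time"], stage))
    return hits


def correlate(events, window=timedelta(minutes=30)):
    """Hosts where a remote access tool launch is followed, within `window`,
    by at least two distinct later stages. Returns {host: sorted stages}."""
    per_host = defaultdict(list)
    for host, time, stage in hunt(events):
        per_host[host].append((datetime.fromisoformat(time), stage))
    alerts = {}
    for host, hits in per_host.items():
        for t0 in (t for t, s in hits if s == "remote_access_tool"):
            later = {s for t, s in hits
                     if t0 < t <= t0 + window and s != "remote_access_tool"}
            if len(later) >= 2:
                alerts[host] = sorted(later)
                break
    return alerts


# Constructed sample telemetry for this example; not from the incident.
SAMPLE_EVENTS = [
    # WS01: the chain described in the write-up, with hypothetical paths
    {"host": "WS01", "time": "2024-11-20T10:02:00", "event_id": 1,
     "image": "C:\\Users\\alice\\Downloads\\AnyDesk.exe", "command_line": "AnyDesk.exe"},
    {"host": "WS01", "time": "2024-11-20T10:06:00", "event_id": 7,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\support\\viewer.exe",
     "image_loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\support\\helper.dll",
     "signed": False},
    {"host": "WS01", "time": "2024-11-20T10:08:00", "event_id": 3,
     "image": "C:\\Windows\\System32\\svchost.exe", "dest_ip": "79.60.149.194", "dest_port": 80},
    {"host": "WS01", "time": "2024-11-20T10:11:00", "event_id": 1,
     "image": "C:\\Windows\\System32\\wscript.exe",
     "command_line": "wscript.exe \"C:\\Users\\alice\\AppData\\Local\\Temp\\install.vbs\""},
    {"host": "WS01", "time": "2024-11-20T10:15:00", "event_id": 13,
     "target_object": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    # WS02: a legitimate AnyDesk session and an installer's Run key, hours apart
    {"host": "WS02", "time": "2024-11-20T09:00:00", "event_id": 1,
     "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "command_line": "AnyDesk.exe"},
    {"host": "WS02", "time": "2024-11-20T09:05:00", "event_id": 3,
     "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "dest_ip": "203.0.113.10", "dest_port": 443},
    {"host": "WS02", "time": "2024-11-20T15:00:00", "event_id": 13,
     "target_object": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
    print("alerts:", correlate(SAMPLE_EVENTS))
```

Run against the sample, WS01 alerts with all four follow-on stages and WS02 does not. In production the C2 match is the brittle part, since the address will rotate; the stage sequence (remote access tool launch, then script host and Run-key write within minutes) is the durable signal, and the side-load heuristic should be tuned against the environment's own baseline of unsigned DLLs in AppData.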
Security Officer Comments:
This campaign's AV evasion techniques and unconventional phishing approach highlight the challenges defenders now face. In the case Trend Micro analyzed, the attack was stopped before the attacker achieved their objective, and none of the observed activity led to data exfiltration. Although DarkGate is primarily distributed through phishing emails, malvertising, and SEO poisoning, Microsoft Teams vishing has recently been reported by Trend Micro, Microsoft, and Rapid7, indicating that the operators are testing new initial access vectors. Organizations should counter this with layered controls: restrict remote access software to an approved, centrally managed allowlist and block the rest; train users to verify unsolicited "support" calls, including those arriving over Teams, through a separate known channel; enforce multi-factor authentication so harvested credentials alone are not enough; and monitor for the chain above, in particular a remote access tool launch followed within minutes by script execution and a new Run-key entry.
Suggested Corrections:
IOCs are available in the Trend Micro report linked below.
Link(s):
https://www.darkreading.com/cyberattacks-data-breaches/vishing-via-microsoft-teams-spreads-darkgate-rat
https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html