How can your vacation schedule steal your passwords? New malware DarkGate answers the question.

Be careful if you receive a message from a colleague in Microsoft Teams.

Truesec specialists have discovered a new phishing campaign in which attackers used the Microsoft Teams corporate messenger to send malicious files that trigger the installation of the DarkGate Loader malware on victims' computers.

The attack began with two compromised Office 365 accounts that sent phishing messages via Microsoft Teams to the work addresses of employees at various organizations. The messages suggested opening a ZIP file called "Vacation Schedule Changes". Clicking the attachment started downloading a ZIP file from SharePoint, which contained an LNK file disguised as a PDF document.

Sample phishing email

The malicious LNK file contains a VBScript that initiates the installation of the DarkGate Loader malware. To evade anti-virus systems, the download process uses the Windows cURL utility to fetch the executable files and malware scripts.

The resulting script is pre-compiled and contains so-called "magic bytes" associated with AutoIt scripts, which helps conceal the malicious code. Before activation, the script checks for Sophos antivirus on the victim's computer. If it is not present, the script decrypts the additional code and runs shellcode that creates the DarkGate executable in memory.
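The attachment in this chain is a ZIP from SharePoint holding an LNK file that pretends to be a PDF. As an added, defender-side example (not code from Truesec or the article), the following Python scans a ZIP attachment for shortcut content and double extensions; the ZIP it builds is a constructed sample with a bare LNK header, not the campaign's real file.

```python
import io
import zipfile
from dataclasses import dataclass

# A Shell Link (.lnk) file starts with HeaderSize 0x4C followed by the fixed
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian layout.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
PDF_MAGIC = b"%PDF-"


@dataclass
class Finding:
    name: str
    reason: str


def inspect_zip(data: bytes) -> list[Finding]:
    """Flag ZIP members whose content or naming suggests a disguised shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(32)
            lower = info.filename.lower()
            parts = lower.rsplit("/", 1)[-1].split(".")
            if head.startswith(LNK_MAGIC):
                # The bytes are a Windows shortcut no matter what the name says.
                findings.append(Finding(info.filename, "shell link (.lnk) content"))
            elif lower.endswith(".pdf") and not head.startswith(PDF_MAGIC):
                findings.append(Finding(info.filename, "claims .pdf but lacks %PDF- header"))
            if len(parts) >= 3 and parts[-1] == "lnk":
                findings.append(Finding(info.filename, "double extension ending in .lnk"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample resembling the campaign's attachment (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake shortcut: valid LNK header padded to the 76-byte header size.
        zf.writestr("Vacation Schedule Changes.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.pdf", PDF_MAGIC + b"1.7\n% constructed benign file\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f"{f.name}: {f.reason}")
```

The same check can be run at a mail or Teams attachment gateway before the user ever sees the file.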

The DarkGate malware supports a wide range of malicious actions, including establishing an hVNC connection for remote access, cryptocurrency mining, reverse shell setup, keylogging, clipboard hijacking, and stealing information (files, browser data).

While DarkGate is not yet a widespread threat, its expanding focus and use of multiple infection paths make it an emerging threat that requires careful monitoring. However, Microsoft did not take any measures to eliminate the threat, limiting itself to recommendations for administrators to improve security.

The DarkGate malware supports a wide range of malicious activities, from remote access to data theft. In June, security researchers discovered a new MalSpam phishing campaign that infected victims' devices with DarkGate. According to Telekom Security experts, the sudden surge in DarkGate activity may be due to the malware developer beginning to rent it out to a limited circle of affiliates. Prices for a DarkGate subscription start at $1,000 per day and go up to $100,000 per year.