Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion
Summary:
The Trend Micro Managed Detection and Response (MDR) team analyzed a recent security incident in which a user was targeted by an attacker posing as an employee of a known client on a Microsoft Teams call in order to gain remote access to the victim’s system. Via this vishing technique, the adversary instructed the victim to download remote desktop software such as AnyDesk, which the adversary subsequently used to deploy DarkGate malware. DarkGate, distributed via an AutoIt script, enabled remote control over the user's machine, executed malicious commands, gathered system information, and connected to a command-and-control server. Trend Micro's analysis discusses this multi-stage infection chain in detail.
In the sample case observed, Trend Micro witnessed the attacker use social engineering to manipulate the victim and gain access to and control over a computer system. Similar to a Rapid7 blog post about Black Basta DarkGate activity, the adversary begins the attack by email bombing the potential victim. Subsequently, the victim receives a Microsoft Teams call from someone claiming to be an employee of a trusted third-party supplier. In the activity observed by Trend Micro, the threat actor cycled through remote access software until they could manipulate the victim into successfully downloading one of them, in this case AnyDesk. AnyDesk is executed with elevated system privileges, and within a few minutes the adversary loads a malicious DLL file via side-loading. This DLL displays a login form to harvest credentials, and while the form is shown, multiple malicious commands gather system and network information. The attacker uses process injection to connect to the external IP address 79.60.149[.]194:80. A VBScript is then executed which drops the DarkGate payload, and DarkGate establishes persistence using multiple files and a registry entry.
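The infection chain above is a sequence of stages a defender can correlate on a single host: an unsanctioned remote access tool starts, a DLL is loaded from a user-writable location (side-loading), an outbound connection is made to the reported command-and-control address, a script host runs a .vbs file, and a Run key is written. The following is an added example, not Trend Micro's code or tooling: it runs that correlation over constructed endpoint telemetry. The log format, field names, the 30-minute window, the user-writable-path heuristic for side-loading and all sample events are assumptions for illustration; the only value taken from the report is the C2 address 79.60.149[.]194:80, used here as a match value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator from the report summarized above (defanged there as 79.60.149[.]194:80),
# used purely as a detection match value.
KNOWN_C2 = {("79.60.149.194", 80)}
# AnyDesk is the tool named in the report; an organization would extend this set
# with every remote-access tool it does not sanction (assumption).
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}
# Side-loading heuristic (assumption): a DLL loaded from a user-writable path
# rather than a system or vendor install directory.
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\(appdata|downloads)|programdata|windows\\temp)", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)
WINDOW = timedelta(minutes=30)  # assumed correlation window after the tool starts

# Constructed telemetry in an assumed 'timestamp|host|type|key=value;...' format.
SAMPLE_EVENTS = [
    "2024-12-10T09:02:11|WS01|process_start|image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe;parent=explorer.exe",
    "2024-12-10T09:06:40|WS01|image_load|process=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe;dll=C:\\Users\\jdoe\\AppData\\Local\\Temp\\helper.dll",
    "2024-12-10T09:07:05|WS01|net_connect|process=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe;dst=79.60.149.194:80",
    "2024-12-10T09:09:30|WS01|process_start|image=C:\\Windows\\System32\\wscript.exe;cmdline=wscript.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\a.vbs",
    "2024-12-10T09:10:02|WS01|registry_set|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update;value=C:\\ProgramData\\x\\a.exe",
    # Benign activity on other hosts: a vendor plugin load, normal browsing, an OneDrive Run key.
    "2024-12-10T09:15:00|WS02|image_load|process=C:\\Program Files\\Vendor\\app.exe;dll=C:\\Program Files\\Vendor\\plugin.dll",
    "2024-12-10T09:20:00|WS02|net_connect|process=chrome.exe;dst=203.0.113.5:443",
    "2024-12-10T09:30:00|WS03|registry_set|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive;value=C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
]


def parse_event(line):
    """Parse one telemetry line into a dict with ts, host, type and its key=value fields."""
    ts, host, etype, rest = line.strip().split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    fields.update(ts=datetime.fromisoformat(ts), host=host, type=etype)
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Map an event to the intrusion stage it indicates, or None if it indicates nothing."""
    t = ev["type"]
    if t == "process_start":
        image = basename(ev["image"])
        if image in REMOTE_ACCESS_TOOLS:
            return "remote_access_tool"
        if image in SCRIPT_HOSTS and ".vbs" in ev.get("cmdline", "").lower():
            return "vbscript_execution"
    elif t == "image_load" and USER_WRITABLE.match(ev["dll"]):
        return "dll_sideload"
    elif t == "net_connect":
        ip, port = ev["dst"].rsplit(":", 1)
        if (ip, int(port)) in KNOWN_C2:
            return "c2_connection"
    elif t == "registry_set" and RUN_KEY.search(ev["key"]):
        return "run_key_persistence"
    return None


def correlate(lines):
    """Per host, open a finding when a remote-access tool starts and collect the
    stages seen within WINDOW after it. Returns {host: [stages in order]}; hosts
    with stage hits but no remote-access tool start produce no finding."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage))
    findings = {}
    for host, hits in by_host.items():
        hits.sort()
        start = next((ts for ts, s in hits if s == "remote_access_tool"), None)
        if start is None:
            continue
        stages = [s for ts, s in hits if start <= ts <= start + WINDOW]
        findings[host] = list(dict.fromkeys(stages))  # de-duplicate, keep order
    return findings


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {len(stages)} stages observed -> {', '.join(stages)}")
```

Anchoring the finding on the remote-access tool start keeps benign Run-key writes and vendor DLL loads on other hosts from surfacing on their own; the number of stages collected after that anchor gives a triage priority, with the C2 match alone being enough to escalate.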
Security Officer Comments:
This sophisticated campaign’s AV evasion techniques and unconventional phishing attempts highlight the modern challenges defenders face. In the case analyzed by Trend Micro, the attack was stopped before the attacker achieved their objective, and none of the observed activity led to data exfiltration. Although DarkGate is primarily distributed through phishing emails, malvertising, and SEO poisoning, Microsoft Teams vishing attacks have recently been observed by Trend Micro, Microsoft, and Rapid7, underscoring a shift in the adversary’s tactics as they test the effectiveness of new initial access vectors. To effectively combat the evolving threat landscape, organizations must prioritize a layered security approach.
Suggested Corrections:
IOCs are available here.
- Thoroughly vet third-party technical support providers. While legitimate third-party technical support services exist, organizations should ensure that any claims of vendor affiliation are directly verified before granting remote access to corporate systems. Cloud vetting processes should be established to evaluate and approve remote access tools, such as AnyDesk, by assessing their security compliance and the reputation of their vendors.
- Whitelist approved remote access tools and block any unverified applications. Organizations should integrate multi-factor authentication (MFA) on remote access tools to add an additional layer of protection by requiring multiple forms of verification before access is granted. This reduces the risk of malicious tools being used to gain control over internal machines.
- Provide employee training to raise awareness about social engineering tactics, phishing attempts, and the dangers of unsolicited support calls or pop-ups. Well-informed employees are less likely to fall victim to social engineering attacks, strengthening the organization’s overall security posture.
https://www.darkreading.com/cyberattacks-data-breaches/vishing-via-microsoft-teams-spreads-darkgate-rat
https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html