Attackers keep finding new delivery channels for old tricks. A recent report from AT&T Cybersecurity describes a phishing campaign that targets Microsoft Teams users through group chats rather than email. The goal is to get unsuspecting victims to download a malicious attachment that installs DarkGate malware, giving the operators a foothold inside the organization's network.
The Attack Strategy:
According to AT&T Cybersecurity research, the attackers behind this campaign use compromised Teams user accounts or domains to send out over 1,000 malicious Teams group chat invites. Once a target accepts the chat request, they are tricked into downloading a file with a double extension named “Navigating Future Changes October 2023.pdf.msi,” a common DarkGate tactic. Because Windows hides known file extensions by default, the file appears to the victim as a PDF, while it is actually a Windows Installer (MSI) package that runs when opened.
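The double-extension lure is easy to check for mechanically. The following PowerShell is an added example, not code from the original article or from AT&T Cybersecurity's research: it flags file names whose real (last) extension is an installer or script while the extension just before it looks like a document, and reports what Explorer would display with "Hide extensions for known file types" switched on. Apart from the file name from the report, the sample list is constructed for the demo, and the two extension lists are a starting point rather than a complete catalogue.

```powershell
# Added example: detect double-extension lures such as "<name>.pdf.msi".
# Extension lists are assumptions chosen for the demo; extend them for your environment.
$DocumentLikeExtensions = @('pdf','doc','docx','xls','xlsx','ppt','pptx','txt','jpg','png')
$ExecutableExtensions   = @('msi','exe','scr','vbs','vbe','js','jse','wsf','hta','lnk','bat','cmd','ps1')

function Test-DoubleExtensionLure {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$FileName)

    $parts = $FileName.Trim().Split('.')
    # A lure needs at least "<name>.<document-like>.<executable>"
    if ($parts.Count -lt 3) { return $null }

    $outer = $parts[-1].ToLowerInvariant()   # the extension Windows actually honours
    $inner = $parts[-2].ToLowerInvariant()   # the extension the victim is meant to see

    if (($ExecutableExtensions -contains $outer) -and ($DocumentLikeExtensions -contains $inner)) {
        [pscustomobject]@{
            FileName      = $FileName
            RealExtension = $outer
            # What Explorer shows when known extensions are hidden (the default setting)
            DisplayedAs   = ($parts[0..($parts.Count - 2)] -join '.')
            Suspicious    = $true
        }
    }
}

# Constructed sample input; only the first name comes from the AT&T Cybersecurity report.
$sampleFileNames = @(
    'Navigating Future Changes October 2023.pdf.msi',
    'Q4 Budget.xlsx',
    'invoice_4471.pdf.exe',
    'setup.msi',
    'report.final.docx'
)

# Only the first and third names are flagged; the others have a single or a harmless extension.
$sampleFileNames | ForEach-Object { Test-DoubleExtensionLure -FileName $_ } | Format-Table -AutoSize
```

The same function can be run over attachment names pulled from Teams or mail-gateway logs; pairing it with a rule that blocks MSI and script attachments from external chats covers the delivery method used here without depending on any particular file name.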
The DarkGate Malware:
DarkGate is a malware family that, once installed, establishes communication with a command-and-control server, in this campaign at hgfdytrywq[.]com. Palo Alto Networks has already confirmed this server as part of the DarkGate infrastructure. With the implant running, the threat actors have remote access to the victim's system and can carry out further malicious activities from it.
Microsoft Teams as an Attractive Target:
With roughly 280 million monthly users, Microsoft Teams is an attractive target for cybercriminals. DarkGate operators take advantage of this by pushing their malware through Teams, specifically targeting organizations whose administrators have not disabled the External Access setting. This setting is enabled by default and allows Teams users in other tenants to message users within your organization, which is exactly what the attackers need in order to reach their victims.
Similar Campaigns and Exploits:
This is not the first time DarkGate has been distributed through Microsoft platforms. Last year, compromised Office 365 and Skype accounts were used to send messages with VBA loader script attachments that delivered the malware. Separately, cybercriminals, including the Russian state-backed APT29 group, have exploited a security issue in Microsoft Teams to breach corporate networks.
The Rise of DarkGate Malware Attacks:
DarkGate has gained popularity among cybercriminals as an initial access tool for infiltrating corporate networks. Since the Qakbot botnet was disrupted in August 2023, reported DarkGate infections have surged. DarkGate offers a range of capabilities, including evading Windows Defender, stealing browser history, acting as a reverse proxy, managing files, and stealing Discord tokens.
Protecting Against DarkGate and Similar Attacks:
To mitigate the risk posed by DarkGate and phishing attacks that abuse Microsoft Teams, organizations are advised to disable External Access unless it is absolutely necessary for daily business operations, or at least to restrict it to an allow list of partner domains rather than leaving it open to every tenant. Note that an allow list limits exposure but does not remove it, since this campaign used compromised accounts and domains, and a trusted partner's tenant can be compromised too. Additionally, end users should be trained to treat unsolicited chat messages with the same suspicion as unsolicited email, and to understand that phishing can arrive through any messaging channel, not just the inbox.
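The External Access setting described above is managed through the MicrosoftTeams PowerShell module. The script below is an added example and not part of the original article: it first reads the current (default, open) federation configuration, then shows the two hardened alternatives side by side, switching External Access off entirely or keeping it on but limited to an allow list. The domain `partner.example` is a placeholder for a domain your organization genuinely needs to federate with.

```powershell
# Added example: audit and tighten Teams External Access (tenant federation).
# Requires the MicrosoftTeams module and a Teams administrator account.
Connect-MicrosoftTeams

# 1. Audit the current state. On an untouched tenant AllowFederatedUsers is $true and
#    AllowedDomains is empty, meaning any external Microsoft 365 tenant can message your users.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers

# Run either step 2a or step 2b, not both.

# 2a. Strictest option, matching the article's advice where federation is not needed:
#     turn External Access off, and also block chat from personal (consumer) Teams and Skype accounts.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
    -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false -AllowPublicUsers $false

# 2b. If some partners must stay reachable, keep federation on but replace the default
#     "all domains" with an explicit allow list. 'partner.example' is an assumed placeholder.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @{ Add = 'partner.example' } `
    -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false -AllowPublicUsers $false

# 3. Verify that the change took effect before closing the ticket.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound
```

Tenant-wide federation settings can take a short while to propagate to clients, so re-run step 3 and test from an external tenant before treating the change as complete. If step 2b is used, review the allow list periodically and remove partners that no longer need chat access.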
The growing number of phishing attacks aimed at Microsoft Teams users, and the delivery of DarkGate malware through group chats in particular, shows that collaboration platforms deserve the same controls as email. Organizations and individuals should tighten tenant settings, apply security best practices, and stay informed about current threats. Keeping security measures and user awareness up to date is central to reducing the risk of such attacks and safeguarding sensitive information.
Sergiu Gatlan. (January 30, 2024). “Microsoft Teams phishing pushes DarkGate malware via group chats.” BleepingComputer.