Technology | 7 Minutes Reading
Microsoft Teams Phishing Attack Pushes DarkGate Malware, Beware
Microsoft Teams is one of the most common business communication and collaboration tools. However, due to this widespread use, there is a new threat where a Microsoft Teams phishing attack pushes DarkGate malware into workstations. Thus putting the privacy and security of millions of users at risk.
This write-up is here to spread awareness about key aspects of the case. After which, readers will be able to deploy prevention tactics to stay safe from not only DarkGate but other threats as well. So let’s start with why MS Teams has become the new playground for hackers.
Reasons for Phishing Through Microsoft Teams
The root cause of MS Teams being a target can be reduced to a single word. Popularity. This is not surprising at all, as according to the latest earnings reports, Microsoft themselves claim.
“When it comes to Teams, usage continues to grow, with more than 320 million monthly active users making Teams the place to work across chat, collaboration, meetings, and calling.”
Among these hundreds of millions of users, not everyone is equally cyber-aware. Thus providing the attackers with a large pool of victims to target.
Other reasons stem from the high popularity itself. In a rush to keep Teams the industry leader, Microsoft keeps it on a monthly update cycle. Most of which is focused on new features. As a result, security might take a back seat, creating just the opening that nefarious entities were waiting for.
Traditionally, hackers used to rely on people clicking on the malicious links sent via email. However, with improvements in spam protection, greater user awareness, and a reduction in email communication, hackers moved elsewhere. Which are none other than communication software like Teams.
One key aspect is the broader level of unawareness among even the most ardent users of MS Teams. Especially when it comes to security. During the setup, admins may overlook loopholes that transform into Microsoft Teams malware deployment sites. These allow external agents to impersonate an organization member.
Microsoft Teams does not have separate storage. It interacts with other Microsoft services like SharePoint and OneDrive to keep user data. Due to this, there exist multiple entry points for malware to get into your systems.
Now that we have a clear-cut idea of why MS Teams is used let’s study the DarkGate malware itself.
DarkGate and Why it’s Used in Microsoft Teams Phishing Attack
DarkGate, also sometimes referred to as MehCrypter, is a type of Remote Access Trojan, or RAT for short. It is a part of the M-a-a-S(Malware as a Service) family that can be deployed into the system (which here is MS Teams) as an innocent-looking program.
What makes it more dangerous than other malware is that DarkGate no longer requires direct access to the Microsoft Teams source environment. Meaning even external agents can deploy it.
A hacker or a group of them targets Teams with DarkGate for the following reasons.
- Enterprise-grade hardware is expensive but is ideal for operations like crypto mining. As DarkGate has special provisions to take over a host and start crypto mining. Many experts believe this is the primary objective of the attack.
- Another reason could be to make the device part of a botnet. This digital sleeper cell can then be used to commit further attacks like DDOS.
- They may use it to encrypt critical files and demand payment for decryption as well.
If we look at the cyber security timeline it is not new. As DarkGate first made its rounds on some darknet forums around 2018. Since then it was mostly forgotten until its creator resurfaced in 2023 with a new and improved version.
This upgrade saw the addition of a host of features like a remote desktop, file manager, and reverse proxy. Which made it more than sufficient to break into the MS Teams fortress. So let’s look at what investigators think happened during the recent breach. Understanding how these attacks work is the first step in protecting yourself.
Modus Operandi of DarkGate Phishing via Microsoft Teams
- A threat actor sends a link containing a .zip file from an impersonated account.
- Upon extracting the zip file, a .LNK file with the same name is found.
- Executing the .LNK file triggers a batch script, which then executes a Visual Basic script.
- The Visual Basic script initially establishes a directory and copies curl.exe into it, utilizing a randomly generated filename.
- With the renamed curl executable, the script proceeds to download both the legitimate AutoIt script interpreter and a malicious AutoIt script from the IP address: 5[.]188[.]87[.]58.
- The malicious AutoIt script injects a payload into existing legitimate processes in memory, identified as DARKGATE.
- Following injection, the target process generates a distinct AutoIT script tailored to each host.
- Furthermore, the script establishes a shortcut in the user’s Start Menu, ensuring automatic execution of the script with each login, thereby ensuring persistence across user sessions.
However, DarkGate is not the only time when Microsoft Teams security vulnerabilities have been exploited. Look at some other examples that also match this method of phishing.
Some Other Microsoft Teams Malware Attacks
Ever since its inception, Teams as a piece of technology have been in the crosshairs of malicious actors. So here are a few other instances that prove this is not the first time that Microsoft Teams has faced such a threat.
As soon as the news broke that the Microsoft Teams phishing attack pushes DarkGate malware security experts experienced a deja vu moment. As it was eerily similar to the one used by Midnight Blizzard” (APT29) in August of 2023 for MFA token theft.
Another one in recent memory is when Microsoft identified a threat actor dubbed “Storm-0324”. Which used the aptly named TeamsPhisher tool to send phishing attachments. It, in turn, led to the installation of a JSSLOADER file on the target system.
To combat these, we need specific guidelines. Don’t worry as this is exactly what we provide next.
Steps to Stay Safe from Microsoft Teams Malware like DarkGate
The saying “Prevention is better than cure” fits perfectly in this situation. So here are the preventive measures that can be used to avoid such an attack.
Move Away from Teams: Although it sounds absurd, there is logical reasoning behind it. MS Teams has come under attack time and time again. So, from a security point of view, it is too risky to use. Therefore, if possible, users can temporarily shift to an alternative platform and return when the vulnerability is patched out. Users should know that even the QR codes they get in the Teams chat may be used for Quishing.
Turn Off the External Tenant Connection: This malware utilizes the external tenant request as a means to penetrate the systems’ defenses. Unless absolutely necessary, admins should keep the option disabled.
Schedule Regular User Training: Most user training focuses on the utilization of the latest feature. However, it is equally important to teach the users about the different security vulnerabilities. As we saw, even when a Microsoft Teams phishing attack pushes DarkGate malware, it does so with the help of an unaware user.
Setting up an aiSOC station: This is the latest means of defensive cybersecurity. It monitors all the traffic going in and out automatically and releases alerts if any discrepancies are found. The security team can then act on it before any major incident.
Apart from the obvious. Tactics like a red team and a blue team, where the former simulates potential attacks and the latter attempts to stop them. This in-house setup identifies the most probable attack vectors and prepares the organization for an actual attack.
In this write-up, we get to know how a Microsoft Teams phishing attack pushes DarkGate malware without even a hint of suspicion. We covered how both technological and human lapses result in such an attack. It is mentioned here that it’s not the first time that Microsoft Teams has faced such a threat.
There have been other instances. However, there are techniques to prevent this from happening in your organization. Use these and prepare a secure MS Teams environment. If you suspect that such an attack has affected your systems, you might need Microsoft Teams forensics to confirm.