Monday, July 15, 2024

Hackers Using Microsoft Teams to Deliver DarkGate Malware Via HR-themed Messages

Recent reports indicate that threat actors have been using Microsoft Teams to deliver DarkGate Loader malware.

The campaign originated from two compromised external Office 365 accounts identified to be “Akkaravit Tattamanas” ([email protected]) and “ABNER DAVID RIVERA ROJAS” ([email protected])

DarkGate loader malware was introduced in 2017 but was only being used by its original developer. However, in June 2023, the malware developer started to advertise it on several cybercrime forums as Malware-as-a-service (MaaS).

It was traditionally spread via email until one of the operators had other ideas and started to use Microsoft Teams to deliver the malware. The message context sent to the victims consisted of an HR-themed social engineering chat message.

Hackers Using Microsoft Teams

Further investigations revealed that the chat messages consisted of an externally hosted Sharepoint link, which contains a ZIP file under the name “Changes to the vacation”

Phishing message on Microsoft Teams (Source: Truesec)

Once the victims download this ZIP file, it consists of an LNK file (shortcut) disguised as a PDF document and has the name “Changes to the vacation schedule.pdf.lnk”.

LNK file (shortcut) disguised as a PDF file

Further analysis of the LNK file revealed that if opened, the file has several commands for a chain of execution, which will initially create a VBScript file with the name “asrxmp.vbs” in the C:\tpgh\ directory and execute it automatically.

Once the VBScript file gets executed, it downloads the file from the remote server hXXp:// 5[.]188[.]87[.]58:2351/wbzadczl and executes it. This execution leads to the use of the Windows version of cURL (renamed to wbza) for downloading and executing Autoit3.exe and the bundled script eszexz.au3. 

This AutoIT script drops another shellcode file and checks if Sophos is installed before executing it. If not, the AutoIT script deobfuscates its code further and launches the shellcode.

This final shellcode execution creates a file byte to byte to load a new Windows executable identified as the “DarkGate loader” malware.

A complete report has been published by Truesec, which provides detailed information about the deobfuscation, configuration analysis, and other information about this DarkGate loader malware.

“Unfortunately, current Microsoft Teams security features such as Safe Attachments or Safe Links were not able to detect or block this attack.” reads the post by Truesec. This campaign was detected due to the security awareness training of the recipients.

Organizations and IT administrators are recommended to implement some security features, including allowing Microsoft Teams chat requests from specific external domains and creating a whitelist of trusted domains.

It is also recommended that organizations train their employees in cyber security awareness, which can educate all the employees and prevent future attacks.

Indicators of Compromise

FilenameSHA256 Hash
Changes to the vacation schedule.zip0c59f568da43731e3212b6461978e960644be386212cc448a715dbf3f489d758
Changes to the vacation schedule.pdf.lnkbcd449470626f4f34a15be00812f850c5e032723e35776fb4b9be6c7be6c8913

Command & Control Server

  • hXXp://5[.]188[.]87[.]58:2351

Compromised Email Addresses

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.


Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles