Specialists of Truesec have recently discovered a new phishing campaign that utilizes the corporate Microsoft Teams Messenger to distribute malicious files. The attackers behind this campaign are using it to activate the installation of the Darkgate Loader on their victims’ systems.
The attack initially involved two compromised Office 365 accounts that sent phishing messages to employees of various organizations via Microsoft Teams. The messages contained a ZIP file attachment named “Changes in the vacation schedule” and encouraged recipients to open it. Once the attachment was clicked, a ZIP file was downloaded from SharePoint, containing an LNK file that was disguised as a PDF document.
Upon inspection, the LNK file was found to contain a VBScript that triggers the installation of the DarkGate Loader malware. To evade detection by antivirus systems, the loading process uses the curl utility shipped with Windows to retrieve the executables and malicious scripts. The resulting script is pre-compiled and conceals the malicious code behind the “magic bytes” associated with AutoIt scripts.
Before activation, the script checks whether Sophos antivirus is present on the victim’s computer. If it is absent, the script decrypts additional code and executes shellcode that builds the DarkGate executable directly in the computer’s RAM. This enables DarkGate to carry out a range of harmful actions, including remote access through hidden VNC (HVNC), cryptocurrency mining, a reverse shell, keylogging, clipboard capture, and theft of information such as files and browser data.
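The first stage of the chain described above is a ZIP from SharePoint holding an LNK file named to look like a PDF. As an added defender-side example (not code from Truesec or the original report), the following Python inspects an archive for shell links masquerading as documents, both by the double extension and by the shell-link header, so a renamed file is still caught. The sample archive and file names are constructed for this example.

```python
import io
import zipfile

# Shell link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def inspect_zip(data: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a shell link
    posing as a document. Explorer never displays the .lnk extension, so
    'x.pdf.lnk' is shown to the user as 'x.pdf'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            has_lnk_header = head.startswith(LNK_MAGIC)
            reasons = []
            if name.endswith(".lnk") and name[:-4].endswith(DOCUMENT_EXTS):
                reasons.append("document-style name with hidden .lnk extension")
            if has_lnk_header and not name.endswith(".lnk"):
                reasons.append("shell link header under a non-.lnk name")
            elif has_lnk_header:
                reasons.append("shell link header")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for the 'vacation schedule' ZIP: a shell link named
    like a PDF, a shell link renamed to .pdf, and a benign text file. The link
    bodies are just a header padded with zeros, not real shortcuts."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Changes in the vacation schedule.pdf.lnk", fake_lnk)
        zf.writestr("report.pdf", fake_lnk)
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_archive()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```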
While DarkGate has not yet become a widespread threat, its expanding reach and multiple infection methods make it a threat that warrants close monitoring. So far, Microsoft has not taken any measures to eliminate this threat, merely offering recommendations to administrators on strengthening their security settings.
In June, security researchers discovered a new malspam phishing campaign in which DarkGate infected victims’ systems. Telekom Security experts believe that the recent surge in DarkGate activity may be due to the developer’s decision to rent it exclusively to a select group of affiliates. The prices for DarkGate subscriptions range from $1000 per day to $100,000 per year.