A threat actor has been observed using a vishing (voice phishing) technique involving Microsoft Teams to distribute the DarkGate malware, gaining unauthorized remote access to the victim’s computer network.
According to cybersecurity firm Trend Micro, the attacker initiated contact with the victim by impersonating an employee of a known client during a Microsoft Teams call and convinced the victim to download the remote desktop application AnyDesk, which facilitated the deployment of the DarkGate malware.
Trend Micro reports that the victim first received several thousand emails, potentially to overwhelm and distract them. The attacker then posed as an external supplier during a Teams call, using social engineering to build trust and manipulate the victim.
Initially, the threat actor instructed the victim to download the Microsoft Remote Support application. After the download failed due to installation issues, the attacker directed the victim to download AnyDesk through a web browser and then manipulated the victim into entering credentials into the AnyDesk application, enabling remote access.
Once the AnyDesk tool was installed, the attacker executed several commands to start AnyDesk as a local service with elevated privileges.
The command-line tool cmd.exe invoked rundll32.exe to load a malicious DLL file named SafeStore.dll. A login form prompted for credentials, but even without user input, malicious processes began executing in the background to gather system information and establish control.
The executable file SystemCert.exe was used to create script.a3x and AutoIt3.exe, which evaded detection and loaded the DarkGate script into memory.
AutoIt3.exe injected a process into MicrosoftEdgeUpdateCore.exe, which then connected to a command-and-control (C2) server. A PowerShell command executed the final DarkGate payload, solidifying the attacker’s control over the system.
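The process chain above (cmd.exe invoking rundll32.exe with a dropped DLL, SystemCert.exe writing script.a3x and AutoIt3.exe, AutoIt3.exe hosting MicrosoftEdgeUpdateCore.exe, and PowerShell launched from that process) lends itself to a simple lineage-based detection. The following is an added example, not code from the article or from Trend Micro: it replays constructed process-creation records and flags each stage. The event field names (parent, image, cmdline), the file paths, and the benign-parent assumption for MicrosoftEdgeUpdateCore.exe are assumptions for illustration, not facts from the report.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record. Field names are an assumption, not a real SIEM schema."""
    parent: str
    image: str
    cmdline: str


# Constructed sample events modelled on the chain described in the article.
# Paths and command lines are made up for the example; only the image names come from the report.
SAMPLE_EVENTS = [
    ProcEvent("msedge.exe", "AnyDesk.exe", "AnyDesk.exe"),
    ProcEvent("AnyDesk.exe", "cmd.exe", "cmd.exe /c rundll32.exe C:\\Users\\Public\\SafeStore.dll,Entry"),
    ProcEvent("cmd.exe", "rundll32.exe", "rundll32.exe C:\\Users\\Public\\SafeStore.dll,Entry"),
    ProcEvent("rundll32.exe", "SystemCert.exe", "SystemCert.exe"),
    ProcEvent("SystemCert.exe", "AutoIt3.exe", "AutoIt3.exe C:\\Users\\Public\\script.a3x"),
    ProcEvent("AutoIt3.exe", "MicrosoftEdgeUpdateCore.exe", "MicrosoftEdgeUpdateCore.exe"),
    ProcEvent("MicrosoftEdgeUpdateCore.exe", "powershell.exe", "powershell.exe -Command PLACEHOLDER_STAGE"),
    ProcEvent("explorer.exe", "notepad.exe", "notepad.exe"),  # benign noise
]

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
REMOTE_TOOLS = {"anydesk.exe"}
# User-writable locations where a legitimately installed DLL is not expected (assumed list).
USER_WRITABLE = re.compile(r"\\(users\\public|appdata|temp)\\", re.IGNORECASE)


def browser_spawned_remote_tool(e: ProcEvent) -> bool:
    """Remote-access tool launched directly from a browser download."""
    return e.parent.lower() in BROWSERS and e.image.lower() in REMOTE_TOOLS


def rundll32_user_writable_dll(e: ProcEvent) -> bool:
    """rundll32.exe loading a DLL from a user-writable directory."""
    cmd = e.cmdline.lower()
    return e.image.lower() == "rundll32.exe" and ".dll" in cmd and bool(USER_WRITABLE.search(e.cmdline))


def autoit_compiled_script(e: ProcEvent) -> bool:
    """AutoIt interpreter executing a compiled .a3x script."""
    return e.image.lower() == "autoit3.exe" and ".a3x" in e.cmdline.lower()


def edge_updater_unexpected_parent(e: ProcEvent) -> bool:
    """MicrosoftEdgeUpdateCore.exe started by something other than the Edge updater (assumed normal parent)."""
    return e.image.lower() == "microsoftedgeupdatecore.exe" and e.parent.lower() != "microsoftedgeupdate.exe"


def powershell_from_edge_updater(e: ProcEvent) -> bool:
    """PowerShell spawned from the Edge updater process, which has no reason to run scripts."""
    return e.image.lower() == "powershell.exe" and e.parent.lower() == "microsoftedgeupdatecore.exe"


RULES = [
    ("browser_spawned_remote_tool", browser_spawned_remote_tool),
    ("rundll32_user_writable_dll", rundll32_user_writable_dll),
    ("autoit_compiled_script", autoit_compiled_script),
    ("edge_updater_unexpected_parent", edge_updater_unexpected_parent),
    ("powershell_from_edge_updater", powershell_from_edge_updater),
]


def detect(events):
    """Return (rule name, image) for every event that matches a rule."""
    hits = []
    for e in events:
        for name, rule in RULES:
            if rule(e):
                hits.append((name, e.image))
    return hits


def chain_score(events) -> int:
    """Number of distinct stages seen; three or more is treated as a likely DarkGate-style chain."""
    return len({name for name, _ in detect(events)})


if __name__ == "__main__":
    for name, image in detect(SAMPLE_EVENTS):
        print(f"{name:32} {image}")
    print("distinct stages:", chain_score(SAMPLE_EVENTS))
```

Each rule alone would be noisy in a large estate (AutoIt is used legitimately, and rundll32 loads many DLLs), so the value lies in counting distinct stages on the same host within a short window; the score function is the place to add that time and host correlation against real telemetry.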
DarkGate is a highly sophisticated malware variant designed to steal sensitive data, execute unauthorized commands, collect system information, and maintain persistence through file and registry modifications.
By leveraging an AutoIt script, the malware employed advanced evasion techniques to remain undetected while connecting to a C2 server for further instructions.