18 December 2024

Threat actors use MS Teams vishing technique to deploy DarkGate malware


A threat actor has been observed leveraging a vishing (voice phishing) technique involving Microsoft Teams to distribute the DarkGate malware, gaining unauthorized remote access to the victim’s computer network.

As per cybersecurity firm Trend Micro, the attacker initiated contact with the victim by impersonating an employee of a known client during a Microsoft Teams call and convinced the victim to download the remote desktop application AnyDesk, which facilitated the deployment of the DarkGate malware.

According to Trend Micro, the victim first received several thousand emails, potentially to overwhelm and distract them. The attacker posed as an external supplier during a Teams call, using social engineering to build trust and manipulate the victim.

Initially, the threat actor instructed the victim to download the Microsoft Remote Support application. After the download failed due to installation issues, the attacker directed the victim to download AnyDesk through a web browser and then manipulated the victim into entering credentials into the AnyDesk application, enabling remote access.

Once the AnyDesk tool was installed, the attacker executed several commands to start AnyDesk as a local service with elevated privileges.

The command-line tool cmd.exe invoked rundll32.exe to load a malicious DLL file named SafeStore.dll. A login form prompted for credentials, but even without user input, malicious processes began executing in the background to gather system information and establish control.

The executable file SystemCert.exe was used to create script.a3x and AutoIt3.exe, which evaded detection and loaded the DarkGate script into memory.

AutoIt3.exe injected a process into MicrosoftEdgeUpdateCore.exe, which then connected to a command-and-control (C2) server. A PowerShell command executed the final DarkGate payload, solidifying the attacker’s control over the system.
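As an added illustration (not from the article or from Trend Micro), the following Python triage routine checks constructed process-creation events for the stages of the chain described above: AnyDesk installed from cmd.exe, rundll32.exe loading SafeStore.dll, AutoIt3.exe running an .a3x script, MicrosoftEdgeUpdateCore.exe started by an unexpected parent, and PowerShell spawned from it. The event field names, the AnyDesk command-line flags, the DLL export name and all file paths are assumptions.

```python
"""Process-creation triage for the AnyDesk -> rundll32 -> AutoIt3 -> EdgeUpdateCore
-> PowerShell chain. Events mimic Sysmon Event ID 1 fields; they are hand-written."""
import ntpath

def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()

# One predicate per chain stage; assumptions from the article, not vendor content.
RULES = {
    "anydesk_service_install": lambda e: base(e["parent"]) == "cmd.exe"
        and base(e["image"]) == "anydesk.exe" and "--install" in e["cmdline"].lower(),
    "rundll32_safestore_dll": lambda e: base(e["image"]) == "rundll32.exe"
        and "safestore.dll" in e["cmdline"].lower(),
    "autoit3_compiled_script": lambda e: base(e["image"]) == "autoit3.exe"
        and e["cmdline"].lower().endswith(".a3x"),
    # EdgeUpdateCore is normally started by MicrosoftEdgeUpdate.exe; another
    # parent (here AutoIt3.exe) points to a hollowed/injected host process.
    "edgeupdatecore_odd_parent": lambda e: base(e["image"]) == "microsoftedgeupdatecore.exe"
        and base(e["parent"]) != "microsoftedgeupdate.exe",
    "edgeupdatecore_spawns_powershell": lambda e: base(e["image"]) == "powershell.exe"
        and base(e["parent"]) == "microsoftedgeupdatecore.exe",
}

def triage(events):
    """Return the set of chain stages observed in the event list."""
    return {name for e in events for name, rule in RULES.items() if rule(e)}

def verdict(events, min_stages=3):
    """Several stages on one host -> isolate; a lone stage (e.g. a legitimate
    AnyDesk install) -> analyst review; nothing matched -> clean."""
    stages = triage(events)
    return "isolate" if len(stages) >= min_stages else "review" if stages else "clean"

EDGE, TMP = r"C:\Program Files (x86)\Microsoft\EdgeUpdate", r"C:\Users\u\AppData\Local\Temp"
# Constructed sample: one benign Edge update, then the intrusion chain.
SAMPLE = [
    {"parent": EDGE + r"\MicrosoftEdgeUpdate.exe", "image": EDGE + r"\MicrosoftEdgeUpdateCore.exe",
     "cmdline": "MicrosoftEdgeUpdateCore.exe /update"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Users\u\Downloads\AnyDesk.exe",
     "cmdline": r'AnyDesk.exe --install "C:\Program Files\AnyDesk" --start-with-win'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe " + TMP + r"\SafeStore.dll,Run"},  # export name is a placeholder
    {"parent": TMP + r"\SystemCert.exe", "image": TMP + r"\AutoIt3.exe",
     "cmdline": "AutoIt3.exe " + TMP + r"\script.a3x"},
    {"parent": TMP + r"\AutoIt3.exe", "image": EDGE + r"\MicrosoftEdgeUpdateCore.exe",
     "cmdline": "MicrosoftEdgeUpdateCore.exe"},
    {"parent": EDGE + r"\MicrosoftEdgeUpdateCore.exe", "cmdline": "powershell.exe -w hidden -c <payload>",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
```

Thresholding on the number of distinct stages rather than alerting per rule keeps a legitimate AnyDesk rollout or a normal Edge update from paging the on-call analyst.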

DarkGate is a highly sophisticated malware variant designed to steal sensitive data, execute unauthorized commands, collect system information, and maintain persistence through file and registry modifications.

By leveraging an AutoIt script, the malware employed advanced evasion techniques to remain undetected while connecting to a C2 server for further instructions.
