January 30, 2024 at 12:47PM
A recent phishing campaign abuses Microsoft Teams group chat requests to deliver DarkGate malware through a deceptive file attachment. The attackers rely on Teams External Access, which allows messages from external tenants by default, and use a double file extension so the payload looks like a PDF to the victim. Organizations are advised to disable External Access where it is not needed and to train users to recognize phishing that arrives outside email.
Key takeaways from the report:
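The lure in this campaign depends on a double extension: Windows hides the last extension of known file types by default, so "Navigating Future Changes October 2023.pdf.msi" is displayed as a PDF while double-clicking it hands the file to Windows Installer. The following PowerShell function is an added example, not code from the original article, that flags attachment names shaped like this lure. The extension lists and the sample file names are assumptions constructed for the example; the first sample is the file name reported in the campaign.

```powershell
# Added example: flag file names that pair a document-looking extension with a
# final executable extension, e.g. "report.pdf.msi". Extension lists are assumed.

$DocumentLikeExtensions = @('pdf','doc','docx','xls','xlsx','ppt','pptx','txt','jpg','png','zip')
$ExecutableExtensions   = @('msi','exe','scr','js','jse','vbs','vbe','wsf','hta','bat','cmd','ps1','lnk')

function Test-DoubleExtensionLure {
    param([Parameter(Mandatory)][string]$FileName)

    # Split on every dot: "a.pdf.msi" -> a, pdf, msi. A genuine double extension
    # needs a base name plus at least two extensions.
    $parts = $FileName.Split('.')
    if ($parts.Count -lt 3) { return $false }

    $last   = $parts[-1].ToLowerInvariant()   # what actually runs
    $second = $parts[-2].ToLowerInvariant()   # what the user is shown

    return ($ExecutableExtensions -contains $last) -and ($DocumentLikeExtensions -contains $second)
}

# Constructed sample names (the first is the lure name reported in the campaign).
$samples = @(
    'Navigating Future Changes October 2023.pdf.msi',
    'Q4 Budget.xlsx',
    'invoice.2023.pdf',
    'photo.jpg.scr'
)

foreach ($name in $samples) {
    $flag = if (Test-DoubleExtensionLure -FileName $name) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-11} {1}' -f $flag, $name
}
```

"invoice.2023.pdf" is not flagged because its final extension is a document type; only names whose final extension executes are treated as lures. The check is deliberately name-based so it can run over a list of attachment names exported from audit logs or a file share, without opening the files.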
– New phishing attacks are abusing Microsoft Teams group chat requests to push malicious attachments that install DarkGate malware payloads on victims’ systems.
– The attackers used a compromised Teams user to send over 1,000 malicious Teams group chat invites. After a target accepts the chat request, they are tricked into downloading a file with a double extension, ‘Navigating Future Changes October 2023.pdf.msi’, which appears to be a PDF when Windows hides known file extensions but is actually a Windows Installer package.
– Once installed, the malware reaches out to its command-and-control server at hgfdytrywq[.]com, which Palo Alto Networks has already confirmed as part of DarkGate malware infrastructure.
– It is advisable for most companies to disable External Access in Microsoft Teams unless absolutely necessary for daily business use, as email is generally a more secure and closely monitored communication channel.
– AT&T Cybersecurity network security engineer Peter Boyle warned that end users should be trained to pay attention to where unsolicited messages are coming from and be reminded that phishing can take many forms beyond the typical email.
– Microsoft Teams has become an attractive target for threat actors because of its pool of 280 million monthly users, and DarkGate operators capitalize on this by pushing their malware through Teams in attacks on organizations whose admins have not secured their tenants by disabling the External Access setting.
– Similar campaigns were observed last year pushing DarkGate malware via compromised external Office 365 accounts and Skype accounts that sent messages containing VBA loader script attachments.
– Initial access brokers like Storm-0324 have also used Microsoft Teams for phishing to breach corporate networks with the help of a publicly available tool called TeamsPhisher that exploits a security issue in Microsoft Teams.
– APT29, a hacking division of Russia’s Foreign Intelligence Service (SVR), also exploited the same issue to target dozens of organizations worldwide, including government agencies.
– After the disruption of the Qakbot botnet, cybercriminals have increasingly turned to the DarkGate malware loader as their preferred means of initial access to corporate networks.
– DarkGate’s developer announced its capabilities, including a concealed VNC, tools to bypass Windows Defender, a browser history theft tool, an integrated reverse proxy, a file manager, and a Discord token stealer, leading to a surge in reported DarkGate infections.
– Cybercriminals are employing various delivery methods for DarkGate malware, including phishing and malvertising.
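The mitigation the report recommends, disabling External Access or limiting it to known partner domains, is configured tenant-wide through the MicrosoftTeams PowerShell module. The script below is an added example, not from the original article or from Microsoft. It first audits the current federation settings, then applies one of two postures selected by the `$Mode` variable; the partner domain names are placeholders to replace with your own.

```powershell
# Added example: audit and harden Teams External Access with the MicrosoftTeams module.
# Requires a Teams administrator account. $Mode and the partner domains are assumptions.

Connect-MicrosoftTeams

# Audit: what does the tenant currently allow?
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                AllowPublicUsers, AllowedDomains, BlockedDomains

$Mode = 'Disable'   # 'Disable' or 'AllowList'

switch ($Mode) {
    'Disable' {
        # Refuse chats and group chat invites from other Microsoft 365 tenants,
        # Teams personal accounts and Skype users. This is the report's advice when
        # there is no daily business need for external chat.
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                            -AllowTeamsConsumer $false `
                                            -AllowTeamsConsumerInbound $false `
                                            -AllowPublicUsers $false
    }
    'AllowList' {
        # Keep federation, but only with an explicit list of partner tenants, so an
        # arbitrary compromised tenant cannot open a chat with your users.
        $patterns = @(
            (New-CsEdgeDomainPattern -Domain 'partner-one.example'),   # placeholder
            (New-CsEdgeDomainPattern -Domain 'partner-two.example')    # placeholder
        )
        $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                            -AllowedDomains $allowList `
                                            -AllowTeamsConsumer $false `
                                            -AllowTeamsConsumerInbound $false `
                                            -AllowPublicUsers $false
    }
}

# Verify the change took effect.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowTeamsConsumer, AllowPublicUsers, AllowedDomains
```

Disabling federation stops the group chat invite described in the report at the door; the allow-list posture is the middle ground for tenants that must chat with a fixed set of partners. Neither setting substitutes for user training, since a partner tenant on the allow list can itself be compromised, which is exactly how the reported campaign's invites were sent.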