December 13, 2024 at 03:04AM
Trend Micro researchers analysed a social engineering attack in which an attacker impersonated a client during a Microsoft Teams call. The victim was talked into downloading AnyDesk, which gave the attacker remote access and was then used to install DarkGate malware. The attack was stopped before any data was exfiltrated, but it shows how a single convincing call can turn a user into the initial access vector when remote access tools can be installed on request.
**Meeting Takeaways: Trend Micro DarkGate Malware Incident Analysis**
1. **Incident Overview:**
– An attacker impersonated a client over Microsoft Teams and used social engineering to convince a user to download AnyDesk, gaining remote access to the user's system.
– An initial attempt to get the user to install the Microsoft Remote Support application failed; the attacker then directed the user to download AnyDesk, which succeeded.
– Through the AnyDesk session, malicious files including Trojan.AutoIt.DARKGATE.D were executed, and the host established a connection to a command-and-control (C&C) server.
2. **Execution and Discovery:**
– AnyDesk was run as a service, after which the attacker executed further commands to gather system information (discovery).
– The attacker used a DLL side-loading technique involving SafeStore.dll, which allowed additional malware to execute under the cover of a legitimate process.
3. **Persistence and Command and Control:**
– The attacker created files and registry entries for persistence to keep access to the host; the intrusion was contained before any data was exfiltrated.
– Autoit3.exe was used to execute and inject the DarkGate AutoIt scripts and to connect to the C&C server (IP: 179.60.149.194) for further instructions.
4. **Best Practice Recommendations:**
– Vet third-party support providers and verify claims of vendor affiliations before granting remote access.
– Allowlist (whitelist) the remote access tools the organisation has approved, block all others, and require multi-factor authentication (MFA) for remote access.
– Conduct employee training on social engineering tactics, phishing, and handling unsolicited support interactions.
– Consider implementing a layered security approach, utilizing solutions like Trend Micro Apex One™ and Trend Micro Vision One™ for comprehensive detection and response to cyber threats.
5. **Threat Intelligence and Hunting Recommendations:**
– Use Trend Micro Vision One’s Threat Insights for proactive threat management and to stay informed about emerging threats and actor tactics.
– Run hunting queries that surface Autoit3.exe process executions and the AutoIt scripts they load, since DarkGate depends on the AutoIt interpreter; pay particular attention to executions launched from user-writable paths or by a remote access tool.
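The hunting idea above, expressed as an added example (this is not Trend Micro's Vision One query, and the telemetry format is an assumption): a small script that runs over process-creation and network-connection events exported as JSON lines, in the style of Sysmon or EDR telemetry. It flags Autoit3.exe running from untrusted locations or loading a compiled .a3x script, AutoIt spawned by a remote access tool, an unapproved remote access tool, and connections to the C&C IP named in the report. The sample events are constructed for the illustration; only the IP 179.60.149.194 comes from the incident summary, and the field names, the "approved tools" set and the trusted-directory heuristic are assumptions.

```python
"""Hunt for DarkGate-style AutoIt activity in process telemetry.

Added example, not Trend Micro's own query. Field names (type, image,
parent, cmdline, dest), the sample events and the heuristics are
assumptions for illustration; 179.60.149.194 is the C&C IP from the report.
"""
import json
import ntpath

C2_IPS = {"179.60.149.194"}            # C&C address named in the incident summary
AUTOIT_NAMES = {"autoit3.exe"}         # interpreter that DarkGate abuses
REMOTE_TOOLS = {"anydesk.exe"}         # remote access tool the victim was told to install
APPROVED_REMOTE_TOOLS = set()          # assumption: this org has approved none of them
# assumption: legitimately installed software lives under Program Files
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample telemetry, one JSON event per line (not real logs).
SAMPLE_EVENTS = r"""
{"type": "ProcessCreate", "image": "C:\\Users\\u\\Downloads\\AnyDesk.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "AnyDesk.exe --service"}
{"type": "ProcessCreate", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\Autoit3.exe", "parent": "C:\\Users\\u\\Downloads\\AnyDesk.exe", "cmdline": "Autoit3.exe script.a3x"}
{"type": "NetworkConnect", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\Autoit3.exe", "dest": "179.60.149.194", "port": 443}
{"type": "ProcessCreate", "image": "C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "AutoIt3.exe build.au3"}
{"type": "NetworkConnect", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dest": "93.184.216.34", "port": 443}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def check_event(ev: dict) -> list:
    """Return the names of every hunting rule the event matches (empty list if benign)."""
    hits = []
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent", ""))
    cmd = ev.get("cmdline", "").lower()

    if ev.get("type") == "ProcessCreate":
        if image in AUTOIT_NAMES:
            # DarkGate drops its own interpreter copy plus a compiled .a3x script;
            # a developer's AutoIt3 under Program Files running .au3 files is not flagged.
            if ".a3x" in cmd or not in_trusted_dir(ev.get("image", "")):
                hits.append("autoit_unusual_location_or_compiled_script")
            if parent in REMOTE_TOOLS:
                hits.append("autoit_spawned_by_remote_access_tool")
        if image in REMOTE_TOOLS and image not in APPROVED_REMOTE_TOOLS:
            hits.append("unapproved_remote_access_tool")
    elif ev.get("type") == "NetworkConnect":
        if ev.get("dest") in C2_IPS:
            hits.append("known_darkgate_c2_ip")
    return hits


def hunt(events_text: str) -> list:
    """Parse JSON-lines telemetry and return one finding dict per rule hit, in event order."""
    findings = []
    for line in events_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in check_event(ev):
            findings.append({
                "rule": rule,
                "image": ev.get("image"),
                "parent": ev.get("parent"),
                "dest": ev.get("dest"),
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] image={f['image']} parent={f['parent']} dest={f['dest']}")
```

Tuning note: the trusted-directory and "no approved tools" assumptions are the parts to adapt to a real estate; the rule that keys on Autoit3.exe being spawned by a remote access tool is the most specific to this incident chain and the least likely to fire on legitimate AutoIt use.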
6. **Indicators of Compromise (IOCs):**
– SHA256 hashes for the malicious files and related components were published; match them against file telemetry and endpoint scans to identify affected systems.
**Conclusion:** The incident underscores the risks associated with social engineering tactics, particularly through platforms like Microsoft Teams, and reinforces the need for comprehensive security measures and employee awareness to prevent similar attacks.