Microsoft Teams users targeted by phishing attack distributing DarkGate malware
A new phishing campaign leveraging an easily exploitable glitch in Microsoft Teams to deliver malware has been reported by researchers.
Delivering malware to Microsoft Teams users
Late last month, Truesec researchers spotted two compromised Microsoft 365 accounts sending HR-themed messages with a malicious attachment to corporate targets.
Both messages were the same: they claimed that due to unforeseen circumstances, changes had been made to the holiday schedule and the recipient might be affected.
The phishing message. (Source: Truesec)
The attachment – Holiday Calendar Changes.zip – is downloaded from a SharePoint site and, once opened, ultimately leads to the execution of an AutoIT script that launches shellcode to load the DarkGate Loader Windows executable.
The DarkGate Loader has been around since 2017. Initially used only by the developer, it recently became available to a limited number of affiliates.
The loader also has other features, including: cryptocurrency mining, browser history and cookie theft, remote access and control, and much more.
Phishing via Microsoft Teams is not new
As previously reported, Jumpsec researchers recently discovered a bug in Microsoft Teams that could allow bad actors to deliver malware to employee inboxes, bypassing client-side security controls that prohibit external tenants (users M365 outside the organization) to send files to employees. .
This avenue of attack was soon after made even easier with the release of a tool that automates the process – and cybercriminals and other attackers took note.
“Unfortunately, current Microsoft Teams security features such as secure attachments or secure links were unable to detect or block this attack,” Jakob Nordenlund, senior cybersecurity consultant at Truesec. concluded.
“Currently, the only way to prevent this attack vector within Microsoft Teams is to only allow Microsoft Teams chat requests from specific external domains, although this may have business implications since all Trusted external domains must be whitelisted by an IT administrator. »
