Trend Micro has revealed a new vector for cyberattacks: voice phishing (vishing) conducted via Microsoft Teams. This tactic was recently employed to distribute DarkGate malware, a sophisticated threat capable of remote access, data collection, and command-and-control operations.
The Trend Micro Managed Detection and Response (MDR) team analyzed the incident, uncovering how attackers leveraged vishing to manipulate a user into installing remote access software, ultimately deploying DarkGate malware.
The attack unfolded in several key stages:
- Social Engineering via Microsoft Teams: The attacker impersonated a legitimate client during a Teams call. Before the call, the victim had been inundated with thousands of phishing emails, which created a pretext of urgency. After an attempt to install Microsoft Remote Support via the Microsoft Store failed, the attacker instructed the victim to install AnyDesk, a remote access tool, instead.
- Remote Access and Malware Deployment:
  - Once AnyDesk was installed, the attacker gained access to the system and dropped a series of suspicious files, including the Trojan.AutoIt.DARKGATE.D payload.
  - An AutoIt script executed commands to connect to a command-and-control (C&C) server and deploy additional malicious payloads.
- Persistence and Evasion: DarkGate created multiple persistent files and registry entries to evade detection. The malware used DLL side-loading techniques to disguise its malicious activities, and further injected itself into legitimate processes like MicrosoftEdgeUpdateCore.exe.
Trend Micro notes: “The execution flow then loads other types of malware into memory to carry out subsequent stages of the attack.”
DarkGate, a versatile and potent malware, was observed performing several nefarious activities:
- System Discovery: Gathering detailed information about the system, including network configurations and hardware specifications.
- Command Execution: Running shell commands to retrieve system and network details.
- Antivirus Evasion: Searching for and attempting to bypass common antivirus software.
The malware utilized encrypted payloads, such as an AutoIt script (script.a3x), to inject itself into legitimate processes and establish communication with its C&C server. Trend Micro emphasized: “The encrypted AutoIt payload script.a3x decrypts itself in memory as shellcode and injects itself into remote processes.”
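The attack stages above and the AutoIt injection behavior just described form a chain that endpoint telemetry can be correlated against. The following is an added example, not code from Trend Micro's report or from this article: a small Python correlator run over constructed process-creation events (Sysmon Event ID 1 style fields). The process names AnyDesk.exe and AutoIt3.exe, the parent/child relationships, file paths and timestamps are all assumptions for the sake of the example; the article itself names only AnyDesk, an AutoIt script (script.a3x) and MicrosoftEdgeUpdateCore.exe.

```python
"""Correlate constructed process-creation telemetry for the chain described in the article:
remote access tool -> AutoIt interpreter running an .a3x script -> MicrosoftEdgeUpdateCore.exe
started by something other than its legitimate updater parent.

Added example; the events, hostnames, paths and process names are constructed/assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    image: str          # full path of the executable that started
    cmdline: str        # command line of the new process
    parent_image: str   # full path of the parent process


T0 = datetime(2024, 12, 1, 9, 0, 0)  # constructed base time

SAMPLE_EVENTS = [
    # WS-01: the full chain (constructed values, not real indicators).
    ProcEvent(T0, "WS-01", r"C:\Users\alice\Downloads\AnyDesk.exe", "AnyDesk.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent(T0 + timedelta(minutes=4), "WS-01", r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe",
              "AutoIt3.exe script.a3x", r"C:\Users\alice\Downloads\AnyDesk.exe"),
    ProcEvent(T0 + timedelta(minutes=5), "WS-01",
              r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdateCore.exe",
              "MicrosoftEdgeUpdateCore.exe", r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe"),
    # WS-02: benign Edge updater launched by its normal parent; must not alert.
    ProcEvent(T0 + timedelta(minutes=1), "WS-02",
              r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdateCore.exe",
              "MicrosoftEdgeUpdateCore.exe /c",
              r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"),
    # WS-03: AnyDesk used on its own (e.g. IT support), no follow-on; must not alert.
    ProcEvent(T0 + timedelta(minutes=2), "WS-03", r"C:\Program Files\AnyDesk\AnyDesk.exe",
              "AnyDesk.exe", r"C:\Windows\explorer.exe"),
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_remote_tool(ev: ProcEvent) -> bool:
    # Assumed binary name for the remote access tool the article names (AnyDesk).
    return _base(ev.image) == "anydesk.exe"


def is_autoit_script(ev: ProcEvent) -> bool:
    # Assumed interpreter name; the article only says an AutoIt script (script.a3x) ran.
    return _base(ev.image) == "autoit3.exe" and ".a3x" in ev.cmdline.lower()


def is_suspicious_edge_updater(ev: ProcEvent) -> bool:
    # The article reports injection into MicrosoftEdgeUpdateCore.exe; here the signal is that
    # the process was started by something other than its normal updater parent.
    return (_base(ev.image) == "microsoftedgeupdatecore.exe"
            and _base(ev.parent_image) != "microsoftedgeupdate.exe")


STAGES = (
    ("remote_tool", is_remote_tool),
    ("autoit_a3x", is_autoit_script),
    ("edgeupdate_unexpected_parent", is_suspicious_edge_updater),
)


def correlate(events, window: timedelta = timedelta(minutes=30)) -> dict:
    """Return {host: [stage names hit in order]} for hosts on which at least two of the
    stages fire, in sequence, within `window` of the first hit. A single hit (such as
    a legitimate AnyDesk session) is not reported, which keeps the rule from paging on
    ordinary remote-support use."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)

    alerts = {}
    for host, evs in by_host.items():
        hits, next_stage, first_ts = [], 0, None
        for ev in evs:
            # Accept the earliest remaining stage this event satisfies (later stages may be skipped).
            for j in range(next_stage, len(STAGES)):
                name, pred = STAGES[j]
                if pred(ev):
                    first_ts = first_ts or ev.ts
                    if ev.ts - first_ts <= window:
                        hits.append(name)
                        next_stage = j + 1
                    break
        if len(hits) >= 2:
            alerts[host] = hits
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

Running the block prints one line for WS-01 and nothing for the two benign hosts. In a real deployment the same three predicates would map onto process-creation events from Sysmon or an EDR, and the window would be tuned to the dwell time seen in the environment.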
Trend Micro concludes: “DarkGate is primarily distributed through phishing emails, malvertising and SEO poisoning. However, in this case, the attacker leveraged voice phishing (vishing) to lure the victim.”
Organizations must remain vigilant, combining advanced security measures with comprehensive user education to mitigate these emerging threats.