In a recent surge of cyber threats, attackers are exploiting Microsoft Teams, a widely used collaboration platform. The attackers employ phishing tactics, leveraging compromised Teams accounts to send over 1,000 malicious group chat invites.
The alarming incident features the DarkGate malware, which easily infects the systems once installed.
Compromised Teams Accounts as Conduits
According to cybersecurity researchers, the hackers have compromised Microsoft Teams through its new phishing attack—by deploying the DarkGate malware.
In a blog post by AT&T Cybersecurity Research, the attackers, appearing as compromised Teams users or domains, strategically send malicious group chat invites. The team unveiled that this deceptive technique is a crucial component of their strategy to access victims' systems.
Related Article: Microsoft Outlook Security Flaw Exposed: NTLM v2 Passwords at Risk
Tricking Users into Malicious Downloads
Once the targets accept the chat request, the attackers employ a classic DarkGate tactic. They trick users into downloading a file with a double extension named "Navigating Future Changes October 2023.pdf.msi." This seemingly innocuous file harbors the DarkGate malware payload.
"Unless absolutely necessary for daily business use, disabling External Access in Microsoft Teams is advisable for most companies, as email is generally a more secure and more closely monitored communication channel. As always, end users should be trained to pay attention to where unsolicited messages are coming from and should be reminded that phishing can take many forms beyond the typical email," AT&T Cybersecurity network security engineer Peter Boyle warned.
DarkGate Malware Unleashed
Upon installation, the DarkGate malware connects to its command-and-control server at hgfdytrywq[.]com. This server, identified by Palo Alto Networks, is a confirmed part of the DarkGate malware infrastructure. DarkGate, known for its multifaceted capabilities, poses a significant threat to victims' systems.
Microsoft Teams Vulnerabilities
It's clear now that this phishing attack exposes how vulnerable the Microsoft Teams platform is. The platform, by default, allows external users to message users in other tenants. Threat actors capitalize on this, making Microsoft Teams an attractive target due to its massive user base of 280 million monthly users.
Rising Trends in DarkGate Exploitation
According to Bleeping Computer, the DarkGate malware has emerged as a preferred tool for cybercriminals seeking initial access to corporate networks, especially after the disruption of the Qakbot botnet.
The surge in DarkGate infections is evident, with cybercriminals utilizing various delivery methods, including phishing and malvertising.
The surge in DarkGate infections follows an attempt by its purported developer to sell $100,000 annual subscriptions on a hacking forum. DarkGate boasts concealed VNC capabilities, tools to bypass Windows Defender, a browser history theft tool, an integrated reverse proxy, a file manager, and a Discord token stealer.
In other news, Cisco alerted users that malware hit its software. Remote attackers injected security flaws into it, prompting it to launch an emergency patch.
For more reports about malware and the like, click here.
Read Also: Keenan & Associates Alerts 1.5 Million People That Hackers Accessed Data in Recent Breach
