Recent findings by AT&T Cybersecurity have uncovered a phishing operation targeting Microsoft Teams users. The campaign uses group chat invitations to deliver DarkGate malware, relying on the platform’s large user base and on a default setting that lets users in other tenants start conversations. It is a reminder that phishing is no longer confined to email and that collaboration platforms need the same scrutiny.
The Mechanism of the DarkGate Malware Attack
The attackers, apparently operating from a compromised Teams user or domain, sent over a thousand malicious group chat invitations. Recipients who accept are then led to download a file with a deceptive double extension, such as ‘Navigating Future Changes October 2023.pdf.msi’: the visible ‘.pdf’ suggests a document, while the trailing ‘.msi’ makes it a Windows installer. Once run, the installer deploys DarkGate, which connects to a command-and-control server already associated with the malware’s infrastructure.
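The double-extension lure is easy to catch mechanically. The following is an added example, written for this page rather than taken from AT&T Cybersecurity’s report: a PowerShell check that flags a file name whose final extension is executable or installable while the extension before it looks like a document. The extension lists and the sample names other than the one quoted in the article are assumptions constructed for the example.

```powershell
# Added example (not from the article or AT&T Cybersecurity): flag names such as
# "report.pdf.msi" where a document-looking extension hides an executable one.
function Test-DoubleExtensionLure {
    param([Parameter(Mandatory)][string]$FileName)

    # Final extensions Windows will execute or install (assumed, non-exhaustive list).
    $execExt = @('.msi', '.exe', '.scr', '.lnk', '.js', '.jse', '.vbs', '.vbe',
                 '.hta', '.bat', '.cmd', '.ps1', '.com', '.pif')
    # "Document" extensions attackers use as the visible part of the lure (assumed list).
    $docExt  = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx',
                 '.txt', '.jpg', '.png')

    # Look at the real (last) extension first; a plain document is not a lure.
    $last = [System.IO.Path]::GetExtension($FileName).ToLowerInvariant()
    if ($execExt -notcontains $last) { return $false }

    # Strip the last extension and inspect the one before it.
    $stem  = [System.IO.Path]::GetFileNameWithoutExtension($FileName)
    $inner = [System.IO.Path]::GetExtension($stem).ToLowerInvariant()
    return ($docExt -contains $inner)
}

# Constructed sample names; only the first mirrors the lure quoted in the article.
$samples = @(
    'Navigating Future Changes October 2023.pdf.msi',
    'Q4 Budget.xlsx.exe',
    'Quarterly Report.pdf',
    'setup.msi'
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-DoubleExtensionLure -FileName $s), $s
}
```

The same predicate can be applied to file names in SharePoint or OneDrive audit logs, mail-flow rules, or EDR file-creation telemetry; a plain ‘setup.msi’ is deliberately not flagged, because the signal here is the mismatch between the displayed and the real extension, not the installer type alone.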
The Vulnerability of Microsoft Teams
The exposure of Microsoft Teams to such attacks comes from its default setting that permits external users to start conversations with users in other tenants. This openness, while useful for cross-organization collaboration, has made the platform an attractive delivery channel for cybercriminals. DarkGate operators are abusing this default, not a software flaw, and organizations that leave the ‘External Access’ setting enabled in its default state are the ones at risk.
Peter Boyle, a network security engineer at AT&T Cybersecurity, advises companies to consider disabling External Access in Microsoft Teams unless it is indispensable for business operations. He emphasizes that email, being a more secure and closely monitored channel, should be preferred for external communications. Boyle also underscores the importance of user education in recognizing and responding to phishing attempts, which are not limited to email but can manifest in various forms.
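Boyle’s recommendation maps onto a single tenant-wide setting. The block below is an added example, not AT&T Cybersecurity’s or Microsoft’s published guidance: it audits the current federation configuration with the MicrosoftTeams PowerShell module and then applies either a full block of external chat or an allow-list of named partner tenants. It assumes the module is installed, that the caller holds a Teams administrator role, and that the partner domains passed in are placeholders chosen by the administrator.

```powershell
# Added example (not from the article): audit and harden Teams External Access.
# Assumes the MicrosoftTeams module is installed and the session is authenticated
# as a Teams administrator.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Step 1: audit the defaults the campaign relies on.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer,
                  AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains

# Step 2: apply one of two postures.
#   Block     - no chat with other tenants, Skype, or consumer Teams accounts
#               (what Boyle suggests when External Access is not required).
#   AllowList - keep federation only with explicitly named partner tenants.
function Set-TeamsExternalAccessHardening {
    param(
        [Parameter(Mandatory)][ValidateSet('Block', 'AllowList')][string]$Mode,
        [string[]]$PartnerDomains = @()
    )

    switch ($Mode) {
        'Block' {
            Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                                -AllowPublicUsers $false `
                                                -AllowTeamsConsumer $false `
                                                -AllowTeamsConsumerInbound $false
        }
        'AllowList' {
            if ($PartnerDomains.Count -eq 0) {
                throw 'AllowList mode needs at least one partner domain.'
            }
            # Build the domain allow-list object the federation cmdlet expects.
            $patterns  = foreach ($d in $PartnerDomains) { New-CsEdgeDomainPattern -Domain $d }
            $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
            Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                                -AllowedDomains $allowList `
                                                -AllowTeamsConsumer $false `
                                                -AllowTeamsConsumerInbound $false
        }
    }

    # Step 3: return the resulting configuration so the change can be verified.
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer,
                      AllowTeamsConsumerInbound, AllowedDomains
}

# Placeholder partner domains (assumed for the example, not from the article).
Set-TeamsExternalAccessHardening -Mode AllowList -PartnerDomains 'partner-a.example', 'partner-b.example'
# Or, for a full block:
# Set-TeamsExternalAccessHardening -Mode Block
```

The allow-list posture keeps legitimate partner collaboration working while closing the open-by-default path the campaign abused; the consumer-account switches are turned off in both modes because an attacker-controlled personal account is just as usable as a compromised tenant for sending the invitation.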
Wider Implications and Previous Instances
The appeal of Microsoft Teams to threat actors is clear: its roughly 280 million monthly users make it fertile ground for such campaigns. Apart from the recent DarkGate delivery, similar tactics were observed earlier when compromised Microsoft 365 and Skype accounts were used to distribute malware via messages carrying VBA loader script attachments. Tools such as TeamsPhisher have also been used to bypass client-side restrictions, enabling malicious payloads to be delivered from external tenant accounts. Notably, APT29, a unit of Russia’s Foreign Intelligence Service (SVR), abused the same external-messaging path to target numerous global organizations, including government entities.
The Rise of DarkGate Malware
The disruption of the Qakbot botnet in August has pushed cybercriminals toward DarkGate as a preferred tool for gaining initial access to corporate networks. The DarkGate developer’s attempt to sell annual subscriptions on a hacking forum, together with the malware’s capabilities ranging from hidden VNC (hVNC) to browser history theft and reverse proxy support, signals an escalation in DarkGate activity. Since the developer’s announcement, a noticeable increase in DarkGate infections has been reported, with delivery methods including phishing and malvertising.
The surge in DarkGate malware attacks, facilitated by phishing campaigns via Microsoft Teams, underscores the critical need for enhanced security protocols and user awareness. Organizations are urged to reassess their communication platform settings, prioritize secure channels, and educate their workforce on the evolving tactics of cybercriminals. As the landscape of cyber threats continues to evolve, a proactive and informed approach is paramount in safeguarding valuable data and maintaining the integrity of corporate networks.