A threat actor has been observed using vishing via Microsoft Teams to deploy DarkGate malware and gain remote control over the victim’s computer network.
Trend Micro reported that the attacker posed as an employee of a known client on an MS Teams call, enabling them to dupe the target user into downloading the remote desktop application AnyDesk, which then facilitated the deployment of DarkGate malware.
DarkGate is a sophisticated piece of malware designed to perform various malicious activities, including data theft, unauthorized access and system compromise. It can be distributed in numerous ways and is able to use advanced evasion techniques.
The case marks a notable evolution in how DarkGate is distributed, with the malware previously primarily deployed through phishing emails, malvertising and SEO poisoning.
Attacker Impersonates Supplier on Teams Call
The attacker used social engineering to gain initial access to the victim’s device.
The target was first flooded with “several thousands of emails,” after which they were called on MS Teams by the attacker who claimed to be an employee of an external supplier.
Initially, the victim was instructed to download the Microsoft Remote Support application, but the installation via the Microsoft Store failed.
The attacker then instructed the user to download AnyDesk and manipulated them into entering their credentials into the app.
Seconds after downloading the app, the command “C:\Users\\Downloads\AnyDesk.exe” was executed. This command starts the AnyDesk remote desktop application as a local service on the system, meaning it can operate with elevated privileges or in a minimized/automated fashion.
Minutes later, cmd.exe was invoked to execute rundll32.exe to load SafeStore.dll, which Trend Micro believes was dropped via AnyDesk.exe.
The execution of SafeStore.dll prompted a login form for entering credentials. Even if the user did not enter any credentials, multiple malicious commands were already running in the background, collecting detailed information about the system such as its configuration and network interfaces.
The executable file SystemCert.exe was also executed in the attack, creating the files script.a3x and AutoIt3.exe. These were used to evade detection and to load and execute the DarkGate script in memory.
AutoIt3.exe also executed script.a3x to inject into the MicrosoftEdgeUpdateCore.exe process, which was then observed connecting to a command and control server.
Finally, a PowerShell command was executed to drop the DarkGate payload.
Post-installation, multiple files and a registry entry were created for persistence.
The attack was detected and prevented before the exfiltration of data was achieved.
How to Tackle MS Teams Vishing Attacks
The researchers said the case highlighted the evolving nature of social engineering attacks. They noted that Microsoft had documented a similar case, in which the attacker utilized vishing to trick a target into downloading QuickAssist to gain access to the system to distribute ransomware.
Trend Micro advised measures organizations should implement to address this type of technique.
- Thoroughly vet third-party technical support providers, ensuring any claims of vendor affiliation are directly verified before granting remote access to corporate systems
- Whitelist approved remote access tools and block any unverified applications
- Integrate multi-factor authentication (MFA) on remote access tools to add an additional layer of protection
- Provide employee training to raise awareness about the dangers of unsolicited support calls or pop-ups
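The process chain above (AnyDesk.exe launched from Downloads, cmd.exe spawning rundll32.exe to load SafeStore.dll, AutoIt3.exe running script.a3x, and the MicrosoftEdgeUpdateCore.exe process reaching out to a command and control server) lends itself to host-based detection, and the allowlisting advice in the list above is the same check applied as policy. The following Python is an added example written for this article, not code from Trend Micro or from the report it summarises. It runs a handful of rules over constructed Sysmon-style process-creation and network events; the file names come from the article, while every path, username, parent process and IP address is an invented placeholder, and the remote-access tool allowlist is a hypothetical corporate policy.

```python
"""Detection rules for the DarkGate-via-AnyDesk chain described in the article,
run over constructed Sysmon-style telemetry. Only the file names are taken from
the article; paths, usernames, parents and IPs are invented placeholders.
"""
from dataclasses import dataclass
import ntpath
import re

# Hypothetical policy: remote-access tools the organisation recognises, and the
# subset it has approved. Anything recognised but not approved is "unverified"
# in the sense of the article's allowlisting advice.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "quickassist.exe", "rustdesk.exe"}
APPROVED_REMOTE_TOOLS = {"quickassist.exe"}

# Directories an ordinary user can write to without elevation.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(downloads|appdata|desktop|documents)\\", re.I)
DLL_IN_CMDLINE = re.compile(r'([a-z]:\\[^\s",]+\.dll)', re.I)


@dataclass
class Event:
    kind: str            # "process" (creation) or "network" (outbound connection)
    image: str           # full path of the process image
    parent: str = ""     # parent image, process events only
    cmdline: str = ""    # command line, process events only
    dest: str = ""       # destination ip:port, network events only


@dataclass
class Alert:
    rule: str
    event: Event


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_unapproved_remote_tool(ev: Event):
    """AnyDesk.exe step: a known remote-access tool that is not on the allowlist."""
    name = basename(ev.image)
    if ev.kind == "process" and name in REMOTE_ACCESS_TOOLS and name not in APPROVED_REMOTE_TOOLS:
        where = " from a user-writable path" if USER_WRITABLE.match(ev.image) else ""
        return f"unapproved remote-access tool {name} executed{where}"
    return None


def rule_rundll32_user_dll(ev: Event):
    """SafeStore.dll step: rundll32.exe asked to load a DLL from a user-writable directory."""
    if ev.kind == "process" and basename(ev.image) == "rundll32.exe":
        m = DLL_IN_CMDLINE.search(ev.cmdline)
        if m and USER_WRITABLE.match(m.group(1)):
            return "rundll32.exe loading a DLL from a user-writable path"
    return None


def rule_autoit_script(ev: Event):
    """script.a3x step: the AutoIt3 interpreter running a compiled .a3x script."""
    if ev.kind == "process" and basename(ev.image) == "autoit3.exe" and re.search(r"\.a3x\b", ev.cmdline, re.I):
        return "AutoIt3.exe executing a .a3x script"
    return None


def rule_edge_update_network(ev: Event, autoit_seen: bool):
    """Injected-process step. The real Edge updater does talk to the network, so
    this only fires once an AutoIt3 .a3x execution has been seen on the host."""
    if ev.kind == "network" and autoit_seen and basename(ev.image) == "microsoftedgeupdatecore.exe":
        return f"MicrosoftEdgeUpdateCore.exe outbound connection to {ev.dest} after AutoIt3 activity"
    return None


def detect(events):
    """Run the rules in order over one host's event stream, keeping the single
    piece of state (AutoIt3 seen) that the network rule needs."""
    alerts, autoit_seen = [], False
    for ev in events:
        for rule in (rule_unapproved_remote_tool, rule_rundll32_user_dll, rule_autoit_script):
            msg = rule(ev)
            if msg:
                alerts.append(Alert(msg, ev))
                autoit_seen = autoit_seen or rule is rule_autoit_script
        msg = rule_edge_update_network(ev, autoit_seen)
        if msg:
            alerts.append(Alert(msg, ev))
    return alerts


# Constructed telemetry in the order the article describes, with two benign
# events mixed in: a routine Edge update connection and a system rundll32 call.
SAMPLE_EVENTS = [
    Event("network", r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdateCore.exe", dest="192.0.2.1:443"),
    Event("process", r"C:\Users\jdoe\Downloads\AnyDesk.exe", parent=r"C:\Program Files\Microsoft\Edge\msedge.exe",
          cmdline=r"C:\Users\jdoe\Downloads\AnyDesk.exe"),
    Event("process", r"C:\Windows\System32\rundll32.exe", parent=r"C:\Windows\System32\cmd.exe",
          cmdline=r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\SafeStore.dll,Start"),
    Event("process", r"C:\Windows\System32\rundll32.exe", parent=r"C:\Windows\explorer.exe",
          cmdline=r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    Event("process", r"C:\Users\jdoe\AppData\Local\Temp\AutoIt3.exe",
          parent=r"C:\Users\jdoe\AppData\Local\Temp\SystemCert.exe", cmdline=r"AutoIt3.exe script.a3x"),
    Event("network", r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdateCore.exe", dest="203.0.113.10:443"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.event.image} {a.event.cmdline or a.event.dest}")
```

Run stand-alone it prints four alerts, one per stage of the chain, and stays silent on the two benign events. The point of the last rule is the correlation: a connection from MicrosoftEdgeUpdateCore.exe is normal on its own, so it is only escalated once the AutoIt3 stage has been seen on the same host, which is the kind of context a single-event signature cannot carry.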