Microsoft Teams phishing pushes DarkGate malware via group chats

New phishing attacks abuse Microsoft Teams group chat requests to push malicious attachments that install DarkGate malware payloads on victims' systems.

The attackers used what looks like a compromised Teams user (or domain) to send over 1,000 malicious Teams group chat invites, according to AT&T Cybersecurity research.

After the targets accept the chat request, the threat actors trick them into downloading a file using a double extension named 'Navigating Future Changes October 2023.pdf.msi,' a common DarkGate tactic.

Once installed, the malware will reach out to its command-and-control server at hgfdytrywq[.]com, which is already confirmed as part of DarkGate malware infrastructure by Palo Alto Networks.

This phishing attack is possible because Microsoft allows external Microsoft Teams users to message other tenants' users by default.

"Unless absolutely necessary for daily business use, disabling External Access in Microsoft Teams is advisable for most companies, as email is generally a more secure and more closely monitored communication channel," warned AT&T Cybersecurity network security engineer Peter Boyle.

"As always, end users should be trained to pay attention to where unsolicited messages are coming from and should be reminded that phishing can take many forms beyond the typical email."

Microsoft Teams has become an attractive target for threat actors due to its massive pool of 280 million monthly users. DarkGate operators capitalize on this by pushing their malware through Microsoft Teams in attacks targeting organizations where admins haven't secured their tenants by disabling the External Access setting.

Similar campaigns were observed last year pushing DarkGate malware via compromised external Office 365 accounts and Skype accounts that sent messages containing VBA loader script attachments.

Initial access brokers like Storm-0324 have also used Microsoft Teams for phishing to breach corporate networks with the help of a publicly available tool called TeamsPhisher that exploits a security issue in Microsoft Teams.

TeamsPhisher enables attackers to send malicious payloads despite client-side protections that should block file delivery from external tenant accounts.

APT29, a hacking division of Russia's Foreign Intelligence Service (SVR), exploited the same issue to target dozens of organizations worldwide, including government agencies.

​Surge of DarkGate malware attacks

In the wake of international collaborative efforts that disrupted the Qakbot botnet in August, cybercriminals have increasingly turned to the DarkGate malware loader as their preferred means of initial access to corporate networks.

Before the Qakbot botnet was taken down, an individual claiming to be the developer of DarkGate attempted to sell $100,000 annual subscriptions on a hacking forum.

DarkGate's developer said it includes many capabilities, such as a concealed VNC, tools to bypass Windows Defender, a browser history theft tool, an integrated reverse proxy, a file manager, and a Discord token stealer.

After the developer's announcement, there has been a notable surge in reported DarkGate infections, with cybercriminals employing various delivery methods, including phishing and malvertising.