DarkGate Threatens Microsoft Teams With Phishing Attack

October 11, 2023

A new phishing campaign is targeting Microsoft Teams users with messages carrying malicious attachments that install the DarkGate Loader malware, reports Bleeping Computer. DarkGate is a potent malware that supports a wide range of malicious activities, including hVNC for remote access, cryptocurrency mining, a reverse shell, keylogging, clipboard stealing, and information stealing from files and browser data.

The campaign began in late August 2023 when Microsoft Teams phishing messages were sent by two compromised external Office 365 accounts to other organizations. The Office 365 accounts were used to trick Microsoft Teams users into downloading and opening a ZIP file named “Changes to the vacation schedule.”

Clicking on the attachment triggers a download of the ZIP from a SharePoint URL; the archive contains an LNK file that masquerades as a PDF document.

The attachments contain malicious VBScript, which triggers an infection chain that leads to a payload identified as the DarkGate Loader. To evade detection, the download process uses Windows cURL to fetch the malware’s executable and script files.
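The lure described above is a ZIP archive whose only payload is a Windows shortcut (LNK) dressed up as a PDF. A simple defensive check that mail or file-sharing gateways can apply is to open incoming archives and flag shortcut and script members, especially ones with a double extension such as `.pdf.lnk`. The PowerShell below is an added example written for this article, not code from Bleeping Computer or from the DarkGate reporting; it builds a constructed sample archive in the temp directory (the inner file name and its contents are invented placeholders, not a real shortcut) and runs the inspection function over it.

```powershell
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Member extensions that should never arrive as a "document" attachment.
$RiskyExtensions = @('.lnk', '.vbs', '.vbe', '.js', '.jse', '.hta', '.exe', '.scr')

function Test-SuspiciousArchive {
    <#
      Opens a ZIP read-only and returns one object per risky member.
      Reason distinguishes a bare script/shortcut from one masquerading
      as a document via a double extension (e.g. "schedule.pdf.lnk").
    #>
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq '') { continue }   # directory entries have no name
            $ext = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
            if ($RiskyExtensions -notcontains $ext) { continue }

            $reason = "Risky member type $ext inside archive"
            if ($entry.Name -match '\.(pdf|docx?|xlsx?|pptx?)\.[a-z]{2,3}$') {
                $reason = "Member masquerades as a document (double extension): $($entry.Name)"
            }
            $findings += [pscustomobject]@{
                Archive = $Path
                Entry   = $entry.FullName
                Size    = $entry.Length
                Reason  = $reason
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

# --- Constructed sample: a lure-style ZIP with a fake "PDF" shortcut ---------
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'sample-lure.zip'
if (Test-Path $sample) { Remove-Item $sample }
$archive = [System.IO.Compression.ZipFile]::Open($sample, 'Create')
$member  = $archive.CreateEntry('Changes to the vacation schedule.pdf.lnk')
$writer  = New-Object System.IO.StreamWriter($member.Open())
$writer.Write('placeholder bytes - not a real shortcut')
$writer.Dispose()
$archive.Dispose()

# Run the check; in a gateway this result would drive quarantine/alerting.
$hits = Test-SuspiciousArchive -Path $sample
if ($hits.Count -gt 0) {
    $hits | Format-Table Entry, Size, Reason -AutoSize
} else {
    Write-Host "No risky members found in $sample"
}
Remove-Item $sample
```

The double-extension pattern is the higher-confidence signal; a bare `.lnk` in a ZIP is unusual for a legitimate "document" share but not unheard of, so a deployment would typically alert on the former and quarantine-for-review on the latter rather than block both outright.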

This campaign is an example of Microsoft Teams phishing that was previously demonstrated in a June 2023 report by cybersecurity company Jumpsec. The method involves sending malicious messages to other organizations through phishing and social engineering, similar to what was observed in this attack.

Despite these concerns, Microsoft still has not addressed this risk comprehensively. Instead, the company recommended that admins apply safe configurations such as narrow-scoped allow-lists, and disable external access entirely if it isn’t needed.
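Both of the mitigations Microsoft recommends are tenant-level Teams federation settings, and both can be applied from the MicrosoftTeams PowerShell module. The function below is an added example for this article, not Microsoft's own guidance text or any script from the reporting: it wraps the relevant cmdlets so an admin can either switch external access off or restrict it to an explicit list of partner domains, and then prints the resulting configuration. It assumes an existing `Connect-MicrosoftTeams` session with Teams administrator rights, and the partner domains in the usage call are placeholders.

```powershell
# Requires: Install-Module MicrosoftTeams ; Connect-MicrosoftTeams (Teams admin)

function Set-TeamsExternalAccessPosture {
    <#
      Disable  : turns off federation with other tenants and with Teams
                 consumer (personal) accounts - the "not needed" case.
      AllowList: keeps federation on but only for the domains given in
                 -AllowedDomain, replacing any "allow all known domains" rule.
      -WhatIf shows the intended change without applying it.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disable', 'AllowList')]
        [string]$Mode,

        [string[]]$AllowedDomain = @()
    )

    switch ($Mode) {
        'Disable' {
            if ($PSCmdlet.ShouldProcess('Tenant federation', 'Disable all external access')) {
                Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                                    -AllowTeamsConsumer $false
            }
        }
        'AllowList' {
            if ($AllowedDomain.Count -eq 0) {
                throw 'AllowList mode needs at least one domain in -AllowedDomain.'
            }
            # Build the allow-list object the federation cmdlet expects.
            $patterns  = $AllowedDomain | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
            $allowList = New-CsEdgeAllowList -AllowedDomain $patterns

            $target = "Restrict external access to: $($AllowedDomain -join ', ')"
            if ($PSCmdlet.ShouldProcess('Tenant federation', $target)) {
                Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                                    -AllowTeamsConsumer $false `
                                                    -AllowedDomains $allowList
            }
        }
    }

    # Show what is now in effect so the change can be verified and recorded.
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains
}

# Usage (placeholder partner domains, not real tenants):
# Set-TeamsExternalAccessPosture -Mode Disable -WhatIf
# Set-TeamsExternalAccessPosture -Mode AllowList -AllowedDomain 'partner-one.example','partner-two.example'
```

The AllowList branch is the "narrow-scoped allow-list" option: any tenant not on the list, including a compromised Office 365 account at an unrelated organization, can no longer initiate a Teams chat with internal users. Review the output of `Get-CsTenantFederationConfiguration` after the change, since an existing `AllowAllKnownDomains` rule is silently replaced rather than merged.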

There have been multiple reports of DarkGate distribution ramping up and using various channels including phishing and malvertising. It may not be a widespread threat yet, but DarkGate has expanded its targeting and adoption of multiple infection avenues. This makes it an emerging threat that should be monitored closely.
