{"id":6623,"date":"2024-12-16T04:22:25","date_gmt":"2024-12-16T10:22:25","guid":{"rendered":"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/vishing-via-microsoft-teams-spreads-darkgate-rat"},"modified":"2024-12-16T04:22:25","modified_gmt":"2024-12-16T10:22:25","slug":"microsoft-teams-vishing-spreads-darkgate-rat","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/12\/16\/microsoft-teams-vishing-spreads-darkgate-rat\/","title":{"rendered":"Microsoft Teams Vishing Spreads DarkGate RAT"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

The DarkGate remote access trojan (RAT) has a new attack vector: a threat actor targeted a Microsoft Teams user via a voice call to gain access to their device.<\/span><\/p>\n

The attack adds to the other methods for spreading the RAT, which previously has been propagated using <\/span>phishing emails<\/a><\/span>, malvertising, hijacking of <\/span>Skype and Teams messages<\/a><\/span>, and SEO poisoning, researchers said.<\/span><\/p>\n

Researchers at Trend Micro discovered the voice phishing, or <\/span>vishing attack<\/a><\/span>, in which an attacker initially tried to install a Microsoft remote support application to gain access to the user’s device, they revealed in a <\/span>recent blog post<\/a><\/span>. While this failed, the cyberattackers then used social engineering to convince the victim to download the AnyDesk tool for remote access, which they eventually achieved.<\/span><\/p>\n

The attacker loaded multiple “suspicious files” onto the victim’s machine via a connection that was established to a command-and-control (C2) server, one of which was DarkGate, according to Trend Micro. The RAT, distributed as usual via an AutoIt script, enabled remote control over the user’s machine, executed malicious commands, gathered system information, and connected to a command-and-control server (C2).<\/span><\/p>\n

A Multi-Stage Vishing Cyberattack<\/h2>\n

The multi-stage attack started off in a more typical DarkGate way, through a flood of thousands of phishing emails sent to the victim’s inbox. The emails were followed up with a Microsoft Teams call purportedly for technical support, which kicked off the vishing attack.<\/span><\/p>\n

The caller claimed to be an employee of an external supplier of the victim’s company needing assistance, and instructed the victim to download the Microsoft Remote Support application.<\/span><\/p>\n

“However, the installation via the Microsoft Store failed,” Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta wrote in the post. “The attacker then instructed the victim to download AnyDesk via browser and manipulate the user to enter her credentials to AnyDesk.”<\/span><\/p>\n

The attacker used AnyDesk to set up a communication channel to C2 and initiate various malicious scripts and eventually a PowerShell command to drop DarkGate using the Autoit legitimate Windows automation and scripting tool favored by attackkers for obfuscation and defense evasion. Post installation, the attack also loaded files and a registry entry for persistence.<\/span><\/p>\n

Another Channel for Spreading DarkGate Malware<\/h2>\n

While ultimately the attack was stopped before data could be exfiltrated from the victim’s machine, it demonstrates DarkGate actors using yet another means to spread the formidable RAT, adding to a <\/span>long list<\/a><\/span> of previously used delivery methods, the researchers said.<\/span><\/p>\n

DarkGate has been used to target users around the world since at least 2017 and integrates multiple diverse and malicious functions. Among its capabilities are executing commands for gathering system information, mapping networks, and doing directory traversal, as well as launching remote desktop protocol (RDP), hidden virtual network computing, AnyDesk, and other remote access software.<\/span><\/p>\n

DarkGate also has features to support cryptocurrency mining, keylogging, privilege escalation, and stealing information from browsers, and is even known to carry additional payloads, including <\/span>other RATs<\/a><\/span> like REMCOS.<\/span><\/p>\n

How to Protect Against Sophisticated Vishing Attacks<\/h2>\n

Vishing attacks<\/a><\/span> are becoming ever more psychologically sophisticated, with attackers even <\/span>resorting to physical intimidation<\/a><\/span> to coerce victims into complying with demands. Training employees on signs of a <\/span>vishing attack<\/a><\/span>, including staying up to date on the latest tactics, is becoming increasingly important as these attacks escalate.<\/span><\/p>\n

“Well-informed employees are less likely to fall victim to social engineering attacks, strengthening the organization\u2019s overall security posture,” the researchers wrote.<\/span><\/p>\n

Organizations also should “thoroughly vet third-party technical support providers” to “ensure that any claims of vendor affiliation are directly verified before granting remote access to corporate systems, the researchers wrote. Moreover, they should establish cloud-vetting processes to evaluate and approve remote access tools, such as AnyDesk to assess security compliance and vendor reputation before putting them in use.<\/span><\/p>\n

Whitelisting approved remote access tools and blockinhg any unverified applications as well as integrating multi-factor authentication (MFA) on remote access tools also “reduces the risk of malicious tools being used to gain control over internal machines,” the researchers wrote.<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

The DarkGate remote access trojan (RAT) has a new attack<\/p>\n","protected":false},"author":12,"featured_media":6624,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-6623","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/microsoft-teams-vishing-spreads-darkgate-rat.png?fit=1920%2C1080&ssl=1",1920,1080,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/microsoft-teams-vishing-spreads-darkgate-rat.png?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/microsoft-teams-vishing-spreads-darkgate-rat.png?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/microsoft-teams-vishing-spreads-darkgate-rat.png?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/microsoft-teams-vishing-spreads-darkgate-rat.png?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/microsoft-teams-vishing-spreads-darkgate-rat.png?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/microsoft-teams-vishing-spreads-darkgate-rat.png?fit=1920%2C1080&ssl=1",1920,1080,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/microsoft-teams-vishing-spreads-darkgate-rat.png?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/microsoft-teams-vishing-spreads-darkgate-rat.png?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/microsoft-teams-vishing-spreads-darkgate-rat.png?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/12\/microsoft-teams-vishing-spreads-darkgate-rat.png?fit=1920%2C1080&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6623","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6623"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6623\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/6624"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6623"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6623"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6623"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}