Microsoft Teams Vishing Campaign Distributes DarkGate RAT

The DarkGate remote access Trojan (RAT) is now being delivered through a new attack vector. This time, a threat actor targeted a Microsoft Teams user through a voice call in order to gain access to their device, according to researchers.

The voice phishing, or vishing, attack was discovered by researchers at Trend Micro. It adds to the ways in which the DarkGate RAT has already been spreading: phishing emails, malvertising, hijacked Skype and Teams messages, and search engine optimization (SEO) poisoning.

In this particular instance, the attacker initially tried to install a Microsoft remote support application on the user’s device but was unsuccessful. Undeterred, the cybercriminal then resorted to social engineering tactics, convincing the victim to download the AnyDesk tool for remote access, ultimately achieving their malicious goal.

Once the victim downloaded AnyDesk, the attacker established a connection to a command-and-control (C2) server and loaded multiple “suspicious files” onto the victim’s machine, one of which was the DarkGate RAT. This allowed the attacker to take remote control of the user’s device, execute malicious commands, gather system information, and connect back to the C2 server.

The multistage vishing attack began with a flood of phishing emails sent to the victim, followed by a seemingly legitimate Microsoft Teams call for technical support. The caller, pretending to be an employee of an external supplier, instructed the victim to download the Microsoft Remote Support application. When that failed, the victim was guided to download AnyDesk and input their credentials, unwittingly opening the door for the attacker.

DarkGate is known for its extensive capabilities, including executing commands to gather system information, mapping networks, and carrying out directory traversal. It can also launch various remote access software, such as RDP, AnyDesk, and other tools. Additionally, it supports cryptocurrency mining, keylogging, privilege escalation, and data theft from browsers. It has also been observed to deliver additional payloads, like the Remcos RAT.

Despite the attack being thwarted before any data could be exfiltrated, the incident underscores the need for heightened security measures against such sophisticated threats. To protect against vishing attacks, organizations are advised to educate employees on the signs of such attacks and stay informed about the latest tactics.

Furthermore, organizations should thoroughly vet third-party technical support providers, establish cloud-vetting processes for remote access tools, whitelist approved applications, block unverified tools, and implement multifactor authentication on remote access tools. By taking these proactive steps, organizations can reduce the risk of falling victim to social engineering attacks and enhance their overall security posture.
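The sequence described above (email flood, external Teams call, then an unapproved remote access tool) can be turned into a correlation rule. The following Python sketch is an added example, not code from Trend Micro or the original article; the event shape, tool inventory, approved list and thresholds are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed inventory of remote access tools to watch for. Only AnyDesk is named
# in the article; the other entries are illustrative.
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}
# Assumed allowlist: the one tool this hypothetical organization has sanctioned.
APPROVED_TOOLS = {"teamviewer.exe"}

def ev(ts, user, kind, **detail):
    """Build one normalized event (hypothetical schema, not a real SIEM format)."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "kind": kind, **detail}

# Constructed sample telemetry: jdoe gets 40 emails, an external call, then AnyDesk.
SAMPLE_EVENTS = [ev(f"2024-05-06T09:{m:02d}:00", "jdoe", "email_in") for m in range(40)] + [
    ev("2024-05-06T09:50:00", "jdoe", "teams_call", external=True),
    ev("2024-05-06T10:05:00", "jdoe", "process", image="AnyDesk.exe"),
    ev("2024-05-06T11:00:00", "asmith", "process", image="TeamViewer.exe"),
    ev("2024-05-06T14:00:00", "bkim", "process", image="AnyDesk.exe"),
]

def detect(events, window=timedelta(hours=2), flood_threshold=30):
    """Flag unapproved remote access tools and raise severity when the launch
    follows an inbound email flood and/or an external Teams call."""
    alerts = []
    for e in events:
        if e["kind"] != "process":
            continue
        image = e["image"].lower()
        if image not in REMOTE_TOOLS or image in APPROVED_TOOLS:
            continue  # not a remote access tool, or explicitly sanctioned
        # Same user's activity in the look-back window before the launch.
        prior = [p for p in events
                 if p["user"] == e["user"]
                 and timedelta(0) <= e["ts"] - p["ts"] <= window]
        flood = sum(p["kind"] == "email_in" for p in prior) >= flood_threshold
        ext_call = any(p["kind"] == "teams_call" and p.get("external") for p in prior)
        severity = "critical" if flood and ext_call else "high" if ext_call else "medium"
        alerts.append({"user": e["user"], "image": image, "severity": severity,
                       "email_flood": flood, "external_call": ext_call})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

An unapproved tool with no preceding call or flood still alerts at medium severity, since the allowlist violation matters on its own.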
