
Attacker Distributes DarkGate Through MS Teams Vishing Technique


An incident involving a threat actor using vishing via Microsoft Teams to deploy DarkGate malware and gain remote control over a victim’s computer network has been reported by Trend Micro. The attacker reportedly posed as an employee of a known client during an MS Teams call, tricking the target user into downloading the remote desktop application AnyDesk, which then facilitated the deployment of DarkGate malware.

DarkGate is a sophisticated piece of malware known for carrying out various harmful activities such as data theft, unauthorized access, and system compromise. This case marks a significant shift in how DarkGate is distributed, as it was previously spread mainly through phishing emails, malvertising, and SEO poisoning.

In this instance, the attacker utilized social engineering tactics to gain initial access to the victim’s device. Following a bombardment of “several thousands of emails,” the target was contacted via MS Teams by the attacker, who claimed to be an employee of an external supplier. The victim was first instructed to download the Microsoft Remote Support application, which failed to install from the Microsoft Store. Subsequently, the attacker guided the user to download AnyDesk and coerced them into entering their credentials into the app.

Shortly after the download, a command was executed to start the AnyDesk application as a local service on the system. This allowed the application to operate with elevated privileges or in an automated manner. Further malicious commands were then executed in the background, gathering detailed information about the system configuration and network interfaces. The attack also involved running executable files and injected processes, ultimately leading to the deployment of the DarkGate payload.

Fortunately, the attack was detected and prevented before any data exfiltration occurred. This incident underscores the evolving nature of social engineering attacks and the importance of organizations implementing security measures to combat such threats. Trend Micro recommended several strategies to address these types of techniques, including thoroughly vetting third-party technical support providers, whitelisting approved remote access tools, integrating multi-factor authentication, and providing employee training to raise awareness about the dangers of unsolicited support calls or pop-ups.
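The sequence described above (a remote access tool started as a service, then system and network discovery) and the allowlisting recommendation can be combined into one triage rule over process-creation telemetry; the following is an added example, not code from Trend Micro or the original article. The tool list, allowlist, path markers, discovery binaries, time window and sample events are all assumptions constructed for illustration.

```python
import ntpath
from datetime import datetime, timedelta

# Illustrative assumptions, not values from the incident report.
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe"}
APPROVED = {"teamviewer.exe"}                     # hypothetical org allowlist
USER_PATHS = ("\\downloads\\", "\\appdata\\", "\\temp\\")
RECON = {"systeminfo.exe", "ipconfig.exe", "route.exe"}
WINDOW = timedelta(minutes=10)

# Constructed process-creation events: (timestamp, host, image path, command line).
SAMPLE = [
    ("2024-12-01T10:02:11", "WS01", r"C:\Users\alice\Downloads\AnyDesk.exe", "AnyDesk.exe --local-service"),
    ("2024-12-01T10:04:30", "WS01", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ("2024-12-01T10:04:41", "WS01", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ("2024-12-01T10:05:00", "WS02", r"C:\Program Files\TeamViewer\TeamViewer.exe", "TeamViewer.exe"),
    ("2024-12-01T10:06:00", "WS02", r"C:\Windows\System32\ipconfig.exe", "ipconfig"),
    ("2024-12-01T10:30:00", "WS01", r"C:\Windows\System32\route.exe", "route print"),
]

def triage(events, approved=APPROVED):
    """Return (host, binary, reasons) findings in time order."""
    findings = []
    last_tool = {}  # host -> time a suspicious remote access tool last started
    for ts_raw, host, image, cmd in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_raw)
        path = image.lower()
        name = ntpath.basename(path)  # handles Windows paths on any OS
        if name in REMOTE_TOOLS:
            reasons = []
            if name not in approved:
                reasons.append("not-allowlisted")
            if any(marker in path for marker in USER_PATHS):
                reasons.append("user-writable-path")
            if "service" in cmd.lower():
                reasons.append("service-mode")
            if reasons:
                findings.append((host, name, tuple(reasons)))
                last_tool[host] = ts
        elif name in RECON and host in last_tool and ts - last_tool[host] <= WINDOW:
            # Discovery commands shortly after a flagged remote tool on the same host.
            findings.append((host, name, ("recon-after-remote-tool",)))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Discovery commands on their own are routine administration; the rule only raises them when they follow a flagged remote access tool on the same host within the window.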

Overall, this incident serves as a cautionary tale about the risks associated with vishing attacks via platforms like Microsoft Teams and the critical need for organizations to enhance their cybersecurity defenses to safeguard against sophisticated malware deployments and unauthorized remote access attempts.

