Microsoft Teams used to deliver DarkGate Loader malware

Researchers have found a new method by which cybercriminals are spreading the DarkGate Loader malware. Until now, DarkGate was typically distributed via phishing emails. The malspam campaign used stolen email threads to lure victims into clicking a hyperlink, which downloaded the malware. But Malwarebytes also found DarkGate reloaded via malvertising and SEO poisoning campaigns.

A cybercriminal who goes by the handle RastaFarEye has been advertising DarkGate Loader on cybercrime forums since June 16, 2023. Once active, the malware can be used for several malicious activities like remote access, cryptocurrency mining, keylogging, clipboard stealing, and information stealing.

What’s new is that the researchers found evidence of a campaign using Microsoft Teams to deliver the DarkGate Loader.

“On August 29, in the timespan from 11:25 to 12:25 UTC, Microsoft Teams chat messages were sent from two external Office 365 accounts compromised prior to the campaign. The message content aimed to social engineer the recipients into downloading and opening a malicious file hosted remotely.”

The distributed link initially points to a traffic distribution system (TDS). If the requirements set by the attacker are met, the TDS will redirect the victim user to the final payload URL for the MSI download. When the user opens the downloaded MSI file, the DarkGate infection is triggered.

The download locations observed in the Teams attacks were sharepoint.com URLs hosting .zip files with names like “Changes to the vacation schedule.zip.”  The ZIP file contains a malicious LNK file (shortcut) posing as a PDF document: “Changes to the vacation schedule.pdf.lnk.”

Clicking the shortcut executes a command line which triggers the download and execution of a renamed cURL (a command-line tool for getting or sending data including files using URL syntax) to download and execute Autoit3.exe and a bundled script. The pre-compiled AutoIT script hides the code in the middle of the file and, on execution, drops a new file that contains shellcode.

When the shellcode is run, the first thing it uses is the “byte by byte” technique aka called stacked strings, to create a new file: a Windows executable identified as DarkGate Loader.

Protection

Current Microsoft Teams security features such as Safe Attachments or Safe Links failed to detect or block this attack. BleepingComputer reported in June of 2023 that security researchers had found a simple way to deliver malware to an organization with Microsoft Teams, despite restrictions in the application for files from external sources. Microsoft Teams has client-side protections in place to block file delivery from external tenant accounts. But the restriction can be circumvented by changing the internal and external recipient ID in the POST request of a message, which ends up with Teams treating an external user as if it was an internal one.

The only way to prevent this attack vector within Microsoft Teams is to only allow Microsoft Teams chat requests from specific external domains. This may be troublesome in some environments since this means that all trusted external domains need to be whitelisted by an IT administrator.

ThreatDown customers are protected against this attack as ThreatDown blocks the C2 server hosting the downloaded files. ThreatDown detects the LNK file and the scripts as Trojan.DarkGate.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading ThreatDown today.