In the ever-evolving landscape of cybersecurity threats, a new phishing scam dubbed “DarkGate Loader” has emerged, specifically targeting Microsoft Teams users. This malicious campaign has recently come to light, and its deceptive tactics make it a serious concern for individuals and organizations using the collaboration platform.
Identifying the DarkGate Loader Phishing Scam
The DarkGate Loader phishing scam is characterized by a cunning approach. Victims receive a message with a link bearing the innocuous title “changes to the vacation schedule.” Unsuspecting individuals who click on this link are directed to download corresponding .ZIP files, unknowingly exposing themselves to malware.
A Closer Look at DarkGate Loader
The cybersecurity research team at Truesec has been closely monitoring DarkGate Loader since late August. What makes this threat particularly insidious is its sophisticated downloading process, which conceals its malicious intent.
Hackers behind this campaign have employed compromised Office 365 accounts to distribute malware-infected messages through Microsoft Teams. Truesec’s investigation has uncovered the compromised accounts used by the hackers, including “Akkaravit Tattamanas” (63090101@my.buu.ac.th) and “ABNER DAVID RIVERA ROJAS” (adriverar@unadvirtual.edu.co).
The Malware and its Deceptive Techniques
DarkGate Loader comprises an infected VBScript concealed within an LNK file, a Windows shortcut. The phishing scam is designed to mislead users effectively. One tactic it employs is a SharePoint URL, making it challenging for users to recognize the file as malicious. Additionally, the code is embedded within a precompiled Windows cURL script, further obfuscating its intent.
The Functionality of DarkGate Loader
Once a victim’s system is compromised, DarkGate Loader proceeds to identify whether the antivirus software Sophos is installed. If it’s not detected, the malware initiates an “attack” known as “stacked strings.” This process injects additional code, enabling the execution of a shellcode that creates a DarkGate executable, which loads into the system memory.
Microsoft Teams Facing Persistent Threats
DarkGate Loader isn’t the only phishing scam targeting Microsoft Teams users. This summer, a group of Russian hackers known as “Midnight Blizzard” exploited social engineering tactics to target approximately 40 organizations. They leveraged Microsoft 365 accounts from small businesses that had already faced security challenges and posed as technical support personnel. Microsoft has since taken steps to address this issue.
A History of Phishing Scams and Cybersecurity Challenges
In the realm of cybersecurity, phishing scams are a recurring challenge. Just last fall, business email compromise (BEC) campaigns were prevalent. These scams involve malicious actors impersonating company executives to deceive employees into transferring funds. Additionally, a notable exploit called “Follina” was discovered, allowing hackers to gain access to the Microsoft Support Diagnostic Tool associated with Microsoft Office and Microsoft Word.
As the cybersecurity landscape continues to evolve, it’s imperative for individuals and organizations to remain vigilant, employ best practices for online security, and stay informed about emerging threats like DarkGate Loader. Regularly updating security software, educating users about potential threats, and practicing caution when clicking on links and downloading files are essential steps in mitigating the risks posed by these evolving threats.