It’s true: Microsoft Teams group chat requests can be bad for you, because hackers hijack them to spread malware
Hackers are abusing a group chat feature in Microsoft Teams videoconferencing software to plant malware on people’s computers, researchers have warned.
Cybersecurity experts at AT&T Cybersecurity said a threat actor was observed using a compromised Teams user or domain to send more than 1,000 Teams group chat invitations.
Anyone who accepts the invite will see a file titled “Navigating Future Changes October 2023.pdf.msi”. Those with a keen eye will notice that the file pretends to be a PDF but is actually an MSI file, a Windows Installer package that delivers the DarkGate malware.
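The double extension on that file is something a defender can check for automatically. The sketch below is an added example, not code from the researchers or from Microsoft: it flags attachment names where a document extension is followed by an executable one, and ranks them higher when the sender is in another tenant. The extension lists, tenant names and event field names are assumptions made for illustration.

```python
import os

# Assumed extension lists for illustration; tune them for your environment.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
EXECUTABLE_EXTS = {".msi", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}


def classify_attachment(filename):
    """Return (verdict, real_ext, decoy_ext) for an attachment name."""
    # Windows drops trailing dots and spaces, so normalise before parsing.
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ").lower()
    stem, real_ext = os.path.splitext(name)
    if real_ext not in EXECUTABLE_EXTS:
        return ("ok", real_ext, None)
    decoy_ext = os.path.splitext(stem.rstrip(". "))[1]
    if decoy_ext in DECOY_EXTS:
        return ("masquerade", real_ext, decoy_ext)
    return ("executable", real_ext, None)


def triage(events, home_tenant):
    """Return alerts for risky attachments, highest severity first."""
    alerts = []
    for ev in events:
        verdict, real_ext, decoy_ext = classify_attachment(ev["file"])
        if verdict == "ok":
            continue
        external = ev["sender_tenant"].lower() != home_tenant.lower()
        # An installer posing as a document from another tenant ranks highest.
        severity = {"masquerade": 2, "executable": 1}[verdict] + (1 if external else 0)
        alerts.append({"file": ev["file"], "verdict": verdict,
                       "real_ext": real_ext, "decoy_ext": decoy_ext,
                       "external": external, "severity": severity})
    return sorted(alerts, key=lambda a: a["severity"], reverse=True)


# Constructed sample events; the field names are a hypothetical log schema.
SAMPLE_EVENTS = [
    {"sender_tenant": "contoso.example", "file": "Q3 budget.xlsx"},
    {"sender_tenant": "contoso.example", "file": "vpn-client.msi"},
    {"sender_tenant": "partner.example",
     "file": "Navigating Future Changes October 2023.pdf.msi"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, home_tenant="contoso.example"):
        print(alert)
```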
Human error
According to researchers at Trellix, DarkGate is a Remote Access Trojan (RAT) that was first discovered in 2018. It allows attackers to completely compromise victim systems and is marketed as malware-as-a-service (MaaS) by a threat actor under the alias RastaFarEye.
The hackers were able to send out so many invites thanks to a feature that allows remote Microsoft Teams users to send standard messages to the users of other tenants.
“Unless absolutely necessary for daily business use, disabling remote access in Microsoft Teams is advisable for most businesses, as email is generally a more secure and controlled communications channel,” said AT&T Cybersecurity’s researcher Peter Boyle in the announcement.
“As always, end users should be trained to pay attention to where unsolicited messages are coming from and reminded that phishing can take many forms beyond the typical email.”
BleepingComputer claims that there were similar DarkGate campaigns last year, where hackers took advantage of compromised remote Office 365 accounts and Skype accounts to send messages with a VBA loader script attached. The publication also claims that many threat actors turned to DarkGate after Qakbot’s demise.
Microsoft Teams is currently one of the most popular communication and collaboration platforms in the world, with approximately 280 million monthly active users.