Microsoft Teams messages are being used as a vector for a new phishing campaign, designed to trick users into downloading a malware attachment.
Starting last month, the malicious messages were sent from a number of compromised Office 365 accounts. They carry a ZIP attachment called “vacation schedule changes.”
Clicking the attachment downloads the archive from a SharePoint URL. Inside the compressed file is what appears to be a PDF, but it is actually an LNK (Windows shortcut) file containing malicious VBScript that leads to the installation of the malware known as DarkGate.
DarkGate
Cybersecurity company Truesec launched an investigation into the campaign and discovered that the download uses Windows cURL to retrieve the malware’s code, with the script precompiled and its malicious components hidden in the middle of the file to evade detection.
The script also checks whether the popular antivirus solution Sophos is installed on the victim’s endpoint. If it is not, additional code is revealed and shellcode is launched to activate the DarkGate executable and load it into system memory.
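The attachment structure described above, a ZIP archive whose “PDF” is really a Windows shortcut, is something a mail or collaboration gateway can check before the file ever reaches a user. The following Python script is an added example, not code from the article or from Truesec: it opens a ZIP in memory, flags any entry that ends in .lnk or that begins with the shell-link header magic, and notes when the visible name is a document extension such as .pdf. The sample archive it builds, including the filename “vacation schedule changes.pdf.lnk”, is constructed for the demonstration and is not an artifact from the campaign.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Windows shell link (.lnk) files begin with a fixed HeaderSize of 0x4C
# (little-endian) followed by the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Extensions an attacker uses as the "visible" part of a double-extension
# name (e.g. "schedule.pdf.lnk"); assumed list, extend for your environment.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def inspect_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per ZIP entry that is, or claims not to be, a shell link.

    An entry is reported when its name ends in .lnk or when its first bytes
    carry the LNK header magic; the 'document_masquerade' flag is set when the
    extension the user would see is a document type.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            lnk_by_magic = head.startswith(LNK_MAGIC)
            lnk_by_name = bool(suffixes) and suffixes[-1] == ".lnk"
            if not (lnk_by_magic or lnk_by_name):
                continue
            # The extension a user sees: the one before .lnk for a double
            # extension, otherwise the final extension itself.
            if lnk_by_name and len(suffixes) >= 2:
                visible_ext = suffixes[-2]
            elif suffixes and not lnk_by_name:
                visible_ext = suffixes[-1]
            else:
                visible_ext = ""
            findings.append({
                "name": info.filename,
                "lnk_by_name": lnk_by_name,
                "lnk_by_magic": lnk_by_magic,
                "document_masquerade": visible_ext in DOCUMENT_EXTENSIONS,
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (not from the campaign) with three entries:
    a fake LNK named like a PDF, a harmless text file, and a fake LNK whose
    name hides the .lnk extension entirely so only the bytes give it away."""
    fake_lnk = LNK_MAGIC + b"\x00" * 60  # header magic plus padding, not a real shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("vacation schedule changes.pdf.lnk", fake_lnk)
        zf.writestr("readme.txt", b"nothing to see here\n")
        zf.writestr("notes.pdf", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding)
```

Checking the header bytes as well as the name matters because a shortcut renamed to a bare .pdf is still executed as a shortcut once the user double-clicks it in Explorer; the name-only heuristic would miss that case, as the third sample entry shows.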
This isn’t the first time Microsoft Teams messages have raised concerns. Recently, a bug was found that allowed messages from external accounts to be delivered to an organization’s inbox, which should not be possible. It appears that this new DarkGate campaign is taking advantage of this flaw.
Microsoft hasn’t addressed the bug directly; all it has done is recommend that organizations create allow lists in Teams so that only certain external organizations can communicate with them, or else disable external communications altogether.
DarkGate has been around since 2017, but its use has been limited to a handful of cybercriminals targeting specific victims. It is a powerful and all-encompassing tool capable of stealing files, browser data and clipboard contents, as well as enabling crypto mining, keylogging and remote control of endpoints.