A new threat actor is using a voice phishing (vishing) attack over Microsoft Teams to spread the DarkGate remote access Trojan (RAT), adding to its existing methods of spreading malware. Researchers at Trend Micro found that the attackers used social engineering to convince victims to download the AnyDesk remote access tool after an initial failed attempt to install a Microsoft remote support application.
The attack began with a flood of thousands of phishing emails sent to the victim’s inbox, followed by a Microsoft Teams call from someone claiming to be a technical support employee. The caller instructed the victim to download Microsoft Remote Support and then eventually AnyDesk via the browser. However, installing AnyDesk failed, and the attacker used social engineering tactics to convince the victim to enter their credentials.
Once inside, the attackers loaded multiple suspicious files onto the victim’s machine via a connection established with a command-and-control server, one of which was DarkGate. The RAT enabled remote control over the user’s machine, executed malicious commands, gathered system information, and connected to a C2 server.
This attack demonstrates that threat actors are using yet another delivery method for the malware, in addition to phishing emails, malvertising, hijacking of instant messages, and SEO poisoning. DarkGate has been spreading since 2017 and integrates multiple diverse functions, including remote access software and cryptocurrency mining.
To protect against sophisticated vishing attacks, employees should be trained to recognize the signs of a vishing attack and kept up to date on the latest tactics. Organizations also need to thoroughly vet third-party technical support providers, establish cloud-vetting processes for remote access tools, and integrate multifactor authentication to reduce the risk of malicious tools being used to gain control over internal machines.
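On the detection side, the sequence described above (a mail flood, then a Teams call from outside the organization, then a remote access tool download) can be correlated per user. The following is an added example, not code from Trend Micro or the source article; the event schema, thresholds, tool list, and sample telemetry are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

REMOTE_TOOLS = ("anydesk",)  # assumption: extend with the tools your organization tracks

def detect_vishing_chain(events, burst_threshold=30,
                         burst_window=timedelta(minutes=15),
                         chain_window=timedelta(hours=2)):
    """Return users who saw a mail flood, then an external Teams call, then a
    remote access tool download, each stage within chain_window of the last."""
    mails = defaultdict(deque)           # per-user sliding window of mail timestamps
    burst_at, call_at, flagged = {}, {}, []
    for ts, user, kind, detail in sorted(events):
        if kind == "mail_received":
            q = mails[user]
            q.append(ts)
            while ts - q[0] > burst_window:   # drop mails older than the window
                q.popleft()
            if len(q) >= burst_threshold:
                burst_at[user] = ts           # stage 1: inbox flood observed
        elif kind == "teams_call" and detail == "external":
            if user in burst_at and ts - burst_at[user] <= chain_window:
                call_at[user] = ts            # stage 2: external call after the flood
        elif kind == "file_download" and any(t in detail.lower() for t in REMOTE_TOOLS):
            if user in call_at and ts - call_at[user] <= chain_window and user not in flagged:
                flagged.append(user)          # stage 3: remote tool fetched after the call
    return flagged

def sample_events():
    """Constructed telemetry for illustration; not data from the incident."""
    t0 = datetime(2024, 1, 1, 9, 0)
    ev = [(t0 + timedelta(seconds=15 * i), "alice", "mail_received", "inbound")
          for i in range(40)]
    ev += [(t0 + timedelta(minutes=20), "alice", "teams_call", "external"),
           (t0 + timedelta(minutes=30), "alice", "file_download", "AnyDesk.exe"),
           # bob: external call and download, but no preceding mail flood
           (t0 + timedelta(minutes=5), "bob", "teams_call", "external"),
           (t0 + timedelta(minutes=9), "bob", "file_download", "AnyDesk.exe")]
    # carol: mail flood only, no call or download
    ev += [(t0 + timedelta(seconds=10 * i), "carol", "mail_received", "inbound")
           for i in range(40)]
    return ev

if __name__ == "__main__":
    print(detect_vishing_chain(sample_events()))
```

The burst threshold in the sample is scaled down from the thousands of emails reported in the incident; tune it against normal inbound volume per mailbox.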
The incident highlights the importance of employee training and vendor verification in preventing social engineering attacks. By staying informed and taking proactive measures, organizations can strengthen their security posture against evolving threats like DarkGate RAT.
Source: https://www.darkreading.com/cyberattacks-data-breaches/vishing-via-microsoft-teams-spreads-darkgate-rat