VTA-004465 – DarkGate Loader Malware Infiltrates Systems via Microsoft Teams
DarkGate Loader is a modular malware loader that can deliver a variety of other malware, such as ransomware, trojans, and backdoors. It is typically delivered via malspam campaigns, but it has also been observed being delivered via Microsoft Teams.
In the Microsoft Teams attack, the threat actor sends a chat message to the victim from a compromised account. The message contains a malicious link or attachment. When the victim clicks on the link or opens the attachment, the DarkGate Loader is downloaded and executed.
The DarkGate Loader then connects to a command-and-control (C&C) server and receives instructions. The malware can then be used to steal data, install other malware, or take control of the victim’s computer.
The DarkGate Loader malware campaign can have a significant impact on organizations. The malware can steal sensitive data, such as financial information, customer data, or intellectual property. It can also be used to install other malware, such as ransomware, which can encrypt files and demand a ransom payment to decrypt them.
Severity:
Medium
Attack Surfaces:
Email, Endpoint, Messaging, Office 365
Tactics:
Credential Access, Discovery, Execution, Initial Access, Reconnaissance
Techniques:
T1027 – Obfuscated Files or Information
T1113 – Screen Capture
T1547 – Boot or Logon Autostart Execution
Indicator of Compromise:
https://otx.alienvault.com/pulse/65023ae8b4f3f97ee2be416d
References:
https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams
SuperPRO’s Threat Countermeasures Procedures:
1. Be careful about clicking on links or opening attachments in emails or chat messages from unknown senders.
2. Keep your software up to date, including your operating system, web browser, and antivirus software.
3. Use a strong password and enable multi-factor authentication for your online accounts.
4. Back up your data regularly so that you can restore it if it is lost or corrupted.
5. Enable a firewall to block unauthorized traffic from entering your computer.
6. Be careful about what websites you visit and what files you download.
7. Restrict Microsoft Teams so that chat requests are permitted only from specific external domains.
8. Run antivirus scans frequently on devices to detect any suspicious activity.
9. Implement Microsoft’s Safe Attachments feature.
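One way to apply countermeasure 7 with the MicrosoftTeams PowerShell module, as an added example that is not part of the original advisory. The partner domains are placeholders, and the session is assumed to be signed in with a Teams administrator account.

```powershell
# Added example: limit Teams external access to an allowlist of partner domains.
# By default a tenant accepts chats from any external Teams domain, which is the
# path a message from a compromised outside account uses to reach your users.

# Placeholder domains (assumption): replace with the partners you actually chat with.
$PartnerDomains = @('partner-one.example', 'partner-two.example')

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# 1. Record the current external-access settings so the change can be reviewed
#    and rolled back if a legitimate partner is missed.
Write-Host 'External access BEFORE change:'
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains

# 2. Normalise and validate the list; a typo here silently blocks a partner.
$allow = New-Object 'Collections.Generic.List[String]'
foreach ($d in $PartnerDomains) {
    $d = $d.Trim().ToLowerInvariant()
    if ($d -notmatch '^([a-z0-9-]+\.)+[a-z0-9-]+$') {
        throw "Not a valid domain name: '$d'"
    }
    if (-not $allow.Contains($d)) { $allow.Add($d) }
}
if ($allow.Count -eq 0) { throw 'Allowlist is empty; refusing to apply.' }

# 3. Replace open federation with the allowlist. Only domains in $allow can
#    start chats with users in this tenant after this call.
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $allow

# 4. Read the setting back to confirm it was applied.
Write-Host 'External access AFTER change:'
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains
```

The same setting is available in the Teams admin center under external access; changes can take some time to propagate to clients.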
Contributed by: Varrumen