Hackers Leverage Microsoft Teams To Deploy Malware

Image by fptsmartcloud, from Pxhere


A recent cybersecurity breach revealed how a social engineering attack, leveraging voice phishing (vishing) through Microsoft Teams, enabled a malicious actor to deploy DarkGate malware on a victim’s system.

In a Rush? Here are the Quick Facts!

  • Voice phishing through Microsoft Teams led to DarkGate malware deployment.
  • Victim convinced to download AnyDesk after failed Microsoft Remote Support installation.
  • Attacker gained system access by convincing victim to enter credentials.

The attack, analyzed by Trend Micro’s Managed Detection and Response (MDR) team, shows how a phone call delivered over a trusted collaboration platform can bypass email-centric defenses. It began with the victim’s inbox being flooded with several thousand emails; an attacker posing as a client representative then called the victim via Microsoft Teams, offering to help with the problem.

The impersonator instructed the victim to download the Microsoft Remote Support application, but after this installation attempt failed, the attacker successfully convinced the victim to download AnyDesk, a legitimate remote desktop tool.

The attacker then guided the victim to enter their credentials, granting unauthorized access to the system.

Once inside the system, the attacker dropped multiple suspicious files, one of which was identified as Trojan.AutoIt.DARKGATE.D, initiating a series of commands. This led to the connection with a potential command-and-control (C&C) server, enabling the attacker to execute further malicious actions.

Although the attack was halted before any data exfiltration occurred, it exposed weaknesses in how remote access tools are controlled and in how readily staff can be talked into granting access.

The attacker used AutoIt scripts to gain remote control of the victim’s machine, executing commands to gather system information and establish a more persistent foothold.

Notably, the AutoIt3.exe process executed a series of commands that downloaded additional malware, including scripts that attempted to connect to external IP addresses. The malware was designed to evade detection by checking for installed antivirus products and by creating multiple randomly named files to obscure its presence.

The ultimate goal of the attack appeared to be the installation of a final DarkGate payload, which would have given the attacker persistent control of the victim’s system and a path to exfiltrate sensitive data. The intrusion was detected before that stage, so the attacker never achieved this objective.

To defend against such attacks, experts recommend that organizations vet third-party technical support providers thoroughly. Remote access tools such as AnyDesk should be allowlisted, restricted to approved installations, and monitored for unexpected use, with multi-factor authentication (MFA) enabled to prevent unauthorized access.
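As an added illustration (this is example code written for this article, not tooling from Trend Micro or from the incident), the following script turns two of the observations above into detection logic: the AutoIt3.exe activity described earlier, and the recommendation to allowlist and monitor remote access tools. It runs over constructed, Sysmon-style process-creation records; the allowlist, the tool names, the paths and the events are all illustrative assumptions rather than data from the case.

```python
"""Detection rules for the DarkGate-via-Teams-vishing chain (added example).

Rule 1: a remote access tool that is not on the allowlist, or that runs from
        outside its approved install directory (e.g. a user's Downloads folder).
Rule 2: AutoIt3.exe running from, or executing a script stored in, a
        user-writable location.
All tool names, paths and sample events below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Assumed allowlist: executable name -> the only directory it may run from.
APPROVED_REMOTE_TOOLS = {
    "anydesk.exe": PureWindowsPath(r"C:\Program Files (x86)\AnyDesk"),
}
# Executables treated as remote access tools by rule 1 (assumed list).
REMOTE_TOOL_NAMES = {"anydesk.exe", "teamviewer.exe", "ultraviewer.exe", "rustdesk.exe"}
# Path fragments that mark user-writable locations (lower-case, backslash-delimited).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon event ID 1 / Windows 4688 style)."""
    image: str          # full path of the new process
    command_line: str   # command line as logged
    parent_image: str   # full path of the parent process


def is_user_writable(path: str) -> bool:
    """Heuristic: does the path sit under a location an ordinary user can write to?"""
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def check_remote_tool(ev: ProcessEvent) -> Optional[str]:
    """Rule 1: unapproved remote access tool, or approved tool outside its install path."""
    image = PureWindowsPath(ev.image)
    name = image.name.lower()
    if name not in REMOTE_TOOL_NAMES:
        return None
    approved_dir = APPROVED_REMOTE_TOOLS.get(name)
    if approved_dir is None:
        return f"unapproved remote access tool {name} launched from {image.parent}"
    if image.parent != approved_dir:  # PureWindowsPath compares case-insensitively
        return f"{name} running outside approved path ({image.parent})"
    return None


def check_autoit(ev: ProcessEvent) -> Optional[str]:
    """Rule 2: AutoIt interpreter in a user-writable path, or interpreting a script from one."""
    image = PureWindowsPath(ev.image)
    if image.name.lower() != "autoit3.exe":
        return None
    if is_user_writable(ev.image):
        return f"AutoIt3.exe running from user-writable path {image.parent}"
    # Split the command line into quoted or whitespace-delimited tokens, drop argv[0].
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', ev.command_line)]
    for token in tokens[1:]:
        if token.lower().endswith((".a3x", ".au3")) and is_user_writable(token):
            return f"AutoIt3.exe executing script from user-writable path: {token}"
    return None


RULES = (check_remote_tool, check_autoit)


def run_detections(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Apply every rule to every event; return (event index, finding) pairs."""
    findings = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append((idx, msg))
    return findings


# Constructed sample events: one legitimate AnyDesk launch, one from Downloads,
# AutoIt from a temp directory, AutoIt running a script from AppData, an
# unapproved remote tool, and a benign process.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
                 r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"', r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\victim\Downloads\AnyDesk.exe",
                 r'"C:\Users\victim\Downloads\AnyDesk.exe"', r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\victim\AppData\Local\Temp\test\AutoIt3.exe",
                 r'"C:\Users\victim\AppData\Local\Temp\test\AutoIt3.exe" "C:\Users\victim\AppData\Local\Temp\test\script.a3x"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Program Files\AutoIt3\AutoIt3.exe",
                 r'"C:\Program Files\AutoIt3\AutoIt3.exe" "C:\Users\admin\AppData\Roaming\loader.a3x"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Users\victim\Downloads\UltraViewer.exe",
                 r'"C:\Users\victim\Downloads\UltraViewer.exe"', r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, msg in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {msg}")
```

The allowlist rule is deliberately path-based rather than name-based: the AnyDesk binary the victim downloaded in the incident was the genuine tool, so a rule that only checks the executable name would treat it as approved. In production these checks belong in the SIEM or EDR query language rather than a script, and the user-writable heuristic should be replaced with the organization's actual software installation policy.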

Additionally, employees should receive regular training to recognize social engineering tactics and phishing attempts, which remain a key vector for cyberattacks.
