Researchers have reported a new phishing campaign targeting Microsoft Teams messages that sends malicious attachments which lead to the DarkGate loader malware being downloaded.
The malware, used since 2017, was identified in August after MS Teams users reported suspicious phishing messages sent by external accounts. The messages were HR-related (pertaining to annual leave changes) and coaxed users to open a ZIP file to check the “changes”.
The ZIP file is hosted on a SharePoint domain and contains an .LNK file masquerading as a PDF document.
After analysis, researchers found that the file contained malicious VBScript which would start the infection chain resulting in the DarkGate malware payload being deployed.
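As an added example, not code from the report or the researchers it cites, here is a small Python check an attachment scanner could run over a ZIP like the one described: it flags Windows shortcut (.LNK) entries, including ones named to look like a PDF, by both file extension and the Shell Link header bytes. The archive, its file names and its contents are constructed for illustration.

```python
"""Flag ZIP attachments that carry a Windows shortcut (.LNK) posing as a document."""
import io
import zipfile

# ShellLinkHeader: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK specification).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def is_lnk(data: bytes) -> bool:
    """True if the bytes begin with a Shell Link header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def suspicious_entries(zip_bytes: bytes) -> list[dict]:
    """Return one finding per entry that is a .LNK by name or by content.

    Each finding records whether the name mimics a document
    (e.g. 'leave.pdf.lnk' or a shortcut renamed to 'policy.pdf').
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            head = zf.open(info).read(len(LNK_MAGIC))  # header only, never executed
            by_name = lower.endswith(".lnk")
            by_magic = is_lnk(head)
            if not (by_name or by_magic):
                continue
            stem = lower[:-4] if by_name else lower  # strip '.lnk' to see the lure
            findings.append({
                "name": info.filename,
                "lnk_by_name": by_name,
                "lnk_by_magic": by_magic,
                "masquerades_as_document": stem.endswith(DOC_EXTS),
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (not the real campaign file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Annual Leave Changes.pdf.lnk", LNK_MAGIC + b"\x00" * 32)
        zf.writestr("notes.txt", b"benign text")
        zf.writestr("policy.pdf", LNK_MAGIC + b"\x00" * 32)  # shortcut renamed to .pdf
    return buf.getvalue()
```

Windows decides how to open a file by its extension, so the by-name hit is the one that would actually launch; the header check catches content that does not match the claimed extension.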
The malware was initially only used by its developer but has recently been offered for rent online. The author has been seen selling access to a limited group of ten people, at prices ranging from $1,000 for one day and $15,000 for a month to $100,000 for a year's subscription.
The malware supports a number of activities including crypto mining, keylogging, information stealing and remote access.
The recent increase in activity related to this malware may be due to the uptake of affiliates buying access to it.
Phishing within Microsoft Teams, however, is not new. Researchers from JumpSec, a cyber security consulting company, reported a bug within Teams which allows malware to bypass security controls.
Phishing remains a primary attack vector for threat actors with over 3 billion malicious emails sent every day.
Combined with this, malware loaders are becoming increasingly common. Users of Teams should exercise caution with unexpected or unusual messages and pay close attention to the senders and content before interacting with links or attachments.
Reporting
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).