A recent incident analyzed by Trend Micro’s Managed Detection and Response (MDR) team sheds light on a vishing attack that used social engineering over Microsoft Teams to deliver DarkGate malware. The attacker, impersonating an employee of a legitimate client, contacted the victim through a Teams call and talked them into installing a remote access tool. The attacker first attempted to use Microsoft Remote Support; when that failed, they instructed the victim to download AnyDesk instead, and through it gained remote access to the system.
Once the attacker had access, they deployed several suspicious files, one of which was identified as Trojan.AutoIt.DARKGATE.D. The malware used AutoIt scripting to connect to a suspected command-and-control (C&C) server, giving the attacker remote control of the system. Commands were executed to gather system information and to download further malicious payloads. The malware also set up persistence by creating registry entries and files, preserving the attacker’s access beyond the initial remote session.
During the attack, malicious files such as SafeStore.dll were executed to support the malware’s activity, allowing the attacker to carry out further operations such as data collection and command execution in an effort to deepen their control over the victim’s system. The attack was halted before any data was exfiltrated, because the malicious activity was detected and stopped by the security controls in place.
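As an added illustration (not Trend Micro’s code or the MDR team’s actual detection rules), the following Python sketches how the telltales of this chain can be correlated in endpoint telemetry: a remote access tool starting shortly after a Teams session, an AutoIt interpreter or script running from a user-writable directory, an unsigned DLL loaded from such a directory, and a Run-key value pointing back into it. The event records are constructed Sysmon-style entries, not telemetry from the incident; the paths, host names, SID, thirty-minute window, rule names and chain threshold are all assumptions chosen for the example.

```python
"""Toy detection logic for a Teams vishing -> remote access tool -> AutoIt chain.

Added example; not Trend Micro's code or rules. All events below are constructed.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

Alert = namedtuple("Alert", "rule severity host ts detail")

# Heuristics (assumptions for this example, not indicators published for the incident).
USER_WRITABLE = re.compile(
    r"[A-Za-z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
AUTOIT_RE = re.compile(r"autoit3[^\\]*\.exe$", re.I)
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "quickassist.exe"}
TEAMS_IMAGES = {"teams.exe", "ms-teams.exe"}
TEAMS_WINDOW = timedelta(minutes=30)  # remote tool this soon after Teams => high severity

# Constructed Sysmon-style records. WS01 carries the whole chain; WS02 is benign noise.
SAMPLE_EVENTS = [
    {"ts": "2024-10-01T13:02:10", "host": "WS01", "type": "ProcessCreate",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "cmdline": "Teams.exe"},
    {"ts": "2024-10-01T13:06:30", "host": "WS01", "type": "ProcessCreate",
     "image": r"C:\Users\alice\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"ts": "2024-10-01T13:15:02", "host": "WS01", "type": "ProcessCreate",
     "image": r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe C:\Users\alice\AppData\Local\Temp\script.a3x"},
    {"ts": "2024-10-01T13:15:05", "host": "WS01", "type": "ImageLoad",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\SafeStore.dll", "signed": False},
    {"ts": "2024-10-01T13:15:20", "host": "WS01", "type": "RegistrySet",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe C:\Users\alice\AppData\Local\Temp\script.a3x"},
    {"ts": "2024-10-01T09:00:00", "host": "WS02", "type": "ProcessCreate",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe --service"},
    {"ts": "2024-10-01T09:01:00", "host": "WS02", "type": "ProcessCreate",
     "image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe", "cmdline": r"AutoIt3.exe C:\Tools\build.au3"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply the per-event rules in timestamp order and return a list of Alert."""
    alerts, last_teams = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host, kind = datetime.fromisoformat(ev["ts"]), ev["host"], ev["type"]
        if kind == "ProcessCreate":
            name = basename(ev["image"])
            if name in TEAMS_IMAGES:
                last_teams[host] = ts  # remember the most recent Teams start per host
            elif name in REMOTE_TOOLS:
                recent = host in last_teams and ts - last_teams[host] <= TEAMS_WINDOW
                alerts.append(Alert("remote_tool_after_teams" if recent else "remote_tool_started",
                                    "high" if recent else "medium", host, ts, ev["image"]))
            elif AUTOIT_RE.search(ev["image"]) and (
                    USER_WRITABLE.search(ev["image"]) or USER_WRITABLE.search(ev["cmdline"])):
                alerts.append(Alert("autoit_from_user_writable", "high", host, ts, ev["cmdline"]))
        elif kind == "ImageLoad":
            if USER_WRITABLE.search(ev["loaded"]) and not ev.get("signed", False):
                alerts.append(Alert("unsigned_dll_from_user_writable", "medium", host, ts, ev["loaded"]))
        elif kind == "RegistrySet":
            if RUN_KEY.search(ev["target"]) and USER_WRITABLE.search(ev["details"]):
                alerts.append(Alert("run_key_persistence", "high", host, ts, ev["target"]))
    return alerts


def hosts_with_chain(alerts, min_rules=3):
    """Hosts on which at least `min_rules` distinct rules fired: the chain, not a lone event."""
    rules_by_host = {}
    for a in alerts:
        rules_by_host.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host} {a.ts:%H:%M:%S} [{a.severity}] {a.rule}: {a.detail}")
    print("hosts showing the full chain:", hosts_with_chain(found))
```

The point of `hosts_with_chain` is that none of the individual rules is decisive on its own: AnyDesk and AutoIt are both legitimate software, and WS02 shows that a lone remote-tool start from Program Files only reaches medium severity. Requiring several distinct rules on the same host is what separates this intrusion pattern from ordinary administrative use.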
This attack highlights how social engineering increasingly exploits trusted collaboration platforms such as Microsoft Teams to trick victims into granting remote access, and it underscores the importance of user education, vigilance, and robust detection and response processes to catch such threats early. In practice that includes alerting on remote access tools that are not on the organization’s approved list. The abuse of legitimate software (a remote access tool and a scripting runtime) for malicious purposes exemplifies how attackers adapt their tactics to bypass traditional security defenses.
Reference: