DarkGate RAT Again

A thwarted attack demonstrates that threat actors are using another delivery method for the DarkGate remote access Trojan (RAT), which has already been spread using phishing emails, malvertising, hijacking of Skype and Teams instant messages, and search engine optimization (SEO) poisoning. In the new attack vector, a threat actor targeted a Microsoft Teams user via a voice call to gain access to their device, researchers said.

See: https://redskyalliance.org/xindustry/darkgate-rat-update

Researchers discovered the voice phishing, or vishing, attack, in which an attacker initially tried to install a Microsoft remote support application to gain access to the user's device, they revealed in a recent blog post. While this failed, the cyber attackers used social engineering to convince the victim to download the AnyDesk tool for remote access, which they eventually achieved.

The attacker loaded multiple "suspicious files" onto the victim's machine via a connection established to a command-and-control (C2) server, one of which was DarkGate. The RAT, distributed as usual via an AutoIt script, enabled remote control over the user's machine, executed malicious commands, gathered system information, and connected to a C2 server.

The multistage attack started in a more typical DarkGate way, through thousands of phishing emails sent to the victim's inbox. A Microsoft Teams call, purportedly for technical support, followed up on the emails and kicked off the vishing attack. The caller claimed to be an employee of an external supplier of the victim's company needing assistance and instructed the victim to download the Microsoft Remote Support application.

"However, the installation via the Microsoft Store failed," Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta wrote in the post. "The attacker then instructed the victim to download AnyDesk via browser and manipulate the user to enter her credentials to AnyDesk."

The attacker used AnyDesk to set up a communication channel to C2, initiate various malicious scripts, and eventually run a PowerShell command to drop DarkGate using the AutoIt script.

AutoIt is a legitimate Windows automation and scripting tool favored by attackers for obfuscation and defense evasion. After installation, the attack also loaded files and a registry entry for persistence.

While ultimately the attack was stopped before data could be exfiltrated from the victim's machine, it demonstrates DarkGate actors using yet another means to spread the formidable RAT, adding to a long list of previously used delivery methods, the researchers said.

DarkGate has been used to target users worldwide since at least 2017 and integrates multiple diverse and malicious functions. Its capabilities include executing commands for gathering system information, mapping networks, doing directory traversal, and launching Remote Desktop Protocol (RDP), hidden virtual network computing, AnyDesk, and other remote access software. DarkGate also has features to support cryptocurrency mining, keylogging, privilege escalation, and stealing information from browsers. It is even known to carry additional payloads, including other RATs like Remcos.

Vishing attacks are becoming ever more psychologically sophisticated, with attackers even resorting to physical intimidation to coerce victims into complying with demands.

Training employees on signs of a vishing attack, including staying current on the latest tactics, is becoming increasingly important as these attacks escalate. "Well-informed employees are less likely to fall victim to social engineering attacks, strengthening the organization’s overall security posture," the researchers wrote.

Organizations also should "thoroughly vet third-party technical support providers" to "ensure that any claims of vendor affiliation are directly verified before granting remote access to corporate systems," the researchers wrote. Moreover, they should establish cloud-vetting processes to evaluate and approve remote access tools, such as AnyDesk, to assess security compliance and vendor reputation before using them.

Whitelisting approved remote access tools, blocking unverified applications, and integrating multifactor authentication (MFA) on remote access tools reduces "the risk of malicious tools being used to gain control over internal machines," the researchers reported.
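As an added illustration of the allowlisting and detection controls recommended above (example code written for this page, not Trend Micro's or Red Sky Alliance's), the following checks constructed process-creation events for the chain the article describes: a remote access tool that is not on the approved list, PowerShell launching the AutoIt interpreter, and a Run-key write from that interpreter. The event schema, the allowlist contents, the binary names watched, and the assumption that the persistence entry is a Run key are all illustrative assumptions, and the sample events are constructed, not real telemetry.

```python
import re
from dataclasses import dataclass

# Assumed organisational allowlist: only tools approved through a vetting process.
# AnyDesk is deliberately absent, as it was not an approved tool in the incident.
APPROVED_REMOTE_TOOLS = {"msra.exe"}

# Remote access executables worth watching (illustrative, not exhaustive).
REMOTE_TOOL_BINARIES = {"anydesk.exe", "teamviewer.exe", "msra.exe", "quickassist.exe"}

@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str

def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events):
    """Return (rule, event) pairs for the described AnyDesk -> PowerShell -> AutoIt chain."""
    findings = []
    for ev in events:
        img, parent = _basename(ev.image), _basename(ev.parent_image)
        # Rule 1: a remote access tool that is not on the approved allowlist.
        if img in REMOTE_TOOL_BINARIES and img not in APPROVED_REMOTE_TOOLS:
            findings.append(("unapproved_remote_access_tool", ev))
        # Rule 2: PowerShell launching the AutoIt interpreter (the dropper step described).
        if parent in {"powershell.exe", "pwsh.exe"} and img.startswith("autoit3"):
            findings.append(("powershell_spawns_autoit", ev))
        # Rule 3 (assumed persistence mechanism): a Run-key write from the AutoIt process.
        if parent.startswith("autoit3") and img == "reg.exe" and \
                re.search(r"currentversion\\run", ev.command_line, re.I):
            findings.append(("autoit_registry_persistence", ev))
    return findings

# Constructed sample events mirroring the described chain (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Users\user\Downloads\AnyDesk.exe", "AnyDesk.exe"),
    ProcessEvent(r"C:\Users\user\Downloads\AnyDesk.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -w hidden -c ..."),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\temp\AutoIt3.exe", r"AutoIt3.exe C:\temp\script.a3x"),
    ProcessEvent(r"C:\temp\AutoIt3.exe", r"C:\Windows\System32\reg.exe", r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\temp\AutoIt3.exe C:\temp\script.a3x"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule}: {ev.parent_image} -> {ev.image}")
```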


This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424


https://www.darkreading.com/cyberattacks-data-breaches/vishing-via-microsoft-teams-spreads-darkgate-rat
© 2024 Red Sky Alliance Corporation. All rights reserved.
