Teams used as a landing pad for malware (2023)
Recently, companies have been seeing the abuse of Teams as a landing pad for malware.
A recent phishing campaign is exploiting Microsoft Teams messages to distribute DarkGate Loader malware. This campaign began in August 2023 when compromised Office 365 accounts sent phishing messages to other organizations through Microsoft Teams. The messages contained a malicious ZIP file named “Changes to the vacation schedule,” which, when opened, triggered a download from a SharePoint URL and executed an LNK file disguised as a PDF.
Researchers at Truesec analyzed the campaign and found it utilized VBScript to deliver the DarkGate Loader. To avoid detection, it used Windows cURL to fetch the malware files. The script checked for Sophos antivirus software and, if absent, deobfuscated code and initiated the shellcode to construct and load DarkGate into memory.
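The lure described above hinges on a Windows shortcut inside a ZIP carrying a document-looking name. As an added defensive example (not code from the original post or from Truesec's analysis), the following inspects an archive and flags entries that are shortcuts by their header bytes or that hide a script/shortcut extension behind a document extension; the sample archive is constructed in-memory and contains no real shortcut target.

```python
import io
import zipfile

# Every Windows shortcut (.lnk) starts with HeaderSize 0x0000004C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Extensions that execute when double-clicked and often ride behind a ".pdf".
SCRIPT_LIKE = {".lnk", ".vbs", ".js", ".cmd", ".bat", ".ps1", ".hta"}
DOC_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def inspect_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per suspicious entry: a dict with the entry name and
    the list of reasons it was flagged (content-based and name-based checks)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Content check: read only enough bytes to compare the LNK header.
            head = zf.open(info).read(len(LNK_MAGIC))
            is_lnk = head.startswith(LNK_MAGIC)
            # Name check: split the basename into its chain of extensions.
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            exts = ["." + p for p in parts[1:]]
            reasons = []
            if is_lnk:
                reasons.append("LNK header bytes")
            if len(exts) >= 2 and exts[-1] in SCRIPT_LIKE and exts[-2] in DOC_LIKE:
                reasons.append("document extension masking " + exts[-1])
            if is_lnk and (not exts or exts[-1] != ".lnk"):
                reasons.append("LNK content with non-.lnk extension")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed sample archive imitating the lure: a shortcut-headed file
    named like a PDF plus a harmless text file (assumed names, not real IoCs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Changes to the vacation schedule.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

Because the header check is content-based, it still fires when an attacker renames the shortcut to a bare ".pdf"; mail and chat gateways that unpack attachments can apply the same logic before delivery.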
This Microsoft Teams phishing method aligns with a June 2023 report by Jumpsec, highlighting the potential for abuse. Microsoft’s response has been to recommend secure configurations and to disable external access if it is unnecessary. While DarkGate previously saw limited use, it has resurfaced with expanded capabilities, including remote access, cryptocurrency mining, keylogging, and data theft.
As a reminder: DON’T download that suspicious file you think could be legit! Always check who the sender is and whether you have any relation to them!