Microsoft Teams messages are being used as a vector for a new phishing campaign, designed to trick users into downloading an attachment containing malware.
Starting last month, malicious messages were sent from a couple of compromised Office 365 accounts. They contained a ZIP file called “vacation schedule changes.”
Clicking it downloads the file from a SharePoint URL. Inside the archive is what looks like a PDF but is actually an LNK shortcut file; the shortcut runs a malicious VBScript, which in turn installs the malware known as DarkGate.
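An added example, not from the original article or from Truesec, of the kind of check a mail or endpoint team can run on attachments like the one described above: it opens a ZIP archive and flags any entry that is a Windows shortcut, either by a .lnk extension (including a document-looking double extension such as .pdf.lnk) or by the LNK header bytes, so a shortcut renamed to look like a document is still caught. The archive it scans is constructed in the temp directory; the file names and paths are assumptions.

```powershell
# Added example (not code from the article or from Truesec). Flags Windows
# shortcut (.lnk) files inside a ZIP, which are a common lure payload that
# looks like a document to the user. Paths and names below are assumptions.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-ArchiveForShortcut {
    param([Parameter(Mandatory)][string]$ArchivePath)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ArchivePath)
    try {
        foreach ($entry in $zip.Entries) {
            # Directory entries have an empty Name; nothing to inspect there
            if ([string]::IsNullOrEmpty($entry.Name)) { continue }

            $reasons = @()

            # Check 1: extension. GetExtension returns the LAST extension, so
            # "report.pdf.lnk" yields ".lnk" even when Explorer hides it.
            $ext = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
            if ($ext -eq '.lnk') { $reasons += 'shortcut extension (.lnk)' }

            # Check 2: file header. Shell link files begin with the 4-byte
            # header size 0x0000004C, regardless of what the file is named.
            $stream = $entry.Open()
            try {
                $buf = New-Object byte[] 4
                $read = $stream.Read($buf, 0, 4)
                if ($read -eq 4 -and $buf[0] -eq 0x4C -and $buf[1] -eq 0 -and $buf[2] -eq 0 -and $buf[3] -eq 0) {
                    $reasons += 'LNK header bytes'
                }
            } finally {
                $stream.Dispose()
            }

            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Archive = $ArchivePath
                    Entry   = $entry.FullName
                    Reason  = ($reasons -join '; ')
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

# Constructed sample archive mimicking the lure: a "PDF" that is really a shortcut,
# plus a second entry with no .lnk extension but an LNK header. Not real shortcuts.
$work = Join-Path $env:TEMP 'lnk-check-demo'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$lnkHeader = [byte[]](0x4C, 0x00, 0x00, 0x00) + [byte[]](1..16)   # header size + filler
[System.IO.File]::WriteAllBytes((Join-Path $work 'vacation schedule changes.pdf.lnk'), $lnkHeader)
[System.IO.File]::WriteAllBytes((Join-Path $work 'notes.pdf'), $lnkHeader)
[System.IO.File]::WriteAllText((Join-Path $work 'readme.txt'), 'harmless text entry')

$archive = Join-Path $env:TEMP 'vacation schedule changes.zip'
Compress-Archive -Path (Join-Path $work '*') -DestinationPath $archive -Force

# Expected: two findings (the .pdf.lnk entry and notes.pdf by header), readme.txt is clean
Test-ArchiveForShortcut -ArchivePath $archive | Format-Table -AutoSize
```

The header check is the one that matters for renamed files: a shortcut only executes as a shortcut when it carries the .lnk extension, but an attachment scanner that keys on extension alone misses archives where the name was changed later in the delivery chain. Nested archives are not unpacked here; a production scanner would recurse into ZIP entries that are themselves archives.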
DarkGate
Cybersecurity company Truesec launched an investigation into the campaign and found that the download uses the cURL binary built into Windows to retrieve the malware code. The script is precompiled, with the malicious portions buried in the middle of the file to evade detection.
The script also checks whether the popular antivirus product Sophos is installed on the victim’s endpoint. If it is not, the remaining code is unmasked and the shellcode is launched to run the DarkGate executable and load it into system memory.
This is not the first time that Microsoft Teams messages have been a cause for concern. A bug was recently found that allowed messages from external accounts to reach an organization’s inbox when they should not have. This new DarkGate campaign appears to be exploiting that flaw.
Microsoft did not address the error directly; all it does is recommend that organizations create Teams whitelists so that only certain external organizations can communicate with them, or else disable external communications entirely.
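The two configurations Microsoft recommends, as an added example rather than anything from the article or from Microsoft’s own documentation: a tenant-wide allow list (the article’s whitelist) of partner domains, or external access switched off entirely. It assumes the MicrosoftTeams PowerShell module, a Teams administrator account, and placeholder partner domain names.

```powershell
# Added example (not from the article or Microsoft). Tenant-level Teams external
# access settings. Requires the MicrosoftTeams module and a Teams admin role.
# The partner domains are placeholders; replace with the organisations you trust.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Option 1: allow list. Federation stays on, but only the listed domains may
# message users in this tenant. Personal (consumer) Teams accounts are blocked too,
# since they are another external path into the inbox.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @{Add = "partner-a.example", "partner-b.example"} `
    -AllowTeamsConsumer $false

# Option 2: no external communication at all. Uncomment to use instead of option 1.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false -AllowTeamsConsumer $false

# Verify the effective tenant configuration after the change
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer
```

The tenant setting is the outer fence; per-user external access policies (managed with Grant-CsExternalAccessPolicy) can further restrict individual users, but cannot widen what the tenant configuration blocks. Changes can take some time to propagate, so re-run the Get-CsTenantFederationConfiguration check before treating the change as complete.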
DarkGate has been around since 2017, but its use has been limited to a few cybercriminals against specific targets. It is a powerful and fully equipped tool, capable of stealing files, browser data and clipboard content, as well as cryptomining, keylogging and remote control of endpoints.