
DarkGate RAT Spreads via Microsoft Teams Vishing Attack | Image Source: www.darkreading.com
NEW YORK, June 16, 2024 — According to Dark Reading, cybercriminals have found a new way to propagate the DarkGate remote access Trojan (RAT), this time abusing Microsoft Teams in a vishing (voice phishing) attack. Researchers at Trend Micro identified an attack vector in which the attackers combined social engineering with legitimate remote access tools to gain a foothold on a target's device. The incident highlights the increasing sophistication of vishing as a method of delivering malware like DarkGate.
The attack began with a flood of phishing emails followed by a Teams call masquerading as technical support. The callers claimed to be from an external supplier and urged the victim to install remote access software. When their initial attempt to have the victim install Microsoft's Remote Support tool failed, the attackers convinced the victim to download AnyDesk, a widely used remote access tool, through the web browser. Using the AnyDesk session, the attackers dropped multiple suspicious files on the device and ultimately deployed the DarkGate RAT. The malware was loaded via a PowerShell script that invoked AutoIt, a legitimate Windows scripting tool that attackers often abuse because its signed interpreter and compiled scripts tend to attract less scrutiny than a bare executable.
A Multistage Vishing Cyberattack
Trend Micro researchers detailed the multistage nature of the attack in their recent findings. It began with thousands of phishing emails delivered to the target’s inbox, setting the stage for follow-up social engineering. The Microsoft Teams call, a less conventional medium for cyberattacks, was presented as a support request, leveraging psychological manipulation to gain trust.
“The attacker instructed the victim to download AnyDesk via browser and manipulate the user to enter her credentials to AnyDesk,” explained Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta. The successful installation of AnyDesk allowed the attackers to initiate a command-and-control (C2) connection and execute malicious scripts. The DarkGate malware was ultimately deployed, and additional files and registry entries were created to ensure persistence on the victim’s machine.
DarkGate enables full remote control of an infected device, allowing attackers to issue commands, gather system data, and establish further malicious operations. While the attack was halted before any data exfiltration occurred, it revealed yet another effective method for delivering the formidable RAT. This expands the growing list of techniques previously employed by DarkGate actors, including phishing emails, malvertising, SEO poisoning, and hijacking communication platforms like Skype and Teams.
DarkGate’s Capabilities and Global Threat
DarkGate is not new to the cyberthreat landscape, having been active since at least 2017. As a multifunctional malware, it integrates diverse malicious capabilities. According to Trend Micro, the RAT allows attackers to execute remote commands, gather sensitive information, map networks, and traverse directories on the infected host. It can also launch Remote Desktop Protocol (RDP) sessions, hidden virtual network computing (hVNC), and remote access tools such as AnyDesk for covert control.
In addition to its primary functions, DarkGate can escalate privileges, enable keylogging, steal browser data, and even deploy additional payloads, including other RATs like Remcos. Furthermore, the malware supports cryptocurrency mining operations, making it a versatile and dangerous tool in the hands of threat actors. The combination of its advanced functionalities and multiple delivery methods underscores why DarkGate remains a persistent global cyberthreat.
Psychological Tactics in Vishing Attacks
The use of vishing attacks, particularly on platforms like Microsoft Teams, reflects the evolving strategies of cybercriminals. Social engineering lies at the core of vishing, where attackers rely on human trust and coercion to manipulate victims into taking harmful actions. Researchers noted that the Microsoft Teams call was well-orchestrated, mimicking legitimate technical support while exploiting the victim’s willingness to comply with external vendors.
“Vishing attacks are becoming ever more psychologically sophisticated, with attackers even resorting to physical intimidation to coerce victims into complying with demands,” the researchers explained. The success of such attacks hinges on exploiting human error rather than technical vulnerabilities, making user awareness and training essential to organizational defense.
Mitigation Strategies for Organizations
To defend against such advanced vishing attacks and the spread of malware like DarkGate, organizations need to implement robust security measures. According to Trend Micro, employee education remains a critical first step. Training programs should focus on recognizing social engineering tactics, verifying technical support claims, and identifying suspicious communications, particularly those involving remote access tools.
Organizations should also thoroughly vet third-party vendors claiming to offer technical support. “Claims of vendor affiliation should be directly verified before granting remote access to corporate systems,” the researchers advised. This verification process can help prevent unauthorized individuals from manipulating employees into installing malicious tools like AnyDesk.
Moreover, companies are encouraged to establish cloud-vetting processes for remote access tools to ensure they meet security compliance standards. By whitelisting approved tools and blocking unverified applications, businesses can mitigate the risk of malicious software being used as an entry point. Implementing multifactor authentication (MFA) for remote access tools adds an additional layer of security, reducing the likelihood of unauthorized access to internal systems.
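The allowlisting recommendation above, and the intrusion chain described earlier (AnyDesk fetched through the browser, then PowerShell invoking AutoIt), can be turned into concrete endpoint detection. The following is an added example written for this article, not Trend Micro's or Dark Reading's code: it runs three hypothetical heuristics over Sysmon-style process-creation events and reports a host where all three stages occur within a short window. The approved-tool allowlist, the set of remote access tool names, the field names and the sample events are all assumptions constructed for illustration.

```python
"""Flag a DarkGate-style chain (unapproved remote access tool -> shell ->
AutoIt script) in process-creation telemetry and enforce a remote-access-tool
allowlist. Heuristics and sample data are hypothetical (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical allowlist: tool -> directory where IT deploys it. The same
# binary running from anywhere else (e.g. a user's Downloads) is unapproved.
APPROVED_REMOTE_TOOLS = {"anydesk.exe": "c:\\program files (x86)\\anydesk\\"}
REMOTE_TOOL_NAMES = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
CHAIN = {"unapproved_remote_tool", "shell_spawned_by_remote_tool",
         "autoit_script_from_user_path"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of heuristic findings for one process-creation event."""
    image = event["Image"].lower()
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    name = _basename(image)
    findings = []
    # 1. Remote access tool running from a path IT did not install it to.
    if name in REMOTE_TOOL_NAMES:
        approved_dir = APPROVED_REMOTE_TOOLS.get(name)
        if approved_dir is None or not image.startswith(approved_dir):
            findings.append("unapproved_remote_tool")
    # 2. A shell whose parent is a remote access tool: the remote party,
    #    not the local user, is running commands.
    if name in SHELLS and _basename(parent) in REMOTE_TOOL_NAMES:
        findings.append("shell_spawned_by_remote_tool")
    # 3. AutoIt interpreter or a compiled .a3x script executing from a
    #    user-writable location (the stage that loaded DarkGate).
    if name == "autoit3.exe" or ".a3x" in cmdline:
        if image.startswith(USER_WRITABLE) or any(p in cmdline for p in USER_WRITABLE):
            findings.append("autoit_script_from_user_path")
    return findings


def correlate(jsonl, window=timedelta(minutes=30)):
    """Group findings per host; report a chain when all three stages occur
    within `window`. Returns {host: {"findings": [...], "chain": bool}}."""
    by_host = defaultdict(list)
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        by_host.setdefault(ev["Computer"], [])  # hosts with no hits still appear
        for f in classify(ev):
            by_host[ev["Computer"]].append(
                (datetime.fromisoformat(ev["UtcTime"]), f, ev["Image"]))
    report = {}
    for host, hits in by_host.items():
        hits.sort()  # chronological
        stages = {f for _, f, _ in hits}
        within = bool(hits) and hits[-1][0] - hits[0][0] <= window
        report[host] = {"findings": [f for _, f, _ in hits],
                        "chain": CHAIN <= stages and within}
    return report


# Constructed sample telemetry (not from the incident). WS01 shows the chain;
# WS02 shows an IT-deployed AnyDesk service and a benign AutoIt build job.
SAMPLE_EVENTS = r"""
{"UtcTime": "2024-12-10 09:12:03", "Computer": "WS01", "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "\"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe\""}
{"UtcTime": "2024-12-10 09:20:41", "Computer": "WS01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\run.ps1"}
{"UtcTime": "2024-12-10 09:21:05", "Computer": "WS01", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AutoIt3.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "AutoIt3.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\script.a3x"}
{"UtcTime": "2024-12-10 10:02:00", "Computer": "WS02", "Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --service"}
{"UtcTime": "2024-12-10 10:05:30", "Computer": "WS02", "Image": "C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "AutoIt3.exe C:\\Build\\package.a3x"}
"""

if __name__ == "__main__":
    for host, result in correlate(SAMPLE_EVENTS).items():
        print(host, "CHAIN" if result["chain"] else "ok", result["findings"])
```

Each heuristic alone is noisy (help desks do spawn shells through remote tools, and AutoIt has legitimate users), which is why the example only escalates when all three stages line up on one host within the window; the allowlist check is the piece that directly implements the "approved tools only" control, since a vendor-supplied AnyDesk in Downloads fails it even though the binary itself is legitimate and signed.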
“Well-informed employees are less likely to fall victim to social engineering attacks, strengthening the organization’s overall security posture,” the researchers emphasized. Awareness and proactive defenses are crucial as cybercriminals continue to refine their tactics and exploit human vulnerabilities.
As DarkGate actors explore new avenues for spreading malware, such as Microsoft Teams, organizations must remain vigilant. Combining technical solutions with comprehensive user education can help minimize the risk of falling victim to these increasingly sophisticated vishing campaigns.