Starting last month, the malicious messages were being sent from a couple of compromised Office 365 accounts. They contained a ZIP file called “changes to the vacation schedule.”
Clicking on it downloads the ZIP from a SharePoint URL. Inside the archive is what looks like a PDF file but is actually an LNK (Windows shortcut) file, which itself contains malicious VBScript that leads to the malware, known as DarkGate, being installed.
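The lure described above (an archive whose "PDF" is really a shortcut) can be caught at a mail or file gateway by checking an entry's magic bytes against its name. The following scanner is an added example, not code from the article or from Truesec; the entry names, the double-extension naming and the 60 padding bytes in the sample archive are constructed assumptions, while the LNK header signature is the documented one from MS-SHLLINK.

```python
import io
import zipfile
from typing import List, Optional

# Shell Link (.LNK) files begin with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian field order (MS-SHLLINK).
LNK_SIGNATURE = bytes.fromhex("4C000000" "0114020000000000C000000000000046")
MAX_READ = 64  # bytes read per entry; enough for magic-byte checks
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}


def classify_entry(name: str, head: bytes) -> Optional[str]:
    """Return a finding for one archive entry, or None if nothing looks off."""
    lower = name.lower()
    is_lnk = head.startswith(LNK_SIGNATURE)
    if is_lnk and not lower.endswith(".lnk"):
        return f"{name}: LNK content with non-.lnk extension"
    if is_lnk:
        # A shortcut inside an archive is unusual; a document decoy name makes it worse
        parts = lower.rsplit(".", 2)
        if len(parts) == 3 and parts[1] in DECOY_EXTS:
            return f"{name}: shortcut disguised as {parts[1].upper()} (double extension)"
        return f"{name}: Windows shortcut (.lnk) in archive"
    if lower.endswith(".pdf") and not head.startswith(b"%PDF-"):
        return f"{name}: .pdf extension but no PDF header"
    return None


def scan_zip(data: bytes) -> List[str]:
    """Scan an in-memory ZIP and return human-readable findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(MAX_READ)  # never extract the whole entry
            finding = classify_entry(info.filename, head)
            if finding:
                findings.append(finding)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the lure: a 'PDF' that is really an LNK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("changes to the vacation schedule.pdf.lnk", LNK_SIGNATURE + b"\x00" * 60)
        zf.writestr("real-document.pdf", b"%PDF-1.4\n% harmless placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_zip(build_sample_zip()):
        print(line)
```

Pair this with a policy that blocks or quarantines any archive carrying a shortcut, since a legitimate vacation schedule has no reason to ship as an LNK.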
Cybersecurity firm Truesec investigated the campaign and found that the download uses Windows cURL to fetch the malware's code. The script is pre-compiled, with the malicious elements hidden in the middle of the file in order to evade detection.
The script also checks to see whether popular antivirus solution Sophos is installed on the victim’s endpoint. If it isn’t, then additional code is unmasked and shellcode is launched to trigger the DarkGate executable and load it into the system memory.
This is not the first time Microsoft Teams messages have been a cause for concern. Recently, a bug was found which allowed messages from external accounts to be received into an organization’s inbox, which is not supposed to happen. It looks as if this new DarkGate campaign is making use of this flaw.
Microsoft has not addressed the flaw directly; all it has done is recommend that organizations make allow-lists in Teams so that only certain external organizations can communicate with them, or else disable external communications altogether.
DarkGate has been around since 2017, but its use has been restricted to only a handful of cybercriminals against specific targets. It is a powerful and all-encompassing tool, capable of stealing files, browser data, and clipboard contents, as well as cryptomining, keylogging and remote control of endpoints.