Full Report
Trend Micro highlighted a case where an attacker posed as a client on an MS Teams call to distribute DarkGate malware
Analysis Summary
# Tool/Technique: DarkGate Malware
## Overview
DarkGate is a sophisticated piece of malware designed for various malicious activities, including data theft, unauthorized access, and system compromise. It is known for its advanced evasion techniques. The observed distribution method involved a social engineering attack leveraging vishing via Microsoft Teams, culminating in the installation of the malware alongside the remote desktop tool AnyDesk.
## Technical Details
- Type: Malware family
- Platform: Windows (Inferred from paths like `C:\Users`)
- Capabilities: Data theft, unauthorized access, system compromise, advanced evasion.
- First Seen: Not specified in the text, but its distribution method is noted as evolving.
## MITRE ATT&CK Mapping
The observed execution chain maps to several techniques related to initial access, execution, persistence, and defense evasion:
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (Implied in the broader context of phishing distribution, although the final delivery mechanism was vishing/social engineering)
- **TA0002 - Execution**
  - T1218 - Signed Binary Proxy Execution
    - T1218.011 - Rundll32
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (Implied via use of AutoIt3.exe and DLL reflection/loading)
  - T1036 - Masquerading (Inferred from process injection into `MicrosoftEdgeUpdateCore.exe`)
- **TA0003 - Persistence**
  - T1547 - Boot or Logon Autostart Execution (Inferred from creation of a registry entry for persistence)
## Functionality
### Core Capabilities
- Deploying malicious payloads on victim systems.
- Gathering system configuration and network interface details.
- Establishing Command and Control (C2) communication.
- Maintaining persistence post-installation.
### Advanced Features
- Utilizes legitimate remote desktop software (AnyDesk) to gain initial access and potentially move laterally or elevate privileges.
- Employs process injection into a legitimate process (`MicrosoftEdgeUpdateCore.exe`) to hide malicious activity and establish C2 connection.
- Uses components like `script.a3x` and `AutoIt3.exe` to evade detection before injecting the final DarkGate script into memory.
- Deploys component DLLs (e.g., `SafeStore.dll`) which may interact with user credentials via a login prompt, even if credentials are not entered.
## Indicators of Compromise
- File Hashes: [Not provided in the article]
- File Names: `AnyDesk.exe`, `SafeStore.dll`, `SystemCert.exe`, `script.a3x`, `AutoIt3.exe`
- Registry Keys: [One registry entry created for persistence, specific details not provided]
- Network Indicators: Connections observed from the injected process (`MicrosoftEdgeUpdateCore.exe`) to a C2 server (C2 details defanged/not provided).
- Behavioral Indicators: Execution of `C:\Users\Downloads\AnyDesk.exe` as a local service; invocation of `cmd.exe` to execute `rundll32.exe` loading `SafeStore.dll`; execution of `SystemCert.exe`; execution chain leading to process injection into `MicrosoftEdgeUpdateCore.exe`.
## Associated Threat Actors
- Threat Actor using **Vishing via MS Teams** (Reported by Trend Micro).
- Not explicitly tied to historically named APT groups in this context, but associated with groups that favor rapid adoption of new distribution vectors.
## Detection Methods
- Signature-based detection: (Requires signatures for DarkGate binaries, `SafeStore.dll`, etc.)
- Behavioral detection: Monitoring the execution chain: unsolicited remote tool download -> execution as a service -> loading of unusual DLLs (`SafeStore.dll`) via `rundll32.exe` -> process injection into system processes like `MicrosoftEdgeUpdateCore.exe`.
- YARA rules: [Not provided in the article]
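The behavioral chain above, written as a correlation over constructed Sysmon-style process and network events. This is an added example, not code from the article or from Trend Micro; the event shape, the `C:\Users\Public` paths, the `EntryPoint` export name and the 30-minute window are assumptions, while the file names and the `MicrosoftEdgeUpdateCore.exe` target come from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style telemetry (sample data, not from the article):
# event "process" = process creation, "network" = outbound connection.
EVENTS = [
    {"ts": "2024-11-20T10:02:11", "host": "ws01", "event": "process",
     "image": r"C:\Users\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe --install"},
    {"ts": "2024-11-20T10:05:40", "host": "ws01", "event": "process",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\SafeStore.dll,EntryPoint"},  # export name assumed
    {"ts": "2024-11-20T10:06:02", "host": "ws01", "event": "process",
     "image": r"C:\Users\Public\SystemCert.exe", "cmdline": "SystemCert.exe"},
    {"ts": "2024-11-20T10:06:30", "host": "ws01", "event": "process",
     "image": r"C:\Users\Public\AutoIt3.exe", "cmdline": r"AutoIt3.exe C:\Users\Public\script.a3x"},
    {"ts": "2024-11-20T10:07:15", "host": "ws01", "event": "network",
     "image": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdateCore.exe", "cmdline": ""},
    # ws02: an admin installing AnyDesk from Downloads and nothing else -> no alert
    {"ts": "2024-11-20T11:00:00", "host": "ws02", "event": "process",
     "image": r"C:\Users\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe --install"},
]

# One predicate per stage of the chain from the Detection Methods list.
STAGES = [
    ("anydesk_from_user_profile", lambda e: e["event"] == "process"
        and "\\users\\" in e["image"].lower() and e["image"].lower().endswith("anydesk.exe")),
    ("rundll32_safestore", lambda e: e["image"].lower().endswith("rundll32.exe")
        and "safestore.dll" in e["cmdline"].lower()),
    ("systemcert_exec", lambda e: e["image"].lower().endswith("systemcert.exe")),
    ("autoit_a3x", lambda e: e["image"].lower().endswith("autoit3.exe")
        and e["cmdline"].lower().endswith(".a3x")),
    ("edgeupdatecore_beacon", lambda e: e["event"] == "network"
        and e["image"].lower().endswith("microsoftedgeupdatecore.exe")),
]

def correlate(events, window=timedelta(minutes=30), min_stages=3):
    """Return {host: [stages in order]} for hosts where at least min_stages
    distinct stages fire within `window` of that host's first hit."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        for name, match in STAGES:
            if match(e):
                hits[e["host"]].append((datetime.fromisoformat(e["ts"]), name))
    alerts = {}
    for host, seq in hits.items():
        start = seq[0][0]
        seen = list(dict.fromkeys(n for t, n in seq if t - start <= window))
        if len(seen) >= min_stages:
            alerts[host] = seen
    return alerts

if __name__ == "__main__":
    print(correlate(EVENTS))
```

A single stage (an admin legitimately installing AnyDesk) does not alert; requiring several stages inside one window is what separates this chain from routine remote-support activity.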
## Mitigation Strategies
- Thoroughly vet third-party technical support providers; directly verify claims of vendor affiliation *before* granting remote access.
- Whitelist approved remote access tools and block any unverified applications.
- Integrate Multi-Factor Authentication (MFA) on all remote access tools.
- Employee training emphasizing the dangers of unsolicited support calls (vishing) or pop-ups.
## Related Tools/Techniques
- **AnyDesk:** Used as a delivery mechanism to establish initial remote access.
- **Microsoft QuickAssist:** Mentioned in context of a similar vishing attack delivering ransomware, indicating a pattern of social engineering for remote access.
- **AutoIt3.exe:** Used as part of the evasion chain to execute scripts/payloads.
---
# Tool/Technique: Vishing via Microsoft Teams
## Overview
This technique involves an attacker using voice phishing (vishing), here conducted over Microsoft Teams, combined with social engineering to deceive a target user into downloading and executing malicious software, ultimately leading to malware deployment (in this case, DarkGate).
## Technical Details
- Type: Technique (Social Engineering/Initial Access)
- Platform: Platform agnostic for the delivery method (reliance on MS Teams client), but execution targets Windows.
- Capabilities: Bypassing traditional email security filters, leveraging a trusted communication platform (MS Teams) to build rapport, and coercing users into granting remote access.
- First Seen: Observed in this context in late 2024, showing an evolving attack trend.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.004 - Spearphishing Link (Applicable if links were used, but vishing is the primary vector here)
    - T1566.005 - Spearphishing via Service (Leveraging MS Teams)
  - T1190 - Exploit Public-Facing Application (Less direct, but relates to exploiting trust in organizational platforms)
## Functionality
### Core Capabilities
- Impersonating trusted entities (e.g., employees of a known supplier) during a scheduled or spontaneous call.
- Applying immediate social pressure to expedite the victim's actions.
- Directing victims to download and install unauthorized remote access software (e.g., AnyDesk).
### Advanced Features
- Chain execution flow: Initial contact (flooding emails) followed by direct voice contact (Vishing) to apply pressure, overriding skepticism.
- Successful manipulation to bypass standard security procedures (e.g., store installation failure leading to direct executable download).
## Indicators of Compromise
- File Hashes: [N/A for the technique itself]
- File Names: [N/A for the technique itself, but relies heavily on tools like `AnyDesk.exe`]
- Registry Keys: [N/A for the technique itself]
- Network Indicators: Voice/video traffic related to the malicious MS Teams session.
- Behavioral Indicators: Unsolicited contact requesting urgent installation of support tools or execution of remote access software.
## Associated Threat Actors
- Threat Actor utilizing DarkGate distribution.
- Actors referenced by researchers as employing similar vishing/remote access tactics (e.g., those distributing ransomware via QuickAssist).
## Detection Methods
- Signature-based detection: [Not directly applicable to the Vishing call itself]
- Behavioral detection: Monitoring anomalies in user behavior, such as receiving assistance requests from unexpected contacts or downloading unauthorized remote software immediately following a voice call.
- YARA rules: [N/A]
## Mitigation Strategies
- Implement rigorous policies requiring verification (e.g., call-back through known channels) for any request involving remote access, regardless of the communication platform (Teams, phone, etc.).
- Employee training specifically addressing Vishing and the manipulation inherent in unsolicited technical support requests.
- Technical controls to block or restrict the installation of unapproved remote desktop tools.
## Related Tools/Techniques
- AnyDesk (Tool used for access)
- QuickAssist (Alternative remote access tool mentioned in connection with similar vishing attacks)