Full Report
A new social engineering campaign has leveraged Microsoft Teams as a way to facilitate the deployment of a known malware called DarkGate. "An attacker used social engineering via a Microsoft Teams call to impersonate a user's client and gain remote access to their system," Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta said. "The attacker failed to install a
Analysis Summary
# Tool/Technique: DarkGate
## Overview
DarkGate is a Remote Access Trojan (RAT) that has evolved into a Malware-as-a-Service (MaaS) offering. It is used for credential theft, surveillance, and providing remote access to victim systems. It has recently been observed being deployed via social engineering campaigns utilizing Microsoft Teams for initial access.
## Technical Details
- Type: Malware family (RAT)
- Platform: Likely Windows (inferred from common RAT targets and usage context)
- Capabilities: Credential theft, keylogging, screen capturing, audio recording, remote desktop access.
- First Seen: Actively used in the wild since 2018.
## MITRE ATT&CK Mapping
*Note: The report describes a specific execution chain; the mapping below covers the malware's general capabilities:*
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application (While not strictly an exploit, the deployment relies on initial access mechanisms.)
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (When delivered via scripts)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (Via use of AutoIt/AutoHotKey scripts)
- **TA0003 - Persistence** (Inferred for a RAT)
- **TA0011 - Command and Control** (Inferred for a RAT)
- **TA0009 - Collection**
  - T1003 - OS Credential Dumping
  - T1056 - Input Capture
    - T1056.001 - Keylogging
  - T1113 - Screen Capture
## Functionality
### Core Capabilities
- Establishing remote access (RAT functionality).
- Capturing user input (keylogging).
- Capturing visual and auditory data (screen capture, audio recording).
- Stealing credentials from the compromised system.
### Advanced Features
- Evolved into a Malware-as-a-Service (MaaS) model with a tightly controlled customer base.
- Distribution relies on obfuscated scripts, historically AutoIt or AutoHotKey; the examined campaign used AutoIt scripts.
## Indicators of Compromise
*Note: Specific file hashes, registry keys, and network indicators were not provided in the text for DarkGate itself, only the delivery mechanism.*
- File Hashes: [Not specified in context]
- File Names: [Associated file names would be related to the final payloads or the AutoIt/AutoHotKey scripts used for initial execution]
- Registry Keys: [Not specified in context]
- Network Indicators: [C2 addresses not specified in context]
- Behavioral Indicators: An execution chain that begins with a social-engineering interaction over Microsoft Teams, leads to the download and execution of legitimate remote access software (AnyDesk), and ends with payload delivery.
## Associated Threat Actors
- Threat actors utilizing the DarkGate MaaS platform.
## Detection Methods
- Signature-based detection: Signatures for the DarkGate binaries.
- Behavioral detection: Detection routines targeting the behaviors associated with its capabilities (e.g., abnormal connections from remote access tools like AnyDesk, credential dumping attempts).
- YARA rules: [Not specified in context]
## Mitigation Strategies
- Enable Multi-Factor Authentication (MFA).
- Create an allowlist for approved remote access tools (e.g., strictly controlling use of AnyDesk).
- Block unverified/unapproved applications from execution.
- Thoroughly vet third-party technical support providers to mitigate vishing/social engineering risks originating from communication platforms like Microsoft Teams.
## Related Tools/Techniques
- AnyDesk (Used as a tool during the delivery/access phase in the examined incident).
- AutoIt/AutoHotKey scripts (Used as distribution wrappers/droppers).
- Lumma Stealer (Mentioned in relation to separate phishing campaigns).
---
# Tool/Technique: AnyDesk
## Overview
AnyDesk is a legitimate, widely used remote desktop software application. In this context, it was leveraged by threat actors after gaining initial access via social engineering (Microsoft Teams) to establish a remote foothold on the victim's system for payload delivery.
## Technical Details
- Type: Tool (Legitimate Remote Access Software used maliciously)
- Platform: Cross-platform (Windows, macOS, Linux, mobile)
- Capabilities: Remote desktop control, file transfer, remote administration.
- First Seen: N/A (Commercial product)
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
  - T1090 - Proxy
    - T1090.003 - Domain Fronting (If leveraged for C2, though typically the legitimate application traffic masks C2)
- **TA0001 - Initial Access** / **TA0007 - Discovery** (Facilitates subsequent steps)
## Functionality
### Core Capabilities
- Providing interactive, remote graphical interface access to the host machine.
### Advanced Features
- Used here as a delivery vehicle/backdoor after the social engineering succeeded, evading controls that might flag custom malware C2, since AnyDesk traffic is usually permitted.
## Indicators of Compromise
*Note: Since AnyDesk is legitimate, detection focuses on unauthorized invocation and context rather than on the binary itself.*
- File Hashes: [N/A, associated with legitimate installers]
- File Names: AnyDesk.exe, or related components.
- Registry Keys: [Standard AnyDesk keys]
- Network Indicators: Traffic matching the AnyDesk client/server protocol, which carries identifiable signatures even where ports or protocol framing vary.
- Behavioral Indicators: Installation or execution of AnyDesk by an end user on remote instruction, especially outside established IT protocols, or unauthorized malware payloads delivered immediately after an AnyDesk session.
## Associated Threat Actors
- Threat actors deploying DarkGate, or any group leveraging social engineering for legitimate remote access tool installation.
## Detection Methods
- Signature-based detection: Signatures for the AnyDesk executable, if necessary.
- Behavioral detection: Monitoring for installation or launch of unauthorized remote access tools following external communication (like Teams calls) perceived as support/vendor interaction.
- YARA rules: [Not specified in context]
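The behavioral detections listed for DarkGate and for AnyDesk above describe the same chain: an external Teams call, then a remote access tool launched by a non-IT user from an unapproved path, then a script interpreter (AutoIt/AutoHotKey) spawned by that tool. The following is an added example, not code from the report or from Trend Micro, that runs that logic over a constructed event stream. The JSON event schema, the approved install directory and user list, the 30-minute window, and the interpreter names are all assumptions for illustration; the policy values would come from your own allowlist.

```python
"""Flag remote-access-tool launches that match the Teams-call-to-AnyDesk chain.

Added example (not from the report or Trend Micro). The event format, tool names,
approved paths/users and the time window are assumptions for illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry: one JSON event per line (hypothetical schema).
SAMPLE_EVENTS = r"""
{"ts": "2024-12-10T09:58:00Z", "type": "teams_call", "user": "jdoe", "host": "WS-0421", "external": true, "peer": "support@vendor-lookalike.invalid"}
{"ts": "2024-12-10T10:03:12Z", "type": "process_create", "user": "jdoe", "host": "WS-0421", "pid": 4120, "ppid": 880, "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}
{"ts": "2024-12-10T10:07:45Z", "type": "process_create", "user": "jdoe", "host": "WS-0421", "pid": 4310, "ppid": 4120, "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AutoIt3.exe"}
{"ts": "2024-12-10T11:30:00Z", "type": "process_create", "user": "svc-it", "host": "IT-JUMP01", "pid": 2210, "ppid": 700, "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"}
{"ts": "2024-12-10T13:15:00Z", "type": "process_create", "user": "asmith", "host": "WS-0502", "pid": 5100, "ppid": 900, "image": "C:\\Users\\asmith\\Downloads\\AnyDesk.exe"}
"""

# Policy (assumed): which tools to watch, where and by whom they may run,
# and how soon after an external call a launch counts as suspicious.
REMOTE_TOOLS = {"anydesk.exe"}                      # extend with other remote access binaries
APPROVED_INSTALL_DIRS = ("c:\\program files\\anydesk\\",)
APPROVED_USERS = {"svc-it"}
SCRIPT_HOSTS = {"autoit3.exe", "autohotkey.exe"}    # interpreters the report ties to DarkGate delivery
CALL_WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Parse JSON-lines telemetry and return events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _finding(ev, severity, reasons):
    return {"ts": ev["ts"].isoformat(), "user": ev["user"], "host": ev["host"],
            "image": ev["image"], "severity": severity, "reasons": reasons}


def detect(events):
    """Return findings for unapproved remote-tool launches and their script children."""
    findings = []
    last_external_call = {}   # (user, host) -> time of latest external Teams call
    tool_pids = {}            # (host, pid) -> image name of a running remote access tool
    for ev in events:
        key = (ev["user"], ev["host"])
        if ev["type"] == "teams_call":
            if ev.get("external"):
                last_external_call[key] = ev["ts"]
            continue
        if ev["type"] != "process_create":
            continue
        name = basename(ev["image"])
        if name in REMOTE_TOOLS:
            tool_pids[(ev["host"], ev["pid"])] = name
            reasons = []
            if ev["user"] not in APPROVED_USERS:
                reasons.append("user not approved for remote access tools")
            if not ev["image"].lower().startswith(APPROVED_INSTALL_DIRS):
                reasons.append("launched from unapproved path")
            call_ts = last_external_call.get(key)
            if call_ts is not None and timedelta(0) <= ev["ts"] - call_ts <= CALL_WINDOW:
                mins = int((ev["ts"] - call_ts).total_seconds()) // 60
                reasons.append(f"started {mins} min after an external Teams call")
            if reasons:
                # Proximity to an external call is what distinguishes the vishing chain.
                severity = "high" if any("Teams" in r for r in reasons) else "medium"
                findings.append(_finding(ev, severity, reasons))
        elif name in SCRIPT_HOSTS and (ev["host"], ev["ppid"]) in tool_pids:
            parent = tool_pids[(ev["host"], ev["ppid"])]
            findings.append(_finding(ev, "high", [f"script interpreter spawned by {parent}"]))
    return findings


def run_sample():
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in run_sample():
        print(f["severity"].upper(), f["ts"], f["user"], f["host"], f["image"], "; ".join(f["reasons"]))
```

On the constructed input this yields three findings: the AnyDesk launch by `jdoe` five minutes after an external call (high), the AutoIt3 interpreter spawned by that AnyDesk process (high), and the unapproved-path launch by `asmith` with no preceding call (medium); the approved IT account running the installed copy from Program Files produces nothing. Correlating on the (user, host) pair is deliberate: the call and the launch must belong to the same person on the same machine, which is exactly what the Teams-driven chain looks like.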
## Mitigation Strategies
- Allowlist approved remote access tools only.
- Block unverified application installations.
- Implement user training to recognize social engineering attempts instructing them to download or run remote support software.
## Related Tools/Techniques
- Remote Access Trojan (RAT) activity (The objective achieved by using AnyDesk).
- Microsoft Teams (The communication vector for the social engineering).