In the minds of most Internet users, phishing attempts arrive by malicious email or SMS, or through social network messaging. But attackers also use another, sneakier method, this time exploiting the external access feature of Microsoft Teams, which lets members of an organization add any external person to a chat.
More than 1000 malicious Teams invitations
The research team of service provider AT&T Cybersecurity identified, in a report made public on Tuesday, January 30, more than 1,000 malicious Teams group chat invitations sent from a compromised username or domain. Their client raised the alarm after an external user initiated unsolicited chats.
In practice, once the intended recipients accepted the chat request, the attackers tricked them into downloading a file with a double extension, titled “Upcoming Navigation Changes October 2023.pdf.msi”. Once the user ran this installer, the malware connected to its command and control (C2) server at hgfdytrywq(dot)com. In this case, passwords were immediately reset and the infected user accounts isolated.
This domain, along with the double file extension, had been spotted in October by cybersecurity firm Palo Alto Networks as part of the DarkGate malware infrastructure. At the end of August, a phishing campaign had already run on Microsoft Teams, urging people to open a ZIP file entitled “Changes in the vacation calendar”. What looked like a PDF file inside was actually a .lnk file (a Windows shortcut) containing a malicious script, which triggered the infection chain that installs the DarkGate malware.
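As an added illustration (not code from the article or from the AT&T report), the following Python check flags the two lure shapes described above: a document extension followed by an executable one, and a ZIP whose member is a shortcut posing as a PDF. The filenames come from the article; the ZIP content is constructed for the demo.

```python
"""Flag attachments that hide an executable behind a document extension."""
import io
import os
import zipfile

# Extensions that execute code when double-clicked on Windows (not exhaustive).
EXECUTABLE_EXTS = {".msi", ".exe", ".lnk", ".js", ".vbs", ".hta", ".scr", ".bat", ".cmd", ".ps1"}
# Extensions a user reads as "just a document".
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
ARCHIVE_EXTS = {".zip"}


def split_extensions(name: str) -> list[str]:
    """All extensions of a filename, lowercased: 'a.pdf.msi' -> ['.pdf', '.msi']."""
    base = os.path.basename(name.replace("\\", "/")).strip()
    return ["." + p.lower() for p in base.split(".")[1:] if p]


def classify(name: str) -> str:
    """Return 'executable-masquerade', 'executable', 'archive' or 'ok'."""
    exts = split_extensions(name)
    if not exts:
        return "ok"
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        # Executable that also carries a document extension earlier in the name.
        return "executable-masquerade" if any(e in DOCUMENT_EXTS for e in exts[:-1]) else "executable"
    if last in ARCHIVE_EXTS:
        return "archive"
    return "ok"


def scan_zip(data: bytes) -> dict[str, str]:
    """Classify every member name of a ZIP (given as bytes) without extracting it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {m: classify(m) for m in zf.namelist() if not m.endswith("/")}


def scan_attachment(name: str, data: bytes = b"") -> dict[str, str]:
    """Verdict for the file itself plus, for ZIPs, verdicts for each member."""
    verdicts = {name: classify(name)}
    if verdicts[name] == "archive" and data:
        verdicts.update(scan_zip(data))
    return verdicts


def build_sample_zip() -> bytes:
    """Constructed input mimicking the August lure: a ZIP holding a .lnk posing as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Changes in the vacation calendar.pdf.lnk", b"placeholder, not a real shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_attachment("Upcoming Navigation Changes October 2023.pdf.msi"))
    print(scan_attachment("Changes in the vacation calendar.zip", build_sample_zip()))
```

A mail or Teams gateway rule would quarantine anything classified as executable-masquerade and hold archives for member inspection rather than trusting the outer name.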
Remote control, keylogger and data theft
First seen in 2017, the DarkGate malware operates in several ways: remote control through a hidden VNC (Virtual Network Computing) session, recording of keystrokes with a keylogger, and a reverse proxy that hides the characteristics of the servers the attackers own.
Last summer, Russian cybersecurity company Kaspersky also discovered a DarkGate feature that blocks the default Microsoft Defender antivirus. The software can also steal data, collecting browsing history and clipboard contents immediately after infection. Finally, in October 2023, researchers linked the malware to a group of hackers based in Vietnam targeting Meta business accounts in the UK, US and India.
To prevent these attempts from recurring, AT&T Cybersecurity recommends disabling external access in Microsoft Teams, “unless absolutely necessary for professional use”. The company also stresses better training of staff on checking where messages come from and on phishing techniques.