Attackers are exploiting Microsoft Teams and AnyDesk in a new social engineering campaign to deploy DarkGate malware. This attack highlights how easily cybercriminals can manipulate users through remote access tools and impersonation tactics.
How the Attack Works
- Initial Contact: The attacker bombards the target’s email inbox with thousands of messages.
- Microsoft Teams Impersonation: Posing as an external supplier, the attacker contacts the victim through Microsoft Teams.
- Remote Access Installation: After an attempt to install Microsoft Remote Support fails, the attacker persuades the victim to download AnyDesk instead.
- Payload Delivery: Using AnyDesk, the attacker gains remote access and installs multiple malicious tools, including a credential stealer and DarkGate malware.
What is DarkGate Malware?
DarkGate is a Remote Access Trojan (RAT) active since 2018. It has evolved into a malware-as-a-service (MaaS) product, sold to a select number of customers. DarkGate’s capabilities include:
- Stealing credentials
- Keylogging
- Capturing screens and audio
- Recording remote desktop sessions
In this case, the malware was delivered using an AutoIt script. Although the attack was blocked before data exfiltration, it shows how attackers use various entry points to spread malware.
Growing Threats: Phishing and Social Engineering
The DarkGate attack is part of a broader trend. Cybercriminals are using diverse phishing methods and lures to trick victims:
- YouTube Campaigns: Attackers impersonate brands and approach creators with fake partnership offers. Clicking the links deploys Lumma Stealer malware.
- QR Code Phishing (Quishing): Emails contain PDF attachments with QR codes that lead to fake Microsoft 365 login pages.
- Cloudflare Abuse: Attackers create fake Microsoft 365 pages and CAPTCHA checks to steal credentials.
- HTML Attachments: Malicious HTML disguised as invoices or HR policies contains scripts that redirect users to phishing sites.
- Trusted Platforms Exploitation: Platforms like DocuSign, Adobe InDesign, and Google AMP are used to send malicious links.
- WhatsApp Scams: Phishing messages, largely targeting users in India, instruct recipients to install fake banking apps that steal financial data.
- Global Event Exploitation: Cybercriminals capitalize on major events like sports tournaments and product launches. They register domains mimicking official websites to sell fake products and trick users.
Defense Strategies for Organizations
To protect against such attacks:
- Enable multi-factor authentication (MFA).
- Allow only approved remote access tools.
- Block unverified applications.
- Vet third-party technical support providers.
Cybersecurity firm Palo Alto Networks advises monitoring domain registrations, textual patterns, DNS anomalies, and change request trends to detect threats early.
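As an added illustration of the "allow only approved remote access tools" control and the monitoring advice above (example code written for this article, not Palo Alto's or the author's): a small Python checker that runs over constructed process-creation events, flags any remote-access tool outside an assumed allowlist, and flags an AutoIt interpreter spawned from a remote-access session, mirroring the AnyDesk-to-DarkGate chain described earlier. The log format, the tool names and the allowlist are assumptions to adapt to your own telemetry.

```python
import re
from dataclasses import dataclass

# Assumption: the organisation has approved exactly one remote support tool.
APPROVED_REMOTE_TOOLS = {"quickassist.exe"}
# Remote-access executables to watch for; AnyDesk is the one the article describes.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe", "quickassist.exe"}
# The article notes DarkGate was delivered via an AutoIt script, so watch its interpreter.
SCRIPT_HOSTS = {"autoit3.exe"}

# Assumed process-creation log format (constructed for this example, not a real product's).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"image=(?P<image>.+?)(?: parent=(?P<parent>\S+))?$"
)
# Constructed sample events mirroring the chain in the article.
SAMPLE_LOG = [
    r"2024-12-10T09:14:03Z host=WS-0412 user=jdoe image=C:\Program Files\Microsoft Teams\Teams.exe parent=explorer.exe",
    r"2024-12-10T09:21:40Z host=WS-0412 user=jdoe image=C:\Users\jdoe\Downloads\AnyDesk.exe parent=msedge.exe",
    r"2024-12-10T09:30:12Z host=WS-0412 user=jdoe image=C:\Users\jdoe\AppData\Local\Temp\AutoIt3.exe parent=AnyDesk.exe",
    r"2024-12-10T09:35:00Z host=WS-0098 user=hr.admin image=C:\Windows\System32\quickassist.exe",
]

@dataclass
class Finding:
    ts: str
    host: str
    user: str
    image: str
    reason: str

def analyse(lines):
    """One Finding per event that starts a non-approved remote-access tool
    or spawns a script host from a remote-access session."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip
        image = m["image"].rsplit("\\", 1)[-1].lower()          # file name only
        parent = (m["parent"] or "").rsplit("\\", 1)[-1].lower()
        if image in REMOTE_ACCESS_TOOLS and image not in APPROVED_REMOTE_TOOLS:
            reason = "unapproved remote access tool started"
        elif image in SCRIPT_HOSTS and parent in REMOTE_ACCESS_TOOLS:
            reason = f"script host launched from remote session ({parent})"
        else:
            continue
        findings.append(Finding(m["ts"], m["host"], m["user"], image, reason))
    return findings
```

On the sample events only the AnyDesk launch and the AutoIt interpreter started under AnyDesk are reported; the Teams process and the approved Quick Assist launch are not.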
By understanding these tactics and improving defenses, organizations can reduce the risk of falling victim to evolving malware and phishing campaigns.
Justyna Flisk
Justyna Flisk, Senior Editor at Decoded.cc, combines her expertise as a Senior Software Engineer and AI R&D Manager to deliver sharp, forward-thinking content on technology and artificial intelligence. With a passion for innovation, Justyna bridges the gap between technical depth and clear storytelling, ensuring readers stay ahead in the fast-evolving AI landscape.