Showing posts with label Microsoft Teams.

Compromised Skype Accounts Facilitate DarkGate Malware Spread

Cyber attackers wielding the DarkGate malware have utilized compromised Skype accounts as a vector to infiltrate targets between July and September. They accomplished this by dispatching messages with VBA loader script attachments. 

Trend Micro's security researchers, who detected these attacks, noted that this script is responsible for fetching a second-stage AutoIT script. This script, in turn, is tailored to deploy the final DarkGate malware payload.

Trend Micro explained that gaining access to the victim's Skype account provided the attacker with the ability to take control of an ongoing messaging thread. This allowed them to manipulate the naming of files to align with the context of the conversation. 

Although the means by which the initial accounts of instant messaging applications were compromised remains unclear, it is theorized to have occurred either through leaked login credentials available on underground forums or as a consequence of a prior breach of the parent organization.

Furthermore, Trend Micro observed instances where DarkGate operators attempted to deliver their malware payload through Microsoft Teams. This occurred in organizations where the service was set up to accept messages from external users. 

Previously, Truesec and Malwarebytes had identified phishing campaigns targeting Microsoft Teams users. These campaigns used malicious VBScript to deploy the DarkGate malware. The attackers targeted users from compromised Office 365 accounts outside the victims' organizations and leveraged a tool named TeamsPhisher.

This tool enabled the bypassing of restrictions on incoming files from external sources, enabling the transmission of phishing attachments to Teams users. The ultimate objective remained infiltrating the entire environment. Depending on the specific threat group employing the DarkGate variant, the threats ranged from ransomware to cryptomining.

Trend Micro's telemetry data indicated that DarkGate frequently led to the detection of tools commonly associated with the Black Basta ransomware group.

The use of the DarkGate malware loader for initial access into corporate networks has been on the rise, especially following the dismantling of the Qakbot botnet in August through an international collaborative effort.

Prior to the disruption of Qakbot, an individual claiming to be the developer of DarkGate sought to sell subscriptions on a hacking forum, pricing them at up to $100,000 annually. The malware was marketed with an array of features, including a concealed VNC, capabilities to evade Windows Defender, a tool for pilfering browser history, an integrated reverse proxy, a file manager, and a Discord token snatcher.

Subsequent to this announcement, there has been a noticeable surge in reported DarkGate infections via various delivery methods like phishing and malvertising.

This recent upswing in DarkGate activity highlights the escalating influence of this malware-as-a-service (MaaS) operation within the realm of cybercrime. It underscores the unwavering determination of threat actors to persist in their attacks, demonstrating adaptability in tactics and methods despite disruptions and obstacles.

Ransomware Access Broker Leverages Microsoft Teams Titles for Account Theft

Microsoft has issued a warning about a new phishing campaign being run by an initial access broker. The campaign uses Teams messages as lures to sneak into corporate networks and collect sensitive data.

The cluster, tracked by Google's Threat Intelligence team, has been named Storm-0324 and is also monitored under the names TA543 and Sigrid. Security researchers at Microsoft have observed that the financially motivated group Storm-0324 has started using Teams to approach potential victims, which they believe is a means of gaining easy access to their computer systems.

As a payload distributor within the cybercriminal economy, Storm-0324 offers a service that provides evasive infection chains for delivering a variety of payloads used to infect systems. The malware families identified in this study include downloaders, banking trojans, ransomware, and modular toolkits such as Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab, and JSSLoader.

This actor has used decoy emails referencing invoices and payments in the past to trick users into downloading SharePoint-hosted ZIP archive files with JSSLoader, a malware loader able to profile and load additional payloads on infected machines.

The actor has used similar decoy email messages in the past to trick users into downloading these files. Microsoft appears to have assigned the temporary name Storm-0324 to this threat actor before gaining clarity about the origin or identity of the individuals behind the operation, which suggests that Microsoft is not yet fully confident in its attribution.

After Storm-0324 compromised corporate networks using JSSLoader, Gozi and Nymaim, the notorious cybercrime gang FIN7 gained access to those systems. FIN7 has been observed deploying the Clop ransomware on its victims' networks.

FIN7 is also known as Sangria Tempest and ELBRUS. Before the now-defunct BlackMatter and DarkSide ransomware-as-a-service (RaaS) operations, the gang was also linked to the Maze and REvil ransomware.

According to Microsoft, Storm-0324 is also a malware distributor that delivers payloads for other malware authors. The group employs evasive tactics and uses payment and invoice lures to draw victims into its traps. It has been shown that the gang has distributed malware for FIN7 and Cl0p, both well-known Russian cybercrime gangs.

Storm-0324 has been found to be spreading phishing scams over Teams. The group employs TeamsPhisher to scale up its phishing, a tool that allows Teams tenants to attach files to messages sent to external tenants.

Attackers send victims links that lead to malicious SharePoint-hosted files. Microsoft had previously stated that the Teams vulnerability enabling these attacks did not meet its bar for immediate remediation.

Enterprise administrators can minimize this risk by changing security settings so that only specific, approved domains can communicate with their employees, or by blocking external tenants from contacting their employees altogether.

Furthermore, Microsoft explains that it has made several improvements to protect against such threats and to strengthen its defences. It has enhanced the Accept/Block experience in Teams one-to-one chats, in addition to suspending accounts and tenants whose behaviour is deemed inauthentic or fraudulent.

Teams users are now reminded that a sender is external and shown the sender's email address, so that they are more careful when interacting with unknown or malicious senders and can avoid engaging with them. In addition, tenant admins now receive an enhanced notification when new domains are created in their tenant, which lets them monitor domain creation.

It is believed that the group is leveraging previously compromised Microsoft 365 instances, most of which belong to small businesses, in their phishing attacks to create new domains that look as if they are technical support accounts for small businesses. 

These individuals are then persuaded by the group, through Teams messages, to approve multi-factor authentication prompts initiated by the attacker. The compromised instances are renamed and used to set up a new onmicrosoft.com subdomain for the new instance.

Microsoft 365 uses the onmicrosoft.com domain name as a fallback if there is no custom domain created by the user. To provide credibility to the technical support-themed messages that are sent out as a lure by attackers, they often use security terms or product-specific names in these subdomain names. 

Specifically, the targets are users whose accounts have been set up for passwordless authentication, or accounts for which the attackers have previously obtained credentials. During the authentication process, the user is required to enter a code displayed on screen into the prompt shown in Microsoft Authenticator on their mobile device.
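The two posts above describe the same defensive levers from different angles: a federation allow-list for external Teams tenants, wariness of onmicrosoft.com subdomains named after support or security functions, script attachments and SharePoint-hosted links arriving from external senders, and messages urging approval of an authentication prompt. The following is an added example, not code from the blog, Trend Micro or Microsoft, that turns those indicators into a small triage routine over Teams message metadata. The record layout (`TeamsMessage`), the domains `example.com` and `partner.example.net`, the keyword lists and all sample messages are constructed assumptions; a real deployment would feed it from an audit-log or message-trace export.

```python
"""Triage external Teams/Skype messages against the indicators described
in the posts above. Added example; record format and sample data are
constructed, not a real Teams export."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

OWN_DOMAIN = "example.com"                 # assumed: the defender's own tenant domain
ALLOWED_DOMAINS = {"partner.example.net"}  # assumed: federation allow-list (approved external tenants)

# Script/loader file types of the kind the campaigns delivered via chat.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".vba", ".js", ".jse", ".wsf", ".hta", ".lnk", ".au3", ".ps1")

# Words used in onmicrosoft.com subdomain names to pose as technical support.
LURE_WORDS = ("support", "helpdesk", "security", "microsoft", "admin", "mfa", "authenticator")

# Message text that pushes the recipient to approve an MFA / sign-in prompt.
MFA_LURE = re.compile(
    r"\b(approve|accept)\b.{0,60}\b(prompt|request|authenticator|sign[- ]?in)\b", re.I)


@dataclass
class TeamsMessage:
    sender: str                      # sender's UPN, e.g. user@tenant.onmicrosoft.com
    attachments: list = field(default_factory=list)  # attachment file names
    links: list = field(default_factory=list)        # URLs found in the message body
    body: str = ""


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_lure_subdomain(domain: str) -> bool:
    """True for a fallback onmicrosoft.com subdomain whose label carries a support/security lure word."""
    suffix = ".onmicrosoft.com"
    if not domain.endswith(suffix):
        return False
    label = domain[: -len(suffix)]
    return any(word in label for word in LURE_WORDS)


def triage(msg: TeamsMessage) -> list:
    """Return the list of indicators raised by one message; internal senders are skipped."""
    domain = sender_domain(msg.sender)
    if domain == OWN_DOMAIN:
        return []
    findings = []
    if domain not in ALLOWED_DOMAINS:
        findings.append(f"sender domain not on federation allow-list: {domain}")
    if is_lure_subdomain(domain):
        findings.append(f"onmicrosoft.com subdomain with support/security lure word: {domain}")
    for name in msg.attachments:
        if name.lower().endswith(SCRIPT_EXTENSIONS):
            findings.append(f"script attachment from external sender: {name}")
    for url in msg.links:
        host = (urlparse(url).hostname or "").lower()
        if host == "sharepoint.com" or host.endswith(".sharepoint.com"):
            findings.append(f"SharePoint-hosted link from external sender: {host}")
    if MFA_LURE.search(msg.body):
        findings.append("message urges approval of an authentication prompt")
    return findings


# Constructed sample traffic: one internal message, one clean partner message,
# one support-themed onmicrosoft.com lure, one script-attachment lure.
SAMPLE_MESSAGES = [
    TeamsMessage("alice@example.com", attachments=["report.vbs"]),
    TeamsMessage("bob@partner.example.net", links=["https://partner.example.net/doc"]),
    TeamsMessage("helpdesk@contoso-security.onmicrosoft.com",
                 body="Please approve the Authenticator prompt to complete your sign in."),
    TeamsMessage("invoices@attacker.example", attachments=["Invoice_2023.vbs"],
                 links=["https://tenant-my.sharepoint.com/:f:/g/personal/x/file"]),
]


def run_sample() -> list:
    """Triage every sample message; returns one findings list per message, in order."""
    return [triage(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, findings in zip(SAMPLE_MESSAGES, run_sample()):
        print(msg.sender, "->", findings or "clean")
```

The allow-list check mirrors the administrative control the post recommends (only approved domains may message employees); the remaining checks are detection heuristics for tenants that cannot lock federation down entirely. Substring matching on the subdomain label is deliberately loose and will flag legitimate tenants whose names contain those words, so treat a hit as a review queue entry rather than a verdict.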