In the last week of August, Truesec Cybersecurity Incident Response Team (CSIRT) investigated a Microsoft Teams malware campaign delivering malware identified as DarkGate Loader.
On August 29, in the timespan from 11:25 to 12:25 UTC, Microsoft Teams chat messages were sent from two external Office 365 accounts compromised prior to the campaign. The message content aimed to social engineer the recipients into downloading and opening a malicious file hosted remotely.
Investigating the Senders
Using Microsoft Purview's eDiscovery tool we searched for the senders (participants) in Microsoft Teams.
The senders of the external Microsoft Teams chat messages were identified as “Akkaravit Tattamanas” (firstname.lastname@example.org) and “ABNER DAVID RIVERA ROJAS” (email@example.com). Truesec Threat Intelligence confirmed the accounts were compromised via an unknown malware and put up for sale on the Dark Web in August 2023.
Using AADInternal's OSINT tool, we could gather more information on the O365 tenant to which the accounts belong and use the listed domains to search for additional messages.
HR-Themed Social Engineering Lure
Both senders had an identical-sounding message with a link to an externally hosted file, "Changes to the vacation schedule.zip" (hosted on the senders SharePoint sites).
The SharePoint URLs hosting the remote attachment can be seen in the figure below.
Downloading the Malware
Clicking the URL would take the victim to the SharePoint sites where the file “Changes to the vacation schedule.zip” could be downloaded.
The file was later identified by Microsoft Defender as malware “BAT/Tisifi.A#”.
Analyzing the Malicious Files
Using a combination of static and dynamic malware analysis our goal was to identify the final payload delivered in the campaign.
The ZIP file contains a malicious LNK file (shortcut) posing as a PDF document: "Changes to the vacation schedule.pdf.lnk."
Using Eric Zimmerman’s “LECmd.exe” to analyze the malicious LNK file, we can extract the command line it would execute upon opening.
The execution of the VBScript file in C:\tgph\asrxmp.vbs triggers the download and execution of the file hXXp:// 5[.]188[.]87[.]58:2351/wbzadczl
The commands make use of a Windows version of cURL (renamed to wbza) to download and execute Autoit3.exe and the bundled script eszexz.au3. The pre-compiled AutoIT script hides the code in the middle of the file by looking for the magic bytes 0x4155332145413036 (AU3!EA06).
Upon executing the script, AutoIT drops a new file that contains shellcode, and before execution, it makes a check to see if Sophos antivirus is installed.
If Sophos is not installed, additional code in the AutoIT script is deobfuscated to launch the shellcode.
When the shellcode is run, the first thing it does is load “byte by byte.” This technique is called stacked strings, to create a new file. It can be seen in the figure below that the first bytes of the created file are 0x4d and 0x5a, which indicates a Windows executable.
The payload could then be extracted from memory and analyzed with PE Studio from www.winitor.com:
The payload was identified as “DarkGateLoader” on VirusTotal. After the identification of the malware, we found an excellent writeup from Deutsche Telekom CERT and used their config extractor on the AutoIT script file “eszexz.au3” to extract the DarkGate malware’s configuration:
Further reading on the DarkGate Loader and DarkGate malware capabilities:
This attack was detected due to the security awareness training of the recipients. Unfortunately, current Microsoft Teams security features such as Safe Attachments or Safe Links was not able to detect or block this attack. Right now, the only way to prevent this attack vector within Microsoft Teams is to only allow Microsoft Teams chat requests from specific external domains, albeit it might have business implications since all trusted external domains need to be whitelisted by an IT administrator. More on how these settings can be activated and used can be found here: https://learn.microsoft.com/en-us/microsoftteams/trusted-organizations-external-meetings-chat?tabs=organization-settings
Indicators of Compromise
Changes to the vacation schedule.zip
Changes to the vacation schedule.pdf.lnk
A similar file with the same filename, “Changes to the vacation schedule.zip,” and behavior (but with a different hash) is available on VirusTotal: https://www.virustotal.com/gui/file/09904d65e59f3fbbbf38932ae7bff9681ac73b0e30b8651ec567f7032a94234f.
Command & Control Server
Compromised Email Addresses