The Threat Emerges
The DarkGate remote access Trojan (RAT), a powerful malware active since 2017, has adopted a new attack vector: Microsoft Teams. Cybercriminals combined phishing and vishing (voice phishing) techniques to gain control over a victim’s device, highlighting the continued evolution of this threat.
With organizations increasingly relying on collaboration tools, the attack demonstrates the growing risks tied to social engineering and remote access.
Phone Phishing: Watch out for support claims
The attack began with a flood of phishing emails. Shortly after, the perpetrators followed up with a Microsoft Teams call, posing as technical support from an external provider. When an initial attempt to install Microsoft Remote Support failed, the attackers manipulated the victim into downloading AnyDesk, a legitimate remote access tool. This opened the door for DarkGate, which was delivered via a PowerShell command.
Once installed, the RAT enabled remote control over the device. It executed malicious scripts, gathered sensitive data, and established persistent access through a connection with its command-and-control server. The attacker’s sophisticated approach combined multiple entry points, making detection more difficult.
The Impact
While this particular attack was thwarted, DarkGate remains a global menace. The malware’s versatility allows attackers to target any organization, exploiting human vulnerabilities through increasingly sophisticated methods. With its multi-functional capabilities and evolving delivery mechanisms, DarkGate represents a significant risk to businesses worldwide.
How it became a part of the team
DarkGate’s functionality is extensive, making it an all-in-one tool for cybercriminals. It supports keylogging and credential theft, enabling attackers to monitor and capture user inputs such as passwords and sensitive data. The malware can establish RDP sessions and hidden remote access channels, allowing cybercriminals to control compromised systems covertly.
Additionally, DarkGate maps systems and networks, facilitating further attacks like directory traversal and privilege escalation. It can also extract browser data and exfiltrate sensitive files, compromising entire networks. Beyond this, the RAT is capable of delivering additional payloads, including other remote access tools like Remcos, extending the scope and severity of its attacks.
By combining phishing, vishing, and trusted tools like AnyDesk, cybercriminals bypass traditional security measures to escalate privileges and maintain control.
What You Can Do
As vishing attacks become more common and deceptive, organizations must implement layered defenses. Here’s how to protect against evolving threats like DarkGate:
Employee Training: Educate teams to recognize phishing emails and voice phishing scams.
Verification Protocols: Always verify external technical support claims before granting access.
Tool Vetting: Vet and approve remote access tools like AnyDesk for security compliance.
Application Whitelisting: Allow only pre-approved tools; block unauthorized software.
Multifactor Authentication (MFA): Enforce MFA for remote access tools to prevent unauthorized entry.
Combining awareness, strict verification processes, and security controls will help organizations stay resilient against advanced social engineering tactics.
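As an added example (not from the original report or any vendor tooling), the Python below turns the "Application Whitelisting" control into detection logic for the sequence described above: a remote access tool that is not on the approved list appears on a host, and PowerShell runs on the same host shortly afterwards. The event records, host names, file paths, the 10-minute window and the approved-tool list are all constructed assumptions for the example.

```python
"""Flag an unapproved remote access tool followed by PowerShell on the same host."""
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry).
EVENTS = [
    {"ts": "2024-12-10T09:00:05", "host": "WS01", "user": "alice",
     "image": r"C:\Program Files\Microsoft\Teams\Teams.exe"},
    {"ts": "2024-12-10T09:12:40", "host": "WS01", "user": "alice",
     "image": r"C:\Users\alice\Downloads\AnyDesk.exe"},
    {"ts": "2024-12-10T09:14:02", "host": "WS01", "user": "alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2024-12-10T09:30:00", "host": "WS02", "user": "bob",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2024-12-10T10:00:00", "host": "WS03", "user": "carol",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
]

# Remote access binaries to watch for, and the subset the organization has vetted.
# Assumption for this example: TeamViewer is approved, AnyDesk is not.
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "quickassist.exe"}
APPROVED_REMOTE_TOOLS = {"teamviewer.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
WINDOW = timedelta(minutes=10)  # how soon after the tool PowerShell must run to alert


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_unapproved_remote_tools(events):
    """Events where a known remote access tool ran that is not on the approved list."""
    return [e for e in events
            if basename(e["image"]) in REMOTE_TOOLS
            and basename(e["image"]) not in APPROVED_REMOTE_TOOLS]


def find_followup_powershell(events, window=WINDOW):
    """Pair each unapproved tool with PowerShell started on the same host within the window."""
    alerts = []
    for tool in find_unapproved_remote_tools(events):
        t0 = datetime.fromisoformat(tool["ts"])
        for e in events:
            if e["host"] != tool["host"] or basename(e["image"]) not in POWERSHELL:
                continue
            t1 = datetime.fromisoformat(e["ts"])
            if t0 <= t1 <= t0 + window:
                alerts.append({"host": tool["host"], "user": e["user"],
                               "tool": basename(tool["image"]),
                               "delay_s": int((t1 - t0).total_seconds())})
    return alerts


if __name__ == "__main__":
    for a in find_followup_powershell(EVENTS):
        print(f"ALERT {a['host']}: {a['tool']} then PowerShell after {a['delay_s']}s ({a['user']})")
```

The lone PowerShell start on WS02 and the approved TeamViewer on WS03 produce no alert; only the AnyDesk-then-PowerShell sequence on WS01 does.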