DarkGate Malware Attack Detection: Voice Phishing via Microsoft Teams Leads to Malware Distribution

December 17, 2024 · 3 min read

Researchers have uncovered a new malicious campaign that uses voice phishing (vishing) to spread the DarkGate malware. In this attack, the adversaries impersonated a known client on a Microsoft Teams call, tricking the victims into downloading AnyDesk for remote access and then deploying the malware.

Detect DarkGate Malware Attacks 

In the early summer of 2024, the vishing technique was used in cyber attacks followed by the distribution of offensive tools, including remote utilities. In December, threat actors once again took advantage of impersonation via vishing, this time to deliver the DarkGate malware. SOC Prime Platform for collective cyber defense equips security teams with cutting-edge technologies and solutions to outscale cyber threats, regardless of their scale and sophistication.

Press Explore Detections to drill down to the full collection of Sigma rules for DarkGate malware detection. Gain from actionable CTI, MITRE ATT&CK alignment, and automated capabilities to convert detection code into the query language format of 30+ security analytics platforms.


DarkGate Malware Analysis: Vishing Attacks 

The Trend Micro researchers investigated a cybersecurity incident in which adversaries applied vishing through a Microsoft Teams call to disguise themselves as the users’ client and gain remote access to the targeted system. Attackers also lured the potential victims into downloading the AnyDesk remote desktop software, which was further exploited to deploy DarkGate malware. Delivered via an AutoIt script, DarkGate facilitated gaining remote control of the system, running offensive commands, collecting system data, and connecting to a C2 server. 

At the initial attack stage, hackers leveraged social engineering to gain system access. The victim first received thousands of emails, followed by a Microsoft Teams call from someone disguised as an external supplier. Adversaries failed to trick the targeted users into installing a Microsoft Remote Support app but successfully instructed them to download AnyDesk via a browser and enter their credentials. 

After installing AnyDesk, attackers were able to operate with elevated privileges within the compromised system and dropped several suspicious files, including the Trojan.AutoIt.DARKGATE.D payload. The encrypted AutoIt payload script.a3x decrypted itself in memory as a shellcode and injected itself into legitimate processes, like MicrosoftEdgeUpdateCore.exe. This process served as a proxy to load and run the DarkGate A3x script, which then facilitated the loading of additional malicious samples for the next stages of the attack.

Adversaries also created stealthy files and a registry entry on the victim’s machine to establish persistence and evade detection, and employed DLL side-loading to stay under the radar. Despite these efforts, the attack was terminated before the adversaries could reach their goals, with no evidence of data exfiltration.
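As an added example (not code from the Trend Micro write-up or from SOC Prime's Sigma content), the observable steps of the chain described above, turned into a small detection pass in Python over constructed Sysmon-style events. The browser and interpreter process names (msedge.exe, AutoIt3.exe), the event field layout, and the sample events are assumptions.

```python
# Toy detection pass over constructed Sysmon-style events (not real telemetry).
# Mirrors the chain above: AnyDesk fetched via a browser, an AutoIt interpreter
# running the .a3x payload under that session, and injection into
# MicrosoftEdgeUpdateCore.exe. Fields follow Sysmon EID 1 (process create) and
# EID 8 (CreateRemoteThread). The interpreter name AutoIt3.exe is an assumption.
from pathlib import PureWindowsPath

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
REMOTE_TOOLS = {"anydesk.exe"}
AUTOIT = {"autoit3.exe"}
INJECT_TARGETS = {"microsoftedgeupdatecore.exe"}

def _name(path: str) -> str:
    # Lower-cased file name from a Windows path; works on any host OS.
    return PureWindowsPath(path).name.lower()

def match_event(event: dict) -> list:
    """Return the rule names this event matches; empty means no hit."""
    hits = []
    if event.get("EventID") == 1:
        image, parent = _name(event.get("Image", "")), _name(event.get("ParentImage", ""))
        cmdline = event.get("CommandLine", "").lower()
        if image in REMOTE_TOOLS and parent in BROWSERS:
            hits.append("remote_tool_launched_from_browser")  # user-driven install
        if image in AUTOIT and ".a3x" in cmdline:
            hits.append("autoit_a3x_execution")  # compiled AutoIt payload
        if parent in REMOTE_TOOLS:
            hits.append("child_of_remote_tool")  # activity under the remote session
    elif event.get("EventID") == 8:
        src, dst = _name(event.get("SourceImage", "")), _name(event.get("TargetImage", ""))
        if src in AUTOIT and dst in INJECT_TARGETS:
            hits.append("autoit_injection_into_edge_updater")
    return hits

def scan(events: list) -> list:
    # Keep (ProcessId, hits) for every event that matched at least one rule.
    return [(e["ProcessId"], match_event(e)) for e in events if match_event(e)]

SAMPLE_EVENTS = [  # constructed for illustration
    {"EventID": 1, "ProcessId": 100, "Image": r"C:\Users\u\Downloads\AnyDesk.exe",
     "ParentImage": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "AnyDesk.exe"},
    {"EventID": 1, "ProcessId": 200, "Image": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
     "ParentImage": r"C:\Users\u\Downloads\AnyDesk.exe", "CommandLine": "AutoIt3.exe script.a3x"},
    {"EventID": 8, "ProcessId": 200, "SourceImage": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
     "TargetImage": r"C:\Program Files\Microsoft\EdgeUpdate\MicrosoftEdgeUpdateCore.exe"},
    {"EventID": 1, "ProcessId": 300, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]
```

Calling `scan(SAMPLE_EVENTS)` flags the AnyDesk launch, the AutoIt process (twice: the .a3x execution and its remote-tool parent) and the injection event, while the notepad process produces no hit.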

As recommended DarkGate malware mitigation measures, teams are encouraged to carefully vet third-party technical support providers and verify any vendor affiliations before granting remote access to systems, establish cloud vetting processes to assess the security and reputation of remote access tools, whitelist approved tools, block suspicious ones, and implement MFA for added layers of security protection. 

The multiple-stage DarkGate malware attack flow highlights the significance of strong security measures and increased cyber vigilance against social engineering attacks. To address the growing frequency and variety of malicious campaigns using vishing and other adversary techniques, enterprises can rely on SOC Prime’s complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection while ensuring best-in-class cyber defense.
