A new social engineering campaign has leveraged Microsoft Teams to distribute DarkGate, a sophisticated malware known for its remote access and data theft capabilities. According to Trend Micro researchers, attackers posed as clients during a Microsoft Teams call, convincing victims to download AnyDesk, a legitimate remote access tool, which was then abused to deploy the malware.
The campaign involved a multi-pronged attack strategy. Threat actors initially flooded victims’ email inboxes with thousands of emails before approaching them on Microsoft Teams, impersonating external suppliers. Once trust was established, victims were tricked into installing AnyDesk, which was then abused to deliver payloads such as credential stealers and the DarkGate malware itself.
DarkGate, active since 2018, has evolved into a Malware-as-a-Service (MaaS) platform with limited but carefully controlled distribution. Its capabilities include credential theft, keylogging, screen and audio recording, and remote desktop control. Recent analyses reveal that DarkGate often uses AutoIt and AutoHotKey scripts to initiate attacks; in one incident, an AutoIt script was used to deploy the malware.
To combat such threats, organizations are urged to adopt robust security measures. Recommended practices include enabling multi-factor authentication (MFA), allowing only approved remote access tools, blocking unverified applications, and thoroughly vetting third-party technical support providers. These measures can help mitigate the risks posed by vishing (voice phishing) and other social engineering techniques.
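One way to turn the chain described above (email flood, then external Teams contact, then a remote access tool that is not on the approved list) into a detection rule. This is an added example, not code from Trend Micro or the original article; the event schema, thresholds, allowlist contents and sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumptions: tool lists, threshold and window are illustrative, not from the article.
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "quickassist.exe"}
APPROVED_REMOTE_TOOLS = {"teamviewer.exe"}   # hypothetical org allowlist
EMAIL_FLOOD_THRESHOLD = 1000                 # inbound mails per hour
WINDOW = timedelta(hours=4)                  # max span of the whole chain

# Constructed sample events in a hypothetical normalized schema.
EVENTS = [
    {"ts": "2024-12-02T09:00:00", "user": "alice", "type": "inbound_email", "count": 3200},
    {"ts": "2024-12-02T09:40:00", "user": "alice", "type": "teams_external_contact"},
    {"ts": "2024-12-02T09:55:00", "user": "alice", "type": "process_start", "image": "AnyDesk.exe"},
    {"ts": "2024-12-02T11:00:00", "user": "bob", "type": "process_start", "image": "AnyDesk.exe"},
    {"ts": "2024-12-02T10:00:00", "user": "carol", "type": "inbound_email", "count": 2500},
    {"ts": "2024-12-02T10:20:00", "user": "carol", "type": "teams_external_contact"},
    {"ts": "2024-12-02T10:30:00", "user": "carol", "type": "process_start", "image": "TeamViewer.exe"},
    {"ts": "2024-12-02T01:00:00", "user": "dave", "type": "inbound_email", "count": 4000},
    {"ts": "2024-12-02T09:00:00", "user": "dave", "type": "teams_external_contact"},
    {"ts": "2024-12-02T09:10:00", "user": "dave", "type": "process_start", "image": "anydesk.exe"},
]

def detect_chain(events):
    """Alert when flood -> external Teams contact -> unapproved remote tool occur in order within WINDOW."""
    alerts, state = [], {}          # state: user -> timestamps of completed stages
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        st = state.setdefault(ev["user"], {})
        if ev["type"] == "inbound_email" and ev.get("count", 0) >= EMAIL_FLOOD_THRESHOLD:
            st.clear()
            st["flood"] = ts        # stage 1: inbox flooding
        elif ev["type"] == "teams_external_contact":
            if "flood" in st and ts - st["flood"] <= WINDOW:
                st["teams"] = ts    # stage 2: external contact soon after the flood
        elif ev["type"] == "process_start":
            image = ev.get("image", "").lower()
            unapproved = image in REMOTE_TOOLS and image not in APPROVED_REMOTE_TOOLS
            if unapproved and "teams" in st and ts - st["flood"] <= WINDOW:
                alerts.append({"user": ev["user"], "tool": image, "ts": ev["ts"]})
                st.clear()          # stage 3 matched; reset for this user
    return alerts

if __name__ == "__main__":
    for alert in detect_chain(EVENTS):
        print(alert)
```

An unapproved remote tool launch on its own (bob) is left to the allowlist control itself; this rule only raises the higher-confidence alert when all three stages line up.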
The rise of phishing campaigns exploiting global events and trusted platforms like YouTube, Cloudflare, and Microsoft 365 further underscores the importance of vigilance. Attackers exploit urgency, trust, and emotional manipulation to deceive victims into sharing sensitive data or executing malicious actions. Proactive monitoring of domain registrations, textual patterns, and DNS anomalies can help security teams identify and neutralize these threats early.