
Cybersecurity Threat Advisory

An active social engineering campaign uses Microsoft Teams and AnyDesk to deploy DarkGate malware. Attackers impersonate trusted contacts during Teams calls to deceive victims into installing remote access tools, which gives the attackers unauthorized access to the system and lets them deploy the malware. Review this Cybersecurity Threat Advisory for the full details of the campaign.

What is the threat?

The threat involves attackers initiating a Microsoft Teams call and impersonating a known client to gain the victim’s trust. They instruct the victim to install AnyDesk, a legitimate remote access tool, under the guise of providing support. Once it is installed, the attackers use AnyDesk to access the victim’s system remotely and deploy the DarkGate malware. DarkGate is a sophisticated remote access trojan (RAT) capable of credential theft, keylogging, screen capturing, audio recording, and establishing persistent remote desktop access. In this campaign, it is delivered via an AutoIt script, enabling attackers to execute malicious commands and exfiltrate sensitive data.

Why is it noteworthy?

This attack exploits the inherent trust in platforms like Microsoft Teams and the legitimate use of remote access tools like AnyDesk. The social engineering approach, combined with the advanced capabilities of the DarkGate malware, poses a serious challenge to traditional cybersecurity defenses. Organizations are especially vulnerable as this method bypasses email-based phishing protections and capitalizes on human error, increasing the likelihood of a successful compromise.

What is the exposure or risk?

This campaign targets individual users with social engineering tactics that grant unauthorized remote access to deploy malware such as DarkGate, allowing attackers to bypass both traditional and advanced security measures. The consequences include data breaches, financial loss, and operational disruptions. The use of internal communication platforms lowers users’ guard, making these attacks particularly effective. Furthermore, using legitimate remote access tools like AnyDesk complicates detection, as users are not trained to suspect foul play. This attack tactic also bypasses traditional email phishing defenses, as the initial contact occurs through a trusted platform. The deployment of advanced malware such as DarkGate can lead to prolonged undetected access, data exfiltration, and potential compromise of additional systems within the network.

What are the recommendations?

Barracuda recommends the following actions to mitigate this threat:

  1. Require MFA for all remote access tools and communication platforms as an extra layer of security.
  2. Restrict the installation and use of remote access software to those vetted and approved by the organization.
  3. Prevent the download and installation of unapproved applications to reduce the risk of unauthorized access.
  4. Educate employees about the risks of social engineering attacks and establish protocols for verifying the identity of individuals requesting the installation of software or access to systems.
  5. Implement monitoring solutions to detect unusual activities on communication platforms like Microsoft Teams, such as unexpected calls from external contacts.

By adopting these measures, organizations can enhance their defenses against sophisticated social engineering attacks and the deployment of malware like DarkGate.
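Recommendations 2, 3 and 5 can be backed by endpoint telemetry as well as platform monitoring. The following is an added example, not code from the advisory or from Barracuda: it runs three detection rules over constructed process-creation events (shaped like Sysmon Event ID 1 fields) to flag a remote access tool that is not on the organization's approved list, a remote access tool launched from a user-writable download path, and the AutoIt interpreter running a script with a remote access tool as its parent, the delivery chain described above. The approved tool name `corpremote.exe`, the path conventions and the sample events are assumptions made for the example.

```python
import ntpath

# Assumptions for this example (not from the advisory): the set of remote access
# tools to watch, the organization's single approved tool (placeholder name),
# and the path fragments that mark an ad hoc, user-initiated install.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe", "corpremote.exe"}
APPROVED_TOOLS = {"corpremote.exe"}  # placeholder for the vetted, managed tool
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")
AUTOIT_INTERPRETERS = {"autoit3.exe"}
AUTOIT_SCRIPT_EXT = (".a3x", ".au3")

# Constructed process-creation events: a normal Teams launch, an AnyDesk binary run
# from Downloads, AutoIt spawned with AnyDesk as parent, and the approved tool.
SAMPLE_EVENTS = [
    {"user": "CORP\\alice", "image": r"C:\Program Files\Microsoft Teams\Teams.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "Teams.exe"},
    {"user": "CORP\\alice", "image": r"C:\Users\alice\Downloads\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "AnyDesk.exe"},
    {"user": "CORP\\alice", "image": r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe",
     "parent": r"C:\Users\alice\Downloads\AnyDesk.exe", "cmdline": "AutoIt3.exe update.a3x"},
    {"user": "CORP\\helpdesk", "image": r"C:\Program Files\CorpRemote\corpremote.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "corpremote.exe"},
]

def _base(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()

def detect(events):
    """Return one alert dict per (event, matched rule), in event order."""
    alerts = []
    for ev in events:
        image, parent = _base(ev["image"]), _base(ev["parent"])
        path, cmd = ev["image"].lower(), ev["cmdline"].lower()
        def alert(rule):
            alerts.append({"rule": rule, "user": ev["user"], "image": ev["image"]})
        # Rule 1 (recommendation 2): remote access tool that is not vetted/approved.
        if image in REMOTE_ACCESS_TOOLS and image not in APPROVED_TOOLS:
            alert("unapproved_remote_access_tool")
        # Rule 2 (recommendation 3): remote access tool run from a user-writable
        # location, i.e. downloaded and started by the user, not a managed install.
        if image in REMOTE_ACCESS_TOOLS and any(p in path for p in USER_WRITABLE):
            alert("remote_tool_from_user_path")
        # Rule 3 (recommendation 5): AutoIt running a script under a remote access
        # tool, matching the AutoIt-based DarkGate delivery the advisory describes.
        if (image in AUTOIT_INTERPRETERS and parent in REMOTE_ACCESS_TOOLS
                and any(ext in cmd for ext in AUTOIT_SCRIPT_EXT)):
            alert("autoit_script_via_remote_tool")
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['user']} -> {a['image']}")
```

Against the constructed events the AnyDesk launch trips rules 1 and 2, the AutoIt child trips rule 3, and the approved tool and Teams produce nothing; in production the rules would read from the endpoint sensor's event stream rather than an inline list.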

Reference:

For more in-depth information, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.



Posted by Laila Mubashar

Laila is a Cybersecurity Analyst at Barracuda MSP. She's a security expert, working on our Blue Team within our Security Operations Center. Laila supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
