Date: 12/25/2024
Severity: Medium
Summary
In a recent incident, an attacker used social engineering through a Microsoft Teams call to impersonate a client and gain remote access to a victim's system. The attacker successfully tricked the victim into downloading AnyDesk, a remote access tool, and dropped suspicious files, including Trojan.AutoIt.DARKGATE.D. This malware used Autoit3.exe to connect to a command-and-control server and download a malicious payload. Although persistent files and a registry entry were created, the attack was stopped before exfiltration occurred.
Indicators of Compromise (IOC) List
Type | Value
--- | ---
URL/Domain | http://179.60.149.194:8080/fdgjsdmt
IP Address | 179.60.149.194
Hash (SHA-256) | 1cbda9a3f202e7aacc57bcf3d43ec7b1ca42564a947d6b5a778df90cddef079a
Hash (SHA-256) | 4e291266399bd8db27da0f0913c041134657f3b1cf45f340263444c050ed3ee1
Hash (SHA-256) | faa54f7152775fa6ccaecc2fe4a6696e5b984dfa41db9a622e4d3e0f59c82d8b
Hash (SHA-256) | bb56354cdb241de0051b7bcc7e68099e19cc2f26256af66fad69e3d2bc8a8922
Hash (SHA-256) | e4d13af4bfc3effe4f515c2530b1b182e18ad0c0a3dacac4dd80d6edcf0b007a
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Query | Logic
--- | ---
Detection Query 1 | userdomainname like "http://179.60.149.194:8080/fdgjsdmt" or url like "http://179.60.149.194:8080/fdgjsdmt"
Detection Query 2 | dstipaddress IN ("179.60.149.194") or ipaddress IN ("179.60.149.194") or publicipaddress IN ("179.60.149.194") or srcipaddress IN ("179.60.149.194")
Detection Query 3 | sha256hash IN ("bb56354cdb241de0051b7bcc7e68099e19cc2f26256af66fad69e3d2bc8a8922","1cbda9a3f202e7aacc57bcf3d43ec7b1ca42564a947d6b5a778df90cddef079a","4e291266399bd8db27da0f0913c041134657f3b1cf45f340263444c050ed3ee1","faa54f7152775fa6ccaecc2fe4a6696e5b984dfa41db9a622e4d3e0f59c82d8b","e4d13af4bfc3effe4f515c2530b1b182e18ad0c0a3dacac4dd80d6edcf0b007a")
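The three queries above applied to event records, as an added example that is not Gurucul's code: the IOC values are the ones listed on this page, the event dictionaries and field handling (IP fields checked together, hashes compared case-insensitively) are assumptions for illustration.

```python
# Added example (not from the advisory): evaluate the three TDIR detection
# queries against constructed sample events. IOC values come from this page;
# the event records below are constructed and not real incident telemetry.

IOC_URL = "http://179.60.149.194:8080/fdgjsdmt"
IOC_IP = "179.60.149.194"
IOC_SHA256 = {
    "1cbda9a3f202e7aacc57bcf3d43ec7b1ca42564a947d6b5a778df90cddef079a",
    "4e291266399bd8db27da0f0913c041134657f3b1cf45f340263444c050ed3ee1",
    "faa54f7152775fa6ccaecc2fe4a6696e5b984dfa41db9a622e4d3e0f59c82d8b",
    "bb56354cdb241de0051b7bcc7e68099e19cc2f26256af66fad69e3d2bc8a8922",
    "e4d13af4bfc3effe4f515c2530b1b182e18ad0c0a3dacac4dd80d6edcf0b007a",
}

# Field names mirror the query fields; all IP-bearing fields are checked together.
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")


def match_event(event):
    """Return the names of the detection queries one event satisfies."""
    hits = []
    # Query 1: the C2 URL in either the userdomainname or the url field
    if any(event.get(f) == IOC_URL for f in ("userdomainname", "url")):
        hits.append("Detection Query 1")
    # Query 2: the C2 address in any of the IP fields
    if any(event.get(f) == IOC_IP for f in IP_FIELDS):
        hits.append("Detection Query 2")
    # Query 3: SHA-256 compared case-insensitively, since sensors differ in casing
    digest = event.get("sha256hash")
    if digest and digest.lower() in IOC_SHA256:
        hits.append("Detection Query 3")
    return hits


def scan(events):
    """Map each event id to its matched queries, dropping events with no hits."""
    results = {e["id"]: match_event(e) for e in events}
    return {event_id: hits for event_id, hits in results.items() if hits}


# Constructed sample telemetry (hypothetical, for illustration only)
SAMPLE_EVENTS = [
    {"id": "ev1", "url": IOC_URL, "dstipaddress": IOC_IP},
    {"id": "ev2", "sha256hash": "BB56354CDB241DE0051B7BCC7E68099E19CC2F26256AF66FAD69E3D2BC8A8922"},
    {"id": "ev3", "srcipaddress": "10.0.0.5", "url": "https://example.invalid/"},
]

if __name__ == "__main__":
    for event_id, queries in scan(SAMPLE_EVENTS).items():
        print(event_id, "->", ", ".join(queries))
```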
Reference:
https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html