Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion

    Date: 12/25/2024

    Severity: Medium

    Summary

    In a recent incident, an attacker used social engineering through a Microsoft Teams call to impersonate a client and gain remote access to a victim's system. The attacker tricked the victim into downloading AnyDesk, a legitimate remote access tool, and then dropped suspicious files, including one detected as Trojan.AutoIt.DARKGATE.D. This malware used Autoit3.exe to connect to a command-and-control server and download a malicious payload. Although persistent files and a registry entry were created, the attack was stopped before any data exfiltration occurred.

    Indicators of Compromise (IOC) List

    URL/Domain

    http://179.60.149.194:8080/fdgjsdmt

    IP Address

    179.60.149.194

    Hash

    1cbda9a3f202e7aacc57bcf3d43ec7b1ca42564a947d6b5a778df90cddef079a
    4e291266399bd8db27da0f0913c041134657f3b1cf45f340263444c050ed3ee1
    faa54f7152775fa6ccaecc2fe4a6696e5b984dfa41db9a622e4d3e0f59c82d8b
    bb56354cdb241de0051b7bcc7e68099e19cc2f26256af66fad69e3d2bc8a8922
    e4d13af4bfc3effe4f515c2530b1b182e18ad0c0a3dacac4dd80d6edcf0b007a

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "http://179.60.149.194:8080/fdgjsdmt" or url like "http://179.60.149.194:8080/fdgjsdmt"

    Detection Query 2

    dstipaddress IN ("179.60.149.194") or ipaddress IN ("179.60.149.194") or publicipaddress IN ("179.60.149.194") or srcipaddress IN ("179.60.149.194")

    Detection Query 3

    sha256hash IN ("bb56354cdb241de0051b7bcc7e68099e19cc2f26256af66fad69e3d2bc8a8922","1cbda9a3f202e7aacc57bcf3d43ec7b1ca42564a947d6b5a778df90cddef079a","4e291266399bd8db27da0f0913c041134657f3b1cf45f340263444c050ed3ee1","faa54f7152775fa6ccaecc2fe4a6696e5b984dfa41db9a622e4d3e0f59c82d8b","e4d13af4bfc3effe4f515c2530b1b182e18ad0c0a3dacac4dd80d6edcf0b007a")
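    The three queries above can be reproduced outside the Gurucul platform, for example when sweeping exported logs. The following is an added example (not Gurucul's or Trend Micro's code) that applies the same URL, IP and SHA-256 matches to JSON event lines; the field names mirror the queries, and the sample log lines are constructed for this illustration. Hashes are lowercased before comparison because some sources emit them in uppercase, which an exact `IN (...)` match would miss.

```python
import json

# Indicators taken from this advisory's IOC list.
IOC_URL = "http://179.60.149.194:8080/fdgjsdmt"
IOC_IP = "179.60.149.194"
IOC_SHA256 = {
    "1cbda9a3f202e7aacc57bcf3d43ec7b1ca42564a947d6b5a778df90cddef079a",
    "4e291266399bd8db27da0f0913c041134657f3b1cf45f340263444c050ed3ee1",
    "faa54f7152775fa6ccaecc2fe4a6696e5b984dfa41db9a622e4d3e0f59c82d8b",
    "bb56354cdb241de0051b7bcc7e68099e19cc2f26256af66fad69e3d2bc8a8922",
    "e4d13af4bfc3effe4f515c2530b1b182e18ad0c0a3dacac4dd80d6edcf0b007a",
}

# Field names mirror Detection Query 1, 2 and 3 respectively.
URL_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELDS = ("sha256hash",)


def _vals(event, fields):
    """Yield the stripped string value of each field present in the event."""
    return (str(event[f]).strip() for f in fields if f in event)


def match_event(event):
    """Return the names of the detection queries an event would trigger."""
    hits = []
    # Query 1 uses LIKE with no wildcard, so it is an exact (case-insensitive) match.
    if any(v.lower() == IOC_URL for v in _vals(event, URL_FIELDS)):
        hits.append("query1_url")
    if any(v == IOC_IP for v in _vals(event, IP_FIELDS)):
        hits.append("query2_ip")
    # Normalise case so uppercase hashes from some tooling still match.
    if any(v.lower() in IOC_SHA256 for v in _vals(event, HASH_FIELDS)):
        hits.append("query3_hash")
    return hits


def scan(lines):
    """Return (line_number, hits) for every well-formed JSON line that matches."""
    alerts = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it, do not abort the sweep
        hits = match_event(event)
        if hits:
            alerts.append((n, hits))
    return alerts


# Constructed sample events: proxy, network flow, file hash (uppercase), benign, malformed.
SAMPLE_LOG = [
    '{"host": "ws01", "url": "http://179.60.149.194:8080/fdgjsdmt"}',
    '{"host": "ws01", "srcipaddress": "10.0.0.5", "dstipaddress": "179.60.149.194"}',
    '{"host": "ws01", "sha256hash": "BB56354CDB241DE0051B7BCC7E68099E19CC2F26256AF66FAD69E3D2BC8A8922"}',
    '{"host": "ws02", "url": "http://intranet.example/", "dstipaddress": "10.0.0.9"}',
    'not json at all',
]
```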

    Reference:

    https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html

    Tags

    Malware, Social Engineering, Trojan, Remote Access Tool
