Subject: Engage Report: Vishing via Microsoft Teams – DarkGate Malware
Tactics: TA0001 Initial Access
Technique: T1566.002 Phishing: Spearphishing Link, T1566.004 Phishing: Spearphishing Voice
Procedure:
Attacker impersonates a client employee via a Microsoft Teams call and manipulates the victim into downloading AnyDesk for remote access after a failed attempt to install the Microsoft Remote Support application.
Vulnerability:
- EAV0001: When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
- EAV0002: When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse.
- EAV0004: When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated from, or where a link is clicked.
Engagement Opportunity:
Implement a training program with simulated vishing attacks to educate employees about social engineering tactics and the risks of unsolicited calls. Monitor for suspicious logins or downloads following Teams calls.
Threat Actor: Unknown, potentially associated with DarkGate malware distributors
Threat Objective:
Deploy DarkGate malware for remote control, command execution, system information gathering, and potential data exfiltration.
Deception Opportunity:
Deploy a decoy system with a user account configured to mimic typical employee behavior on Microsoft Teams. Seed the system with fabricated sensitive documents. Monitor for any attempts to initiate a vishing attack or deploy DarkGate malware.
Sensor Data Placement: Application
Observable Level: Core to Adversary-Brought Tool
Scoring Rationale:
Scoring reflects the attacker’s reliance on legitimate tools and services alongside custom malware and scripts. The attack chain involves a combination of common and less common techniques.
- Sensor Data Placement:
- Application: Microsoft Teams, AnyDesk
- User-Mode: Process execution (cmd.exe, rundll32.exe, AutoIt3.exe), file creation, registry modifications
- Kernel-Mode: Not applicable
- Observable Level:
- Ephemeral Values: Not applicable
- Core to Adversary-Brought Tool:
- AnyDesk remote access software
- SafeStore.dll and associated functions
- SystemCert.exe and script.a3x
- spamfilter_v1.4331.vbs
- DarkGate payload and C2 server
- Core to Pre-Existing Tool: cmd.exe, rundll32.exe, PowerShell, Microsoft EdgeUpdateCore.exe
- Core to Some Implementations of (Sub-)Technique: DLL side-loading, process injection
- Core to Sub-Technique or Technique: Not applicable
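The Engagement Opportunity asks for monitoring of suspicious downloads following Teams calls, and the sensor-placement list above names the process-level artifacts (AnyDesk, AutoIt3.exe, rundll32.exe with SafeStore.dll). The following Python script is an added example, not code from the original report, that joins the two: it correlates a Teams call event with remote-access tooling and script/DLL-host execution on the same host inside a time window. The event records, host names, field names and the DLL export name are constructed stand-ins for Teams application logs and endpoint process-creation telemetry.

```python
"""
Correlate a Microsoft Teams call with remote-access tooling and script/DLL-host
execution that follows it on the same host, using the process names from the
report's sensor-placement list.

Added example, not part of the original report. Event records are constructed
and stand in for Teams application logs and endpoint process-creation telemetry.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Process names from the report's sensor-placement list (lower-cased for matching).
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}
SCRIPT_HOSTS = {"autoit3.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
DLL_HOSTS = {"rundll32.exe"}
# Locations a standard user can write to; a DLL loaded from here deserves a look.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
WINDOW = timedelta(minutes=60)

# Constructed telemetry. HOST-A mirrors the report's chain; HOST-B is a routine
# IT-managed AnyDesk install with no preceding call and must not alert.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "HOST-A", "source": "teams",
     "type": "call_start", "peer": "external tenant, unverified"},
    {"ts": "2024-05-01T09:06:00", "host": "HOST-A", "source": "edr",
     "type": "process_create", "image": r"C:\Users\alice\Downloads\AnyDesk.exe",
     "parent": "msedge.exe", "cmdline": "AnyDesk.exe"},
    {"ts": "2024-05-01T09:12:00", "host": "HOST-A", "source": "edr",
     "type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe",
     "parent": "cmd.exe", "cmdline": "AutoIt3.exe script.a3x"},
    {"ts": "2024-05-01T09:13:00", "host": "HOST-A", "source": "edr",
     "type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": "AutoIt3.exe",
     # The export name is a placeholder; the report names only the DLL.
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\SafeStore.dll,PLACEHOLDER_EXPORT"},
    {"ts": "2024-05-01T10:30:00", "host": "HOST-B", "source": "edr",
     "type": "process_create", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent": "services.exe", "cmdline": "AnyDesk.exe"},
]


def image_name(event):
    """Basename of the executing image, lower-cased."""
    return PureWindowsPath(event["image"]).name.lower()


def classify(event):
    """Map a process-creation event onto a stage of the report's chain, or None."""
    if event.get("type") != "process_create":
        return None
    name = image_name(event)
    if name in REMOTE_ACCESS_TOOLS:
        return "remote_access_tool"
    if name in SCRIPT_HOSTS:
        return "script_host"
    cmd = event.get("cmdline", "").lower()
    if name in DLL_HOSTS and any(p in cmd for p in USER_WRITABLE):
        return "dll_from_user_path"
    return None


def correlate(events, window=WINDOW):
    """One alert per Teams call that is followed within `window`, on the same
    host, by a remote-access tool plus at least one further stage of the chain."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["ts"])
    alerts = []
    for call in (e for e in parsed if e["source"] == "teams" and e["type"] == "call_start"):
        deadline = call["ts"] + window
        stages = [(classify(e), e["ts"].isoformat(), image_name(e))
                  for e in parsed
                  if e["host"] == call["host"] and call["ts"] <= e["ts"] <= deadline
                  and classify(e)]
        kinds = {s for s, _, _ in stages}
        if "remote_access_tool" in kinds and len(kinds) >= 2:
            alerts.append({"host": call["host"], "call_ts": call["ts"].isoformat(),
                           "peer": call.get("peer"), "stages": stages,
                           "severity": "high" if "dll_from_user_path" in kinds else "medium"})
    return alerts


def remote_tool_from_user_path(events):
    """Weaker, call-independent signal: a remote-access tool run from a user-writable path."""
    return sorted({e["host"] for e in events
                   if classify(e) == "remote_access_tool"
                   and e["image"].lower().startswith(USER_WRITABLE)})


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a["severity"], a["host"], a["call_ts"], [s[0] for s in a["stages"]])
    print("remote tool from user-writable path:", remote_tool_from_user_path(EVENTS))
```

The HOST-B record shows why the call is used as the anchor: an AnyDesk binary under Program Files started by the service manager is common in managed fleets and produces no alert, whereas the same tool launched from a Downloads folder minutes after an unverified external call does. In production the window and the user-writable prefixes are the two knobs to tune, and managed remote-support deployments should be allowlisted by install path and signer rather than by process name.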
Link to Report:
Link to Report II.:
Additional Comments:
This attack highlights the increasing use of vishing as an initial access technique and the importance of user awareness and training. The attacker’s ability to pivot to AnyDesk after the failed Microsoft Remote Support installation demonstrates adaptability and persistence.
Possible elements:
MSG (Pseudocode):
# Malicious Sub-Graph Standard
# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])
# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])
# DarkGate via Vishing Attack Graph
[1]: Initial Access (TA0001) - Phishing: Spearphishing Link (T1566.002) - Phishing: Spearphishing Voice (T1566.004) - Microsoft Teams call impersonating a client to convince victim to download AnyDesk (Core to Adversary-Brought Tool)
[2]: Execution (TA0002) - Command and Scripting Interpreter: PowerShell (T1059.001) - Execute PowerShell commands to download and run next stage (Core to Pre-Existing Tool)
[3]: Persistence (TA0003) - Scheduled Task/Job: Scheduled Task (T1053.005) - Create scheduled task to maintain persistence (Core to Some Implementations of (Sub-)Technique)
[4]: Command and Control (TA0011) - Application Layer Protocol: Web Protocols (T1071.001): HTTP - Communicate with C2 server using HTTP (Core to Adversary-Brought Tool)
[5]: Exfiltration (TA0010) - Exfiltration Over C2 Channel (T1041) - Exfiltrate data over HTTP C2 channel (Core to Sub-Technique or Technique)
1 --> 2 (Lack of User Awareness (EAV0004))
2 --> 3 (Lack of System Monitoring (EAV0001))
3 --> 4 (Lack of Network Monitoring (EAV0002))
4 --> 5 (Lack of Network Monitoring (EAV0002))
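Reports in this format are only useful to an engagement team if the graph is internally consistent: every edge must join defined nodes, every exploited vulnerability must be one the report declares, and the entry node's techniques must match the header. The following Python parser and checker for the MSG node/edge notation is an added example, not part of the original report; SAMPLE_MSG is a constructed copy of the graph above with technique IDs that follow the report header, and DECLARED_VULNS and HEADER_TECHNIQUES are taken from the Vulnerability and Technique fields.

```python
"""
Parser and consistency checker for the Malicious Sub-Graph (MSG) notation:
  [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])
  [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

Added example, not part of the original report.
"""
import re

# Facts from the report header, used to cross-check the graph.
DECLARED_VULNS = {"EAV0001", "EAV0002", "EAV0004"}
HEADER_TECHNIQUES = {"T1566.002", "T1566.004"}

# The observable level is the trailing parenthesised group; it may itself
# contain one level of parentheses, e.g. "(Sub-)Technique".
NODE_RE = re.compile(r"^\[(?P<id>\d+)\]:\s*(?P<body>.+?)\s*\((?P<level>[^()]*(?:\([^()]*\)[^()]*)*)\)$")
EDGE_RE = re.compile(r"^(?P<src>\d+)\s*-->\s*(?P<dst>\d+)\s*\((?P<why>.+)\)$")
ATTACK_ID_RE = re.compile(r"\((TA\d{4}|T\d{4}(?:\.\d{3})?)\)")
EAV_RE = re.compile(r"EAV\d{4}")

# Constructed copy of the report's graph (IDs follow the report header).
SAMPLE_MSG = """\
# DarkGate via Vishing Attack Graph
[1]: Initial Access (TA0001) - Phishing: Spearphishing Link (T1566.002) - Phishing: Spearphishing Voice (T1566.004) - Microsoft Teams call impersonating a client to convince victim to download AnyDesk (Core to Adversary-Brought Tool)
[2]: Execution (TA0002) - Command and Scripting Interpreter: PowerShell (T1059.001) - Execute PowerShell commands to download and run next stage (Core to Pre-Existing Tool)
[3]: Persistence (TA0003) - Scheduled Task/Job: Scheduled Task (T1053.005) - Create scheduled task to maintain persistence (Core to Some Implementations of (Sub-)Technique)
[4]: Command and Control (TA0011) - Application Layer Protocol: Web Protocols (T1071.001): HTTP - Communicate with C2 server using HTTP (Core to Adversary-Brought Tool)
[5]: Exfiltration (TA0010) - Exfiltration Over C2 Channel (T1041) - Exfiltrate data over HTTP C2 channel (Core to Sub-Technique or Technique)
1 --> 2 (Lack of User Awareness (EAV0004))
2 --> 3 (Lack of System Monitoring (EAV0001))
3 --> 4 (Lack of Network Monitoring (EAV0002))
4 --> 5 (Lack of Network Monitoring (EAV0002))
"""


def parse_msg(text):
    """Parse MSG text into nodes (by numeric ID), edges and unparseable lines."""
    nodes, edges, problems = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := NODE_RE.match(line)):
            ids = ATTACK_ID_RE.findall(m["body"])
            nodes[int(m["id"])] = {
                "tactic": next((i for i in ids if i.startswith("TA")), None),
                "techniques": [i for i in ids if not i.startswith("TA")],
                "level": m["level"], "raw": m["body"]}
        elif (m := EDGE_RE.match(line)):
            vulns = EAV_RE.findall(m["why"])
            edges.append({"src": int(m["src"]), "dst": int(m["dst"]),
                          "why": m["why"], "vuln": vulns[0] if vulns else None})
        else:
            problems.append(f"unparseable line: {line}")
    return {"nodes": nodes, "edges": edges, "problems": problems}


def entry_nodes(graph):
    """Nodes with no incoming edge: where the adversary enters the graph."""
    targets = {e["dst"] for e in graph["edges"]}
    return [n for n in graph["nodes"] if n not in targets]


def validate(graph, declared_vulns=DECLARED_VULNS, header_techniques=HEADER_TECHNIQUES):
    """Return a list of findings; an empty list means the graph is consistent."""
    findings = list(graph["problems"])
    nodes = graph["nodes"]
    for n_id, node in nodes.items():
        if node["tactic"] is None or not node["techniques"]:
            findings.append(f"node {n_id}: missing tactic or technique ID")
    for e in graph["edges"]:
        for end in ("src", "dst"):
            if e[end] not in nodes:
                findings.append(f"edge {e['src']}->{e['dst']}: unknown node {e[end]}")
        if e["vuln"] is None:
            findings.append(f"edge {e['src']}->{e['dst']}: no EAV ID")
        elif e["vuln"] not in declared_vulns:
            findings.append(f"edge {e['src']}->{e['dst']}: {e['vuln']} not declared in report header")
    for n in entry_nodes(graph):
        extra = set(nodes[n]["techniques"]) - header_techniques
        if extra:
            findings.append(f"entry node {n}: techniques {sorted(extra)} absent from report header")
    return findings


def attack_path(graph):
    """Depth-first traversal from the entry node(s); node IDs in visit order."""
    nxt = {}
    for e in graph["edges"]:
        nxt.setdefault(e["src"], []).append(e["dst"])
    order, seen, stack = [], set(), sorted(entry_nodes(graph), reverse=True)
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        order.append(n)
        stack.extend(sorted(nxt.get(n, []), reverse=True))
    return order


if __name__ == "__main__":
    g = parse_msg(SAMPLE_MSG)
    print("path:", attack_path(g))
    print("findings:", validate(g) or "none")
```

The checker is deliberately strict about the header: an entry-node technique ID that the Technique field does not list is reported, which catches the common copy error of a transposed ATT&CK ID in the graph. The `attack_path` order also gives the engagement planner the sequence in which decoys and sensors from the Deception Opportunity need to be in place.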
# Pseudocode Standard
# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]
# DarkGate via Vishing Pseudocode
function Initial_Access_Spearphishing_Voice(target_user):
    # Initiate Microsoft Teams call with target_user
    # Impersonate client employee
    # Convince target_user to download and install AnyDesk
    return execution_payload
function Execution_Command_and_Scripting_Interpreter(execution_payload):
    # Execute PowerShell commands to download and run next stage
    return persistence_payload
function Persistence_Scheduled_Task(persistence_payload):
    # Create scheduled task to execute downloaded malware
    return C2_communication_module
function Command_and_Control_Application_Layer_Protocol(C2_communication_module):
    # Establish HTTP connection with C2 server
    # Receive commands and exfiltrate data
    return exfiltrated_data
function Exfiltration_Exfiltration_Over_C2_Channel(exfiltrated_data):
    # Send exfiltrated_data to C2 server over HTTP
    return success