URL: https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response
DARKGATE MALWARE DELIVERED VIA MICROSOFT TEAMS - DETECTION AND RESPONSE
January 30, 2024 | Peter Boyle

EXECUTIVE SUMMARY
While most end users are well acquainted with the dangers of traditional phishing attacks delivered via email or other media, a large proportion are likely unaware that Microsoft Teams chats can also be a phishing vector. Most Teams activity is intra-organizational, but Microsoft enables External Access by default, which allows members of one organization to add users outside the organization to their Teams chats.
Perhaps predictably, this feature has given malicious actors a new avenue by which to exploit untrained or unaware users. In a recent example, an AT&T Cybersecurity Managed Detection and Response (MDR) customer proactively reached out with concerns about a user external to their domain who had sent an unsolicited Teams chat to several internal members. The chat was suspected to be a phishing lure. The customer provided the username of the external user as well as the IDs of multiple users who were confirmed to have accepted the message. With this information, the AT&T Cybersecurity MDR SOC team was able to identify the targeted users, as well as suspicious file downloads initiated by some of them. A review of the tactics and indicators of compromise (IOCs) used by the attacker showed them to be associated with DarkGate malware, and the MDR SOC team was able to head off the attack before any significant damage was done.

INVESTIGATION

INITIAL EVENT REVIEW

INDICATORS OF COMPROMISE
The customer provided the screenshot below (Image 1) of the message received by one of their users, which was suspected to be a phishing lure. An important detail to note here is the ".onmicrosoft.com" domain name. This domain, by all appearances, is authentic, and most users would probably assume it is legitimate. Every Microsoft 365 tenant receives an .onmicrosoft.com subdomain by default when it is created, so the suffix itself says nothing about who controls the tenant. OSINT research on the domain also showed no reports of suspicious activity, leading the MDR SOC team to believe the username (and possibly the entire domain) was likely compromised by the attackers before being used to launch the phishing attack.

Image 1: Screenshot from customer of received message

EXPANDED INVESTIGATION

EVENTS SEARCH
Searching for the external username in the customer's environment led the MDR team to over 1,000 "MessageSent" Teams events generated by that user. Although these events did not include the IDs of the recipients, they did include the external user's tenant ID, as displayed in Image 2 below.
Image 2: Event log showing external user tenant ID

A Microsoft 365 tenant ID is a globally unique identifier (GUID) assigned to an organization's tenant. It is what identifies the other party's organization when members of different companies communicate via Teams: as long as both participants belong to valid tenants and External Access is enabled between them, they can exchange messages. With this in mind, the MDR SOC team queried for events containing the external user's tenant ID and found multiple "MemberAdded" events, which are generated when a user joins a chat in Teams.

Image 3: "MemberAdded" event

These events include the victim's user ID, but not the external user's ID. In addition to the external tenant ID, the MDR SOC team was able to positively link these "MemberAdded" events back to the attacker via the "ChatThreadId" field, which was also present in the original "MessageSent" events. The customer was provided with a list of users who had accepted the external chat and was then able to begin identifying potentially compromised assets and accounts for remediation.

EVENT DEEP-DIVE
The MDR SOC team continued to drill down on the phished users to determine the precise nature of the attack. They subsequently discovered three users who had downloaded a suspicious double-extension file, titled "Navigating Future Changes October 2023.pdf.msi" (Image 4).

Image 4: Suspicious double extension file download

Double-extension files are commonly used by attackers to trick users into running malicious executables: Windows Explorer hides the extension of known file types by default, so the trailing ".msi" is not displayed and the file appears to be "Navigating Future Changes October 2023.pdf". The user believes they are downloading a PDF for business use but instead receives a malicious Windows Installer package, which executes when opened. The MDR SOC team provided the filename and associated hashes to the customer, who in turn passed that information to their endpoint detection and response (EDR) provider so the file could be added to the blocklist.
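The correlation the MDR team describes (MessageSent events from the external sender yield the tenant ID and ChatThreadIds; MemberAdded events tied to both yield the users who accepted the chat; download events by those users yield the double-extension file) can be scripted so it is repeatable the next time an external sender is reported. The following is an added example written for this page, not code from AT&T or from the original post. It runs over constructed sample records in a deliberately simplified shape: the field names SenderTenantId, ExternalTenantId and Members are assumptions for the example, since real Microsoft 365 unified audit log records use different names and carry many more fields, and the two employee-only records are there to show that unrelated chats are not swept into the victim list.

```python
"""Correlate Teams audit events: external sender -> tenant/threads -> victims -> downloads."""
import json
import re

# Constructed sample audit log (one JSON record per line). Field names are
# assumptions for this example, not the real unified audit log schema.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"Operation": "MessageSent", "Workload": "MicrosoftTeams",
                "UserId": "jdoe@partner-tenant.onmicrosoft.com",
                "SenderTenantId": "11111111-2222-3333-4444-555555555555",
                "ChatThreadId": "19:thread-a@unq.gbl.spaces"}),
    json.dumps({"Operation": "MessageSent", "Workload": "MicrosoftTeams",
                "UserId": "jdoe@partner-tenant.onmicrosoft.com",
                "SenderTenantId": "11111111-2222-3333-4444-555555555555",
                "ChatThreadId": "19:thread-b@unq.gbl.spaces"}),
    # Ordinary internal chat: same tenant as the customer, must not be linked.
    json.dumps({"Operation": "MessageSent", "Workload": "MicrosoftTeams",
                "UserId": "carol@victim.example",
                "SenderTenantId": "99999999-8888-7777-6666-555555555555",
                "ChatThreadId": "19:thread-c@unq.gbl.spaces"}),
    # MemberAdded carries the victim, the thread and the external tenant ID,
    # but not the external user's identity, as the write-up describes.
    json.dumps({"Operation": "MemberAdded", "Workload": "MicrosoftTeams",
                "ChatThreadId": "19:thread-a@unq.gbl.spaces",
                "ExternalTenantId": "11111111-2222-3333-4444-555555555555",
                "Members": [{"UPN": "alice@victim.example", "Role": 1}]}),
    json.dumps({"Operation": "MemberAdded", "Workload": "MicrosoftTeams",
                "ChatThreadId": "19:thread-b@unq.gbl.spaces",
                "ExternalTenantId": "11111111-2222-3333-4444-555555555555",
                "Members": [{"UPN": "bob@victim.example", "Role": 1}]}),
    json.dumps({"Operation": "MemberAdded", "Workload": "MicrosoftTeams",
                "ChatThreadId": "19:thread-c@unq.gbl.spaces",
                "ExternalTenantId": "99999999-8888-7777-6666-555555555555",
                "Members": [{"UPN": "dave@victim.example", "Role": 1}]}),
    json.dumps({"Operation": "FileDownloaded", "UserId": "alice@victim.example",
                "SourceFileName": "Navigating Future Changes October 2023.pdf.msi"}),
    json.dumps({"Operation": "FileDownloaded", "UserId": "bob@victim.example",
                "SourceFileName": "Q4 budget.xlsx"}),
])

# "document-looking" extension immediately followed by an executable one.
DOC_EXT = r"pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|zip"
EXEC_EXT = r"msi|exe|scr|js|vbs|bat|cmd|lnk|hta|ps1"
DOUBLE_EXT = re.compile(rf"\.({DOC_EXT})\.({EXEC_EXT})$", re.IGNORECASE)


def parse_audit_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def attacker_footprint(events, external_upn):
    """Tenant IDs and chat threads the external sender used (from MessageSent)."""
    tenants, threads = set(), set()
    for e in events:
        if e.get("Operation") == "MessageSent" and \
                e.get("UserId", "").lower() == external_upn.lower():
            tenants.add(e["SenderTenantId"])
            threads.add(e["ChatThreadId"])
    return tenants, threads


def users_who_accepted(events, tenants, threads):
    """Victims: MemberAdded events matching the attacker's tenant AND thread."""
    victims = set()
    for e in events:
        if e.get("Operation") != "MemberAdded":
            continue
        if e.get("ExternalTenantId") in tenants and e.get("ChatThreadId") in threads:
            victims.update(m["UPN"] for m in e.get("Members", []))
    return victims


def is_double_extension(filename):
    """True for names like 'report.pdf.msi' or 'invoice.DOCX.EXE'."""
    return DOUBLE_EXT.search(filename) is not None


def suspicious_downloads(events, victims):
    """Double-extension files downloaded by users who accepted the chat."""
    return [(e["UserId"], e.get("SourceFileName", ""))
            for e in events
            if e.get("Operation") == "FileDownloaded"
            and e.get("UserId") in victims
            and is_double_extension(e.get("SourceFileName", ""))]


def triage(log_text, external_upn):
    """Run the full correlation and return the scoping lists the SOC hands over."""
    events = parse_audit_log(log_text)
    tenants, threads = attacker_footprint(events, external_upn)
    victims = users_who_accepted(events, tenants, threads)
    return {"tenants": tenants, "threads": threads, "victims": victims,
            "downloads": suspicious_downloads(events, victims)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUDIT_LOG, "jdoe@partner-tenant.onmicrosoft.com").items():
        print(f"{key}: {sorted(value)}")
```

Requiring both the tenant ID and the ChatThreadId to match, rather than either alone, is what keeps the employee-only chat (thread-c) out of the victim list; with a customer that legitimately federates with many tenants, matching on tenant ID alone would also drag in every unrelated conversation with that partner.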
The information about the file downloads also enabled the customer to begin identifying affected assets for isolation and remediation.

REVIEWING FOR ADDITIONAL INDICATORS
The customer later provided the malicious file to the MDR SOC team for further analysis. Upon detonation in a sandbox, the file attempted to beacon out to the domain hgfdytrywq[.]com, which is a confirmed DarkGate command-and-control (C2) domain according to Palo Alto Networks Unit 42 (https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-12-IOCs-for-DarkGate-from-Teams-chat.txt). The filename is also very similar to the files listed by Palo Alto Networks, and the double-extension file is a known DarkGate tactic.

REMEDIATION
The MDR SOC provided the customer with a list of users who had received the message, users who were confirmed to have accepted the message, and users who were identified as having initiated a download of the malicious .msi file. The customer used this information to initiate password resets for the affected users and to determine which assets were infected so that they could be isolated and rolled back to a clean state. The DarkGate file hashes and paths were blocklisted in the customer's EDR solution and the C2 domain was blocked. The customer was also advised to consider disabling Teams External Access unless it was necessary for business use.

RECOMMENDATIONS
Email phishing attacks have long been a threat to organizations and will continue to be, but phishing via Microsoft Teams is a relatively new phenomenon. This attack vector is a reminder of the need for constant vigilance and user training in the face of evolving threats. Unless absolutely necessary for daily business use, disabling External Access in Microsoft Teams is advisable for most companies, as email is generally a more closely monitored communication channel with more mature filtering controls. Where external collaboration is required, restricting External Access to an allow list of specific partner domains is preferable to leaving it open to every tenant; in the MicrosoftTeams PowerShell module this is governed by Set-CsTenantFederationConfiguration (for example, -AllowFederatedUsers $false turns federation off entirely).
As always, end users should be trained to pay attention to where unsolicited messages are coming from and should be reminded that phishing can take many forms beyond the typical email. Not everyone is on the same team!

Tags: malware research, stories from the soc, microsoft teams, darkgate