URL: https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response
DARKGATE MALWARE DELIVERED VIA MICROSOFT TEAMS - DETECTION AND RESPONSE

January 30, 2024  |  Peter Boyle


EXECUTIVE SUMMARY

While most end users are well-acquainted with the dangers of traditional
phishing attacks, such as those delivered via email or other media, a large
proportion are likely unaware that Microsoft Teams chats could be a phishing
vector. Most Teams activity is intra-organizational, but Microsoft enables
External Access by default, which allows members of one organization to add
users outside the organization to their Teams chats. Perhaps predictably, this
feature has provided malicious actors a new avenue by which to exploit untrained
or unaware users.

In a recent example, an AT&T Cybersecurity Managed Detection and Response (MDR)
customer proactively reached out with concerns about a user who was external to
their domain sending an unsolicited Teams chat to several internal members. The
chat was suspected to be a phishing lure. The customer provided the username of
the external user as well as the IDs of multiple users who were confirmed to
have accepted the message.

With this information, the AT&T Cybersecurity MDR SOC team was able to identify
the targeted users, as well as suspicious file downloads initiated by some of
them. A review of the tactics and indicators of compromise (IOCs) utilized by
the attacker showed them to be associated with DarkGate malware, and the MDR SOC
team was able to head off the attack before any significant damage was done.


INVESTIGATION


INITIAL EVENT REVIEW

INDICATORS OF COMPROMISE

The customer provided the below screenshot (Image 1) of the message that was
received by one of their users and which was suspected to be a phishing lure. An
important detail to note here is the “.onmicrosoft.com” domain name. This
domain, by all appearances, is authentic and most users would probably assume
that it is legitimate. OSINT research on the domain also shows no reports of
suspicious activity, leading the MDR SOC team to believe the username (and
possibly the entire domain) was likely compromised by the attackers prior to
being used to launch the phishing attack.

Image 1: Screenshot from customer of received message




EXPANDED INVESTIGATION

EVENTS SEARCH

Performing a search of the external username in the customer’s environment led
the MDR team to over 1,000 “MessageSent” Teams events that were generated by the
user. Although these events did not include the IDs of the recipients, they did
include the external user’s tenant ID, as displayed in Image 2 below.

Image 2: Event log showing external user tenant ID



A Microsoft 365 tenant ID is a globally unique identifier assigned to an
organization. It is what allows members of different companies to communicate
with one another via Teams. As long as both members of a chat have valid tenant
IDs, and External Access is enabled, they can exchange messages. With this in
mind, the MDR SOC team was able to query events that contained the external
user’s tenant ID and found multiple “MemberAdded” events, which are generated
when a user joins a chat in Teams.

Image 3: “MemberAdded” event



These events include the victim’s user ID, but not the external user ID. In
addition to the external tenant ID, the MDR SOC team was able to positively link
these “MemberAdded” events back to the attacker via the “ChatThreadId” field,
which was also present in the original “MessageSent” events. The customer was
provided with a list of users who accepted the external chat and was then able
to begin identifying potentially compromised assets and accounts for
remediation.
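The pivot described above (the external sender's “MessageSent” events give their tenant ID and the “ChatThreadId” values they wrote to; “MemberAdded” events carrying either of those name the internal users who accepted) can be scripted against exported audit records. The following is an added example, not code from the post or from AT&T Cybersecurity. It assumes the records follow the Office 365 Management Activity API layout for Teams events (Operation, UserId, OrganizationId, ChatThreadId, Members[].UPN, ParticipantInfo.ParticipatingTenantIds); every tenant ID, UPN and thread ID in it is constructed and none comes from the incident.

```python
"""Pivot from an external Teams sender's "MessageSent" events to the internal
users who accepted the chat ("MemberAdded"), via tenant ID and ChatThreadId."""
import json
from collections import defaultdict

# Constructed identifiers for the example; none are from the incident.
INTERNAL_TENANT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # the customer's own tenant
EXTERNAL_TENANT = "11111111-2222-3333-4444-555555555555"   # the sender's tenant
EXTERNAL_UPN = "sender@example-tenant.onmicrosoft.com"      # the unsolicited sender


def _record(operation, user, thread, tenants, members=None):
    """Build one constructed audit record in the Teams activity layout
    (assumed field names: Operation, UserId, OrganizationId, ChatThreadId,
    ParticipantInfo.ParticipatingTenantIds, Members[].UPN)."""
    rec = {
        "Operation": operation,
        "UserId": user,
        "OrganizationId": INTERNAL_TENANT,
        "ChatThreadId": thread,
        "ParticipantInfo": {
            "HasForeignTenantUsers": any(t != INTERNAL_TENANT for t in tenants),
            "ParticipatingTenantIds": list(tenants),
        },
    }
    if members is not None:
        rec["Members"] = [{"UPN": m, "Role": 1} for m in members]
    return rec


BOTH = [INTERNAL_TENANT, EXTERNAL_TENANT]
SAMPLE_EVENTS = [
    # The external sender writes into two chats with the customer's users.
    _record("MessageSent", EXTERNAL_UPN, "19:thread-001@unq.gbl.spaces", BOTH),
    _record("MessageSent", EXTERNAL_UPN, "19:thread-002@unq.gbl.spaces", BOTH),
    # Ordinary internal traffic that must not be swept up.
    _record("MessageSent", "alice@customer.example", "19:thread-009@unq.gbl.spaces", [INTERNAL_TENANT]),
    _record("MemberAdded", "carol@customer.example", "19:thread-009@unq.gbl.spaces",
            [INTERNAL_TENANT], members=["carol@customer.example"]),
    # Internal users accepting the external chats: the victims' UPNs appear in
    # Members, the external sender does not.
    _record("MemberAdded", "alice@customer.example", "19:thread-001@unq.gbl.spaces",
            BOTH, members=["alice@customer.example"]),
    _record("MemberAdded", "bob@customer.example", "19:thread-002@unq.gbl.spaces",
            BOTH, members=["bob@customer.example"]),
    # A chat with the foreign tenant whose MessageSent fell outside the search
    # window: only the tenant-ID pivot finds it.
    _record("MemberAdded", "dave@customer.example", "19:thread-003@unq.gbl.spaces",
            BOTH, members=["dave@customer.example"]),
]


def external_footprint(events, external_upn):
    """Step 1: from the sender's MessageSent events collect the chat threads
    they wrote to and every tenant ID other than the customer's own."""
    threads, foreign_tenants = set(), set()
    for e in events:
        if e.get("Operation") != "MessageSent":
            continue
        if e.get("UserId", "").lower() != external_upn.lower():
            continue
        threads.add(e["ChatThreadId"])
        own = e.get("OrganizationId")
        for tenant in e.get("ParticipantInfo", {}).get("ParticipatingTenantIds", []):
            if tenant != own:
                foreign_tenants.add(tenant)
    return threads, foreign_tenants


def accepting_users(events, threads, foreign_tenants, external_upn):
    """Step 2: MemberAdded events name the joining user but not the external
    sender, so link them back through ChatThreadId (strong match) or, failing
    that, through the foreign tenant ID (weaker match, needs analyst review)."""
    accepted = defaultdict(set)  # internal UPN -> {(thread, how_matched)}
    for e in events:
        if e.get("Operation") != "MemberAdded":
            continue
        thread = e.get("ChatThreadId")
        tenants = set(e.get("ParticipantInfo", {}).get("ParticipatingTenantIds", []))
        if thread in threads:
            how = "ChatThreadId"
        elif tenants & foreign_tenants:
            how = "tenant"
        else:
            continue
        for member in e.get("Members", []):
            upn = member.get("UPN", "").lower()
            if upn and upn != external_upn.lower():
                accepted[upn].add((thread, how))
    return accepted


def triage(events, external_upn):
    """Run both steps and return a JSON-friendly summary for the customer."""
    threads, foreign = external_footprint(events, external_upn)
    accepted = accepting_users(events, threads, foreign, external_upn)
    return {
        "threads": sorted(threads),
        "foreign_tenants": sorted(foreign),
        "accepted_by": {upn: sorted(hits) for upn, hits in sorted(accepted.items())},
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS, EXTERNAL_UPN), indent=2))
```

In practice the records are the AuditData JSON returned by Search-UnifiedAuditLog (RecordType MicrosoftTeams) or by the Management Activity API feed. The output is the list of affected users that the post describes handing to the customer for remediation; matches made only on the tenant ID are labelled separately from ChatThreadId matches so an analyst can confirm them before acting.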

EVENT DEEP-DIVE

The MDR SOC team continued to drill down on the phished users to determine the
precise nature of the attack. They subsequently discovered three users who had
downloaded a suspicious double extension file. The file was titled “Navigating
Future Changes October 2023.pdf.msi” (Image 4).

Image 4: Suspicious double extension file download



Double extension files are commonly used by attackers to trick users into
downloading malicious executables: the second, real extension (.msi in this
case) is hidden by default in Windows Explorer, which suppresses known file
extensions, so the name appears to end in .pdf. The user believes they are
downloading a PDF for business use, but instead receives a malicious installer.

The MDR SOC team was able to provide the filename and associated hashes to the
customer, who in turn passed that information on to their endpoint detection and
response (EDR) provider so the file could be added to the blocklist. The
information about the file downloads also enabled the customer to begin
identifying affected assets for isolation and remediation.
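The two checks applied in this step, spotting the document-then-executable double extension and matching download hashes against an EDR blocklist, are shown below as an added example; it is not code from the post or from AT&T Cybersecurity. The extension lists, the download records and the blocklist are this example's own constructed values: the first filename is the one quoted in the post, the rest are made up, and the hashes are computed from dummy bytes, not from the DarkGate sample. It also handles two related disguises the post does not mention, whitespace padding before the real extension and the Unicode right-to-left override character.

```python
"""Flag downloads whose filename disguises an executable as a document and
check their hashes against a blocklist, the two checks the incident used."""
import hashlib
import os

# This example's own lists: what a user expects to open (inner extension)
# versus what Windows will execute (outer, real extension).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".csv", ".jpg", ".png"}
EXECUTABLE_EXTS = {".msi", ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".wsf", ".hta", ".ps1", ".lnk"}
RTLO = "\u202e"  # Unicode right-to-left override, also used to disguise names


def split_extensions(filename):
    """'report.pdf.msi' -> ['.pdf', '.msi']; whitespace padding inside the
    name (used to push the real extension off-screen) is stripped."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = [p.strip().lower() for p in base.split(".")]
    return ["." + p for p in parts[1:] if p]


def classify_filename(path):
    """Return (flagged, reason) for a downloaded file's path."""
    name = os.path.basename(path.replace("\\", "/"))
    if RTLO in name:
        return True, "right-to-left override character in filename"
    exts = split_extensions(name)
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
        return True, f"document extension {exts[-2]} hides executable {exts[-1]}"
    return False, ""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed blocklist: the hash of dummy bytes, NOT the real DarkGate sample.
BLOCKLIST = {sha256_hex(b"constructed stand-in for the malicious .msi")}

# Constructed EDR download records. The first filename is the one quoted in
# the post; the others are made up to exercise the checks.
SAMPLE_DOWNLOADS = [
    {"user": "alice@customer.example",
     "path": r"C:\Users\alice\Downloads\Navigating Future Changes October 2023.pdf.msi",
     "sha256": sha256_hex(b"constructed stand-in for the malicious .msi")},
    {"user": "bob@customer.example",
     "path": r"C:\Users\bob\Downloads\Q3 report.xlsx",
     "sha256": sha256_hex(b"a harmless spreadsheet")},
    {"user": "carol@customer.example",
     "path": r"C:\Users\carol\Downloads\invoice.pdf                .exe",
     "sha256": sha256_hex(b"some other installer")},
    {"user": "dave@customer.example",
     "path": r"C:\Users\dave\Downloads\setup.msi",
     "sha256": sha256_hex(b"constructed stand-in for the malicious .msi")},
    {"user": "erin@customer.example",
     "path": "C:\\Users\\erin\\Downloads\\report" + RTLO + "fdp.exe",
     "sha256": sha256_hex(b"yet another file")},
]


def review_downloads(downloads, blocklist):
    """Return one finding per download that is disguised, blocklisted, or both."""
    findings = []
    for d in downloads:
        flagged, reason = classify_filename(d["path"])
        if d["sha256"].lower() in blocklist:
            reason = f"{reason}; hash on blocklist" if flagged else "hash on blocklist"
            flagged = True
        if flagged:
            findings.append({"user": d["user"], "path": d["path"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in review_downloads(SAMPLE_DOWNLOADS, BLOCKLIST):
        print(f"{f['user']}: {f['reason']}")
```

The name check and the hash check are kept independent on purpose: a renamed copy of the installer still matches on hash, and a new build with a fresh hash still matches on the double extension, which is why the post has the customer block both the hashes and the paths.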

REVIEWING FOR ADDITIONAL INDICATORS

The customer later provided the malicious file to the MDR SOC team for further
analysis. Upon detonation in a sandbox, the file attempted to beacon out to the
domain hgfdytrywq[.]com, which is a confirmed DarkGate command-and-control (C2)
domain, according to Palo Alto Networks
(https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-12-IOCs-for-DarkGate-from-Teams-chat.txt).
The filename is also very similar to the files listed by Palo Alto Networks and
the double-extension file is a known DarkGate tactic.


REMEDIATION

The MDR SOC provided the customer with a list of users who had received the
message, users who were confirmed to have accepted the message, and users who
were identified as having initiated a download of the malicious .msi file. The
customer used this information to initiate password resets for the affected
users and to determine which assets were infected so that they could be isolated
and rolled back to a clean state. The DarkGate file hashes and paths were
blocklisted by the customer’s EDR solution and the C2 domain was blocked. The
customer was also advised to consider disabling Teams External Access unless it
was necessary for business use.


RECOMMENDATIONS

Email phishing attacks have long been a threat to organizations, and they will
continue to be, but phishing via Microsoft Teams is a relatively new phenomenon.
This attack vector is a reminder of the need for constant vigilance and user
training in the face of evolving threats.

Unless absolutely necessary for daily business use, disabling External Access in
Microsoft Teams is advisable for most companies, as email is generally a more
secure and more closely monitored communication channel. As always, end users
should be trained to pay attention to where unsolicited messages are coming from
and should be reminded that phishing can take many forms, beyond the typical
email. Not everyone is on the same team!



Tags: malware research, stories from the soc, microsoft teams, darkgate