Remote access exploited in latest DarkGate malware campaign

December 24, 2024
DarkGate Malware Cyberattack Remote Access Microsoft Teams AnyDesk

A new cyberattack campaign has surfaced, leveraging social engineering techniques through Microsoft Teams to deploy the DarkGate malware.

According to researchers, the attackers posed as clients during Microsoft Teams calls to gain the trust of their targets and establish remote access to their systems. Although an attempt to install a Microsoft Remote Support application failed, the attackers succeeded in persuading victims to download AnyDesk, a widely used remote access tool.

Once AnyDesk was installed, the attackers exploited the access to deliver various malicious payloads, including a credential stealer and the DarkGate malware.

DarkGate, which has been active since 2018, operates as a remote access trojan (RAT) and has evolved into a malware-as-a-service (MaaS) offering. Sold to a limited but targeted clientele, it can steal credentials, log keystrokes, capture screens, record audio, and grant attackers full remote control of victim devices.

Separate researchers recently reported that the attackers initially inundated their target’s email inbox with thousands of emails before engaging them on Microsoft Teams. Masquerading as representatives of external suppliers, they convinced their victims to install AnyDesk, setting the stage for malware deployment. In this case, DarkGate malware was executed using an AutoIt script, demonstrating the attackers’ preference for diverse malware distribution methods.

Though the attack in question was thwarted before any data theft occurred, the incident highlights the ever-evolving tactics of cybercriminals in spreading malware. Organisations are advised to take precautionary measures, such as enabling multi-factor authentication, restricting the use of unapproved remote access tools, blocking unverified applications, and thoroughly vetting third-party support providers to mitigate risks associated with social engineering and phishing.
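As an added illustration of the "restrict unapproved remote access tools" advice above (example code written for this page, not from the researchers cited), the following Python check scans process-creation logs for AnyDesk launched from a user profile, for the AutoIt interpreter, and for child processes of a remote-access tool. The JSON field names, the allowlist of approved tools and the sample events are assumptions constructed for the example.

```python
"""Flag unapproved remote-access tools and script interpreters in process logs.

Assumes a JSON-lines export with fields ts, user, image, cmdline and parent
(an assumed layout, not any vendor's schema).
"""
import json

# Remote-access tools the (hypothetical) organisation has NOT approved;
# AnyDesk is the one the campaign above persuaded victims to install.
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}
# Tools the organisation does allow (assumed allowlist).
APPROVED_REMOTE_TOOLS = {"quickassist.exe"}
# Script interpreters worth alerting on; an AutoIt script launched DarkGate.
SCRIPT_INTERPRETERS = {"autoit3.exe"}

def basename(path):
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return a reason string if the event is suspicious, else None."""
    image = basename(event["image"])
    parent = basename(event.get("parent", ""))
    if image in REMOTE_ACCESS_TOOLS and image not in APPROVED_REMOTE_TOOLS:
        # A binary run from the user's profile (e.g. Downloads) rather than
        # Program Files is typical of a tool the user was talked into fetching.
        norm = event["image"].replace("\\", "/").lower()
        where = "user-profile" if "/users/" in norm else "system"
        return f"unapproved remote-access tool ({where} path)"
    if image in SCRIPT_INTERPRETERS:
        return "script interpreter launched: " + event.get("cmdline", "")
    if parent in REMOTE_ACCESS_TOOLS:
        return f"child process of remote-access tool {parent}"
    return None

def scan(log_lines):
    """Return [(ts, user, image, reason)] for every suspicious event."""
    findings = []
    for line in log_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reason = classify(ev)
        if reason:
            findings.append((ev["ts"], ev["user"], basename(ev["image"]), reason))
    return findings

# Constructed sample events (not real telemetry).
SAMPLE_LOG = r"""
{"ts": "2024-12-10T09:02:11Z", "user": "jdoe", "image": "C:\\Windows\\System32\\quickassist.exe", "cmdline": "quickassist.exe", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "2024-12-10T09:14:37Z", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "cmdline": "AnyDesk.exe", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "2024-12-10T09:20:05Z", "user": "jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AutoIt3.exe", "cmdline": "AutoIt3.exe script.a3x", "parent": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

The approved Quick Assist launch produces no finding, while the AnyDesk download and the AutoIt launch each do; in practice the allowlist and interpreter set would come from the organisation's own policy.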

This attack is part of a broader surge in phishing campaigns targeting individuals and organisations. Tactics include impersonating popular brands to approach YouTube content creators with fake promotions, using phishing emails with QR code-laden PDFs to harvest Microsoft 365 credentials, and hosting counterfeit websites on Cloudflare to trick users into sharing sensitive information. Other campaigns use HTML email attachments embedded with malicious scripts or exploit trusted platforms like DocuSign and Adobe InDesign to distribute phishing links.

Cybercriminals have also shown a tendency to capitalise on major global events, registering deceptive domains with event-specific keywords to exploit public interest.

By monitoring domain registrations, textual patterns, and DNS anomalies, security teams can proactively identify and neutralise potential threats. These incidents show why sustained vigilance matters: attackers continually change their tactics to deceive victims.