Title: DarkGate Loader delivered via Teams – Truesec

DarkGate Loader was delivered through a Microsoft Teams social-engineering campaign that used compromised external accounts to share a ZIP file hosted on SharePoint. The attack chain includes a masquerading LNK file, VBScript, AutoIt, and memory-loaded shellcode that culminates in the DarkGate malware; the write-up notes that Microsoft Defender detected it. #DarkGateLoader #DarkGate #AkkaravitTattamanas #ABNERDAVIDRIVERAROJAS #SharePoint #MicrosoftTeams

Keypoints

  • The senders of external Teams messages were identified as compromised accounts used to push the malicious link.
  • An HR-themed social-engineering lure led victims to an externally hosted ZIP file titled “Changes to the vacation schedule.zip”.
  • The ZIP contained a malicious LNK file masquerading as a PDF (Changes to the vacation schedule.pdf.lnk) to trigger the chain.
  • Opening the LNK executes a VBScript that downloads and runs a remote payload from a C2 server (5.188.87.58:2351).
  • The download chain uses a Windows build of curl (renamed wbza) to fetch AutoIt3.exe and eszexz.au3; the AutoIt script hides its code inside the file and checks for Sophos before execution.
  • The payload is DarkGate Loader; memory-loaded shellcode is dropped and reconstructed via stacked strings, with the configuration extracted from the AutoIt script.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – The HR-themed lure used a link to an externally hosted file: “Both senders had an identical-sounding message with a link to an externally hosted file, ‘Changes to the vacation schedule.zip’ (hosted on the senders’ SharePoint sites).”
  • [T1023] LNK – The ZIP contains a malicious LNK file posing as a PDF document: “The ZIP file contains a malicious LNK file (shortcut) posing as a PDF document: ‘Changes to the vacation schedule.pdf.lnk.’”
  • [T1059.005] VBScript – The VBScript file in C:tgphasrxmp.vbs triggers the download and execution of a remote payload: “The execution of the VBScript file in C:tgphasrxmp.vbs triggers the download and execution of the file hXXp://5[.]188[.]87[.]58:2351/wbzadczl”
  • [T1105] Ingress Tool Transfer – The VBScript chain downloads AutoIt3.exe and eszexz.au3 using a Windows build of curl: “The commands make use of a Windows version of cURL (renamed to wbza) to download and execute Autoit3.exe and the bundled script eszexz.au3.”
  • [T1562.001] Impair Defenses – The AutoIt script checks for Sophos antivirus and only proceeds if it is not installed: “before execution, it makes a check to see if Sophos antivirus is installed.”
  • [T1027] Obfuscated/Compressed Files and Information – The AutoIT script hides code in the middle of the file using magic bytes AU3!EA06: “The pre-compiled AutoIT script hides the code in the middle of the file by looking for the magic bytes 0x4155332145413036 (AU3!EA06).”
  • [T1059.001] Command and Scripting Interpreter (general) / [T1071.001] Web Protocols – The payload communicates and/or retrieves components from a remote C2 over HTTP: “C2 Server: http://5[.]188[.]87[.]58:2351”
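Two of the artefacts above lend themselves to simple file-level checks a defender can run on quarantined samples: the double-extension shortcut inside the ZIP (“.pdf.lnk”) and the AU3!EA06 marker that locates the compiled AutoIt script somewhere in the middle of the dropped file. The following Python is an added example, not code from Truesec or from the write-up; it builds a constructed ZIP and a constructed byte blob inline so it runs offline, and the only page-derived values are the two SHA-256 hashes and the magic bytes listed on this page. Entry names, the document-extension list and the sample contents are assumptions for illustration.

```python
import hashlib
import io
import zipfile

# SHA-256 indicators listed on this page (from the Truesec write-up).
IOC_SHA256 = {
    "0c59f568da43731e3212b6461978e960644be386212cc448a715dbf3f489d758",
    "bcd449470626f4f34a15be00812f850c5e032723e35776fb4b9be6c7be6c8913",
}

# Marker the write-up says the pre-compiled AutoIt script is located by:
# 0x4155332145413036 is the ASCII string "AU3!EA06".
AU3_MAGIC = bytes.fromhex("4155332145413036")

# Document extensions a lure would plausibly show in front of ".lnk" (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def suspicious_zip_entries(zip_bytes: bytes) -> list:
    """Return ZIP entry names that are shortcuts hiding behind a document extension,
    e.g. 'Changes to the vacation schedule.pdf.lnk'."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if not lower.endswith(".lnk"):
                continue
            stem = lower[: -len(".lnk")]
            if any(stem.endswith(ext) for ext in DOCUMENT_EXTS):
                hits.append(name)
    return hits


def find_au3_payload(data: bytes) -> int:
    """Offset of the AU3!EA06 marker anywhere in the buffer, or -1 if absent.
    The whole buffer is scanned because the write-up says the script sits in the
    middle of the file, so a header-only check would miss it."""
    return data.find(AU3_MAGIC)


def sha256_matches_ioc(data: bytes) -> bool:
    """True if the buffer's SHA-256 is one of the page's listed hashes."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


def build_sample_zip() -> bytes:
    """Constructed sample archive: one double-extension shortcut and one benign file.
    The shortcut body is a placeholder, not a real LNK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Changes to the vacation schedule.pdf.lnk", b"L\x00\x00\x00" + b"\x00" * 16)
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


# Constructed blob: padding, a junk prefix, then the marker at offset 314.
SAMPLE_AU3_BLOB = b"\x00" * 300 + b"garbage header" + AU3_MAGIC + b"\x01\x02\x03"


if __name__ == "__main__":
    sample_zip = build_sample_zip()
    print("double-extension shortcuts:", suspicious_zip_entries(sample_zip))
    print("AU3!EA06 marker offset:", find_au3_payload(SAMPLE_AU3_BLOB))
    print("zip hash in IoC list:", sha256_matches_ioc(sample_zip))
```

The three checks are independent so they can be dropped into a triage script separately: the ZIP scan flags the lure format before anything is extracted, the marker search is cheap enough to run on every dropped file regardless of its declared type, and the hash match is the narrowest of the three and only confirms the exact samples from the write-up.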

Indicators of Compromise

  • [Filename] context – Changes to the vacation schedule.zip, Changes to the vacation schedule.pdf.lnk, c:tgphasrxmp.vbs, c:wbzaeszexz.au3
  • [SHA256 Hash] context – 0c59f568da43731e3212b6461978e960644be386212cc448a715dbf3f489d758, bcd449470626f4f34a15be00812f850c5e032723e35776fb4b9be6c7be6c8913
  • [IPs/ C2] context – 5.188.87.58:2351, and 5[.]188[.]87[.]58:2351 (msiwbzadczl)
  • [URLs] context – hXXps://burapha-my[.]sharepoint[.]com/:u:/g/personal/63090101_my_buu_ac_th/EWkB0l3nR4dCjDmwAe7jb7kBWPPkDObt8wVbmB1O6UztmA, hXXps://unadvirtualedu-my[.]sharepoint[.]com/personal/adriverar_unadvirtual_edu_co/Documents/Microsoft%20Teams%20Chat%20Files/Changes%20to%20the%20vacation%20schedule.zip
  • [Emails] context – [email protected], [email protected]

Read more: https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams