Title: DarkGate Loader delivered via Teams – Truesec

Investigating the Senders

Using Microsoft Purview’s eDiscovery tool we searched for the senders (participants) in Microsoft Teams.

The senders of the external Microsoft Teams chat messages were identified as “Akkaravit Tattamanas” (63090101@my.buu.ac.th) and “ABNER DAVID RIVERA ROJAS” (adriverar@unadvirtual.edu.co). Truesec Threat Intelligence confirmed that both accounts had been compromised by as-yet-unidentified malware and offered for sale on the dark web in August 2023.

Using the OSINT tool in AADInternals, we gathered more information on the Microsoft 365 tenant to which the accounts belong and used the domains listed for that tenant to search for additional messages.

Figure 1: Screenshot from the AADInternals OSINT tool with the sender’s Microsoft 365 tenant details.

HR-Themed Social Engineering Lure

Both senders sent an almost identically worded message containing a link to an externally hosted file, “Changes to the vacation schedule.zip”, hosted on the senders’ own SharePoint sites.

Figure 2: Screenshot of one of the MS Teams chat messages.

The SharePoint URLs hosting the remote attachment can be seen in the figure below.

Figure 3: URLs to the SharePoint sites hosting the remote ZIP file.

Downloading the Malware

Clicking the URL would take the victim to the SharePoint sites where the file “Changes to the vacation schedule.zip” could be downloaded.

Figure 4: Screenshot of a SharePoint site hosting the file “Changes to the vacation schedule.zip.”

The file was later identified by Microsoft Defender as malware “BAT/Tisifi.A#”.

Figure 5: Screenshot of MS Defender detecting the file as malicious.

Analyzing the Malicious Files

Using a combination of static and dynamic malware analysis our goal was to identify the final payload delivered in the campaign.

The ZIP file contains a malicious LNK file (shortcut) posing as a PDF document: “Changes to the vacation schedule.pdf.lnk.”

Figure 6: Screenshot of the extracted LNK file as shown in File Explorer.

Using Eric Zimmerman’s “LECmd.exe” to analyze the malicious LNK file, we can extract the command line it would execute upon opening.

Figure 7: Screenshot of the command executed after opening the LNK file.
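The step above, extracting the command line a shortcut will run, as an added example that is not Truesec’s tooling and not LECmd: a minimal parser for the Shell Link (MS-SHLLINK) header and StringData fields, with the triage heuristics an analyst applies to an LNK that arrives disguised as a PDF. The sample shortcut is constructed inline; its target and argument string (cmd.exe launching wscript.exe on C:\example\dropper.vbs) are hypothetical stand-ins for the real command shown in Figure 7.

```python
import struct
import sys

# Shell Link (MS-SHLLINK) constants
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))
# Hosts a shortcut lure typically launches so that a "PDF" can end up running script
SCRIPT_HOSTS = ("cmd.exe", "wscript", "cscript", "powershell", "mshta", "rundll32", "curl")


def parse_lnk(data: bytes) -> dict:
    """Validate the fixed 76-byte header, skip the IDList/LinkInfo blocks, return the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:                      # IDListSize (2 bytes) followed by the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags}
    for flag, name in STRING_FIELDS:            # each string: CountCharacters, then chars, no terminator
        if not flags & flag:
            info[name] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        info[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return info


def suspicious_indicators(filename: str, info: dict) -> list:
    """Triage heuristics for a shortcut delivered as an 'attachment'."""
    findings = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].rsplit(".", 1)[-1] in ("pdf", "doc", "docx", "xls", "xlsx", "txt"):
        findings.append("document-like double extension")
    cmdline = " ".join(filter(None, (info.get("relative_path"), info.get("arguments")))).lower()
    findings.extend(f"launches {host}" for host in SCRIPT_HOSTS if host in cmdline)
    return findings


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed sample input for this example: a minimal Unicode .lnk, not a real malware artifact."""
    flags = HAS_IDLIST | HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # FILE_ATTRIBUTE_ARCHIVE, SW_SHOWNORMAL
    idlist = struct.pack("<H", 2) + b"\x00\x00"                # empty IDList: only the TerminalID

    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + idlist + s(relative_path) + s(arguments)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data, name = open(sys.argv[1], "rb").read(), sys.argv[1]
    else:   # hypothetical command line, not the one from Figure 7
        name = "Changes to the vacation schedule.pdf.lnk"
        data = build_sample_lnk(r"..\..\Windows\System32\cmd.exe", r"/c wscript.exe C:\example\dropper.vbs")
    parsed = parse_lnk(data)
    print("target   :", parsed["relative_path"])
    print("arguments:", parsed["arguments"])
    print("findings :", suspicious_indicators(name, parsed))
```

Run with a path to a real .lnk to print its relative path and arguments; without arguments it parses the constructed sample. The parser deliberately ignores the ExtraData blocks after the StringData, which is where a fuller tool such as LECmd also recovers the target machine’s name and MAC address.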

Executing the VBScript file C:tgphasrxmp.vbs in turn downloads and executes the file at hXXp://5[.]188[.]87[.]58:2351/wbzadczl (URL defanged).

Figure 8: Wireshark trace of the VBScript file download.

The commands use a Windows build of cURL (renamed to wbza) to download and execute AutoIt3.exe together with the bundled script eszexz.au3. The script file is not plain-text AutoIt: the compiled script is embedded in the middle of the file, and the interpreter locates it by scanning for the magic bytes 0x4155332145413036 (“AU3!EA06”), so everything before that marker is padding that a naive look at the file head never reveals.

Figure 9: Screenshot of the bundled AutoIT script file.
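Locating the embedded compiled script the way the interpreter does, as an added example that is not Truesec’s or the DarkGate authors’ code: scan an arbitrary blob for the AU3!EA06 marker, report how much padding precedes it, and carve from the marker onward so the result can be handed to a decompiler or config extractor. The input blob is constructed inline (deterministic junk followed by the marker and a placeholder body), not the real eszexz.au3.

```python
import sys
from typing import Optional

AU3_MAGIC = bytes.fromhex("4155332145413036")   # b"AU3!EA06": header of an AutoIt3 compiled script


def locate_au3(data: bytes) -> Optional[dict]:
    """Find the embedded compiled script the same way AutoIt3.exe does: by scanning for the magic."""
    idx = data.find(AU3_MAGIC)
    if idx < 0:
        return None
    return {
        "offset": idx,                            # bytes of padding/junk before the marker
        "marker_count": data.count(AU3_MAGIC),    # more than one can mean a second script or a decoy
        "body": data[idx:],                       # marker plus the script body the interpreter loads
    }


def build_sample_container(padding: int = 512) -> bytes:
    """Constructed test input: deterministic junk, then the marker, then a placeholder body."""
    junk = bytes((i * 37 + 11) & 0xFF for i in range(padding))   # step of 37 never spells the marker
    return junk + AU3_MAGIC + b"\x00" * 16 + b"placeholder-compiled-script-body"


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_container()
    hit = locate_au3(data)
    if hit is None:
        print("no AU3!EA06 marker: plain-text .au3, a different AutoIt version, or not AutoIt at all")
    else:
        print(f"marker at offset {hit['offset']:#x}, {hit['marker_count']} marker(s), "
              f"body {len(hit['body'])} bytes")
        if len(sys.argv) > 2:
            open(sys.argv[2], "wb").write(hit["body"])   # carve for a decompiler / config extractor
```

Usage: `python locate_au3.py eszexz.au3 carved.bin`. The offset is itself a useful indicator: a marker hundreds of kilobytes into a file that claims to be a script is the padding trick described above.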

When the script runs, AutoIt drops a new file containing shellcode, and before executing it checks whether Sophos antivirus is installed.

Figure 10: The deobfuscated AutoIt script showing the check for Sophos antivirus.

If Sophos is not installed, further code in the AutoIt script is deobfuscated and used to launch the shellcode.

Figure 11: Screenshot of the AutoIt shellcode execution.

When the shellcode runs, the first thing it does is assemble a new file in memory byte by byte, writing each byte with its own instruction. This technique is known as stack strings (or stacked strings). The figure below shows that the first two bytes of the created file are 0x4d and 0x5a (“MZ”), the signature of a Windows executable.

Figure 12: Screenshot from Ghidra showing the shellcode’s use of stack strings to load a new Windows executable.
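Recovering what such stack-string code assembles, as an added example not taken from the original analysis: a pattern-based reconstructor that finds runs of single-byte immediate stores relative to ebp/rbp (C6 45 disp8 imm8) or esp/rsp (C6 44 24 disp8 imm8), orders them by displacement, and flags any reconstructed buffer that starts with “MZ”. The shellcode bytes are constructed by hand for this example, not taken from the DarkGate sample; the byte-pattern approach only covers those two encodings, so for a real sample it is a first pass before emulation-based tools such as FLOSS or a Ghidra script.

```python
import re

# mov byte ptr [ebp+disp8], imm8  ->  C6 45 disp8 imm8   (same encoding for rbp in x86-64)
# mov byte ptr [esp+disp8], imm8  ->  C6 44 24 disp8 imm8 (same encoding for rsp in x86-64)
STORE_RE = re.compile(rb"\xc6(?:\x45(.)|\x44\x24(.))(.)", re.DOTALL)

# Constructed sample: a prologue, six ebp-relative stores spelling the start of a DOS header
# with a NOP interleaved, an unrelated lea/push/call/pop sequence, then three esp-relative
# stores spelling "cmd". Hand-assembled for this example; not bytes from the real shellcode.
SAMPLE_SHELLCODE = (
    b"\x55\x89\xe5"                                # push ebp ; mov ebp, esp
    b"\xc6\x45\xf0\x4d"                            # mov byte [ebp-0x10], 'M'
    b"\xc6\x45\xf1\x5a"                            # mov byte [ebp-0x0f], 'Z'
    b"\x90"                                        # nop (interleaved instruction)
    b"\xc6\x45\xf2\x90"                            # mov byte [ebp-0x0e], 0x90
    b"\xc6\x45\xf3\x00"                            # mov byte [ebp-0x0d], 0x00
    b"\xc6\x45\xf4\x03"                            # mov byte [ebp-0x0c], 0x03
    b"\xc6\x45\xf5\x00"                            # mov byte [ebp-0x0b], 0x00
    b"\x8d\x45\xf0\x50\xe8\x00\x00\x00\x00\x58"    # lea eax,[ebp-0x10]; push eax; call $+5; pop eax
    b"\xc6\x44\x24\x04\x63"                        # mov byte [esp+4], 'c'
    b"\xc6\x44\x24\x05\x6d"                        # mov byte [esp+5], 'm'
    b"\xc6\x44\x24\x06\x64"                        # mov byte [esp+6], 'd'
    b"\xc3"                                        # ret
)


def recover_stack_strings(code: bytes, max_gap: int = 8) -> list:
    """Group nearby byte stores with the same base register and rebuild each buffer in memory order."""
    groups, current, last_end = [], None, None
    for m in STORE_RE.finditer(code):
        base = "ebp" if m.group(1) is not None else "esp"
        disp_raw = (m.group(1) if base == "ebp" else m.group(2))[0]
        disp = disp_raw - 256 if disp_raw >= 0x80 else disp_raw    # disp8 is signed
        # a new group starts when the base changes or too many unrelated bytes sit between stores
        if current is None or base != current["base"] or m.start() - last_end > max_gap:
            current = {"offset": m.start(), "base": base, "stores": {}}
            groups.append(current)
        current["stores"][disp] = m.group(3)
        last_end = m.end()
    result = []
    for g in groups:
        disps = sorted(g["stores"])
        result.append({"offset": g["offset"], "base": g["base"], "first_disp": disps[0],
                       "bytes": b"".join(g["stores"][d] for d in disps)})
    return result


def find_embedded_pe(code: bytes) -> list:
    """Return only the reconstructed buffers that begin with the 'MZ' DOS header signature."""
    return [s for s in recover_stack_strings(code) if s["bytes"].startswith(b"MZ")]


if __name__ == "__main__":
    for s in recover_stack_strings(SAMPLE_SHELLCODE):
        print(f"{s['offset']:#06x} [{s['base']}{s['first_disp']:+#x}] {s['bytes']!r}")
    print("PE headers built on the stack:", len(find_embedded_pe(SAMPLE_SHELLCODE)))
```

Because the matcher works on raw bytes, a C6 45 sequence inside an unrelated instruction or immediate will produce a false store; treating the result as a lead to confirm in the disassembler, as in Figure 12, rather than as ground truth keeps that from mattering.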

The payload could then be extracted from memory and analyzed with PE Studio from www.winitor.com:

Figure 13: Screenshot from PE Studio showing technical details about the payload.

The payload was identified as “DarkGateLoader” on VirusTotal. Once the malware family was known, we found an excellent write-up from Deutsche Telekom CERT and used their config extractor on the AutoIt script file “eszexz.au3” to extract the DarkGate malware’s configuration:

Figure 14: Configuration extracted from the DarkGate malware.

Further reading on the DarkGate Loader and DarkGate malware capabilities:




This attack was detected thanks to the security awareness training of the recipients. Unfortunately, the current Microsoft Teams security features, such as Safe Attachments and Safe Links, were not able to detect or block it. Right now, the only way to prevent this attack vector within Microsoft Teams is to accept chat requests only from specific external domains. This can have business implications, since every trusted external domain then has to be allow-listed by an IT administrator.
More on how these settings can be activated and used can be found here:

Indicators of Compromise


SHA256 Hash

Changes to the vacation schedule.zip


Changes to the vacation schedule.pdf.lnk






A similar file with the same filename, “Changes to the vacation schedule.zip,” and behavior (but with a different hash) is available on VirusTotal: https://www.virustotal.com/gui/file/09904d65e59f3fbbbf38932ae7bff9681ac73b0e30b8651ec567f7032a94234f.





hXXp://5[.]188[.]87[.]58:2351/msiwbzadczl

Command & Control Server


Compromised Email Addresses



Source: https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams