Domain serving autoit payload as of this morning:

hxxp://infocatalog[.]pics:8080

Zip files and VBS scripts match this naming convention, instead of what's reported in the article, for at least the past month: [a-z]+-[a-z][0-9]{5}[a-z]

Where the first segment is the user's first initial followed by their last name.

#ioc #DarkGateLoader

If anyone else is trying to do any #threathunting on this article, I have found several related incidents where the lnk file just runs a vbs script in the zip file instead, and some using msiexec instead of autoit. I've had success searching on copying curl from system32.

The search looks for a cmd.exe process with copy followed by a system32 path to an executable.

https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams

#DarkGateLoader

Title: DarkGate Loader delivered via Teams - Truesec

Malspam campaigns involving DarkGate Loader have been on the rise since its author started advertising it as a Malware-as-a-Service offering on popular cybercrime forums in June 2023. Until now, DarkGate Loader had been seen delivered via traditional email malspam campaigns similar to those of Emotet. In August an operator started using Microsoft Teams to deliver the malware via HR-themed social engineering chat messages.

Truesec
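An added example (mine, not the poster's or Truesec's code) that runs both hunts from the posts above over constructed process-creation events: the cmd.exe "copy" of an executable out of System32, and the zip/vbs lure naming convention. The event field names "image" and "cmdline" are assumptions to be mapped onto your own EDR or Sysmon schema.

```python
import re

# Constructed process-creation events standing in for EDR/Sysmon telemetry
# (not real data). The field names "image" and "cmdline" are assumptions.
EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy C:\Windows\System32\curl.exe C:\Users\Public\cu.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c copy "C:\Windows\System32\msiexec.exe" %TEMP%\m.exe'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy C:\Users\bob\report.docx D:\backup"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c Copy-Item C:\Windows\System32\curl.exe ."},
]

# "copy" followed by a System32 path to an executable, as the post describes.
# Accepts a drive-letter or %SystemRoot%/%windir% prefix and optional quoting.
COPY_FROM_SYSTEM32 = re.compile(
    r'\bcopy\b\s+"?(?:[a-z]:\\windows|%systemroot%|%windir%)\\system32\\[^\s"\\]+\.exe\b',
    re.IGNORECASE,
)

def is_cmd_copy_from_system32(event):
    """True when a cmd.exe process copies an executable out of System32."""
    if not event["image"].lower().endswith("\\cmd.exe"):
        return False
    return COPY_FROM_SYSTEM32.search(event["cmdline"]) is not None

def hunt(events):
    """Return the command lines of the events that match the hunt."""
    return [e["cmdline"] for e in events if is_cmd_copy_from_system32(e)]

# Lure naming convention from the first post: <initial><lastname>-<letter><5 digits><letter>
# with a .zip or .vbs extension; kept case-sensitive like the posted pattern.
LURE_NAME = re.compile(r"^[a-z]+-[a-z][0-9]{5}[a-z]\.(?:zip|vbs)$")

def matches_lure_naming(filename):
    """True when a file name follows the observed zip/vbs naming convention."""
    return LURE_NAME.match(filename) is not None

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print("HUNT HIT:", hit)
    for name in ("jsmith-a12345b.zip", "Changes to the vacation schedule.zip"):
        print(name, "->", matches_lure_naming(name))
```

The PowerShell Copy-Item event is deliberately left out of the hunt, since the post scopes the search to cmd.exe; widen the image check if you want to cover it.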

"🚨 DarkGate Loader Strikes via Microsoft Teams! 🚨"

Malspam campaigns involving DarkGate Loader have surged since its debut as a Malware-as-a-Service on cybercrime forums in June 2023. Previously the malware was delivered via email campaigns akin to Emotet, but a twist emerged in August when an operator began exploiting Microsoft Teams. The malware was cunningly dispatched through HR-themed social engineering chat messages. 📩💼

Truesec's Cybersecurity Incident Response Team discovered that on August 29, compromised external Office 365 accounts were used to send Microsoft Teams chat messages. These messages cunningly persuaded recipients to download a malicious file. The senders, identified as “Akkaravit Tattamanas” and “ABNER DAVID RIVERA ROJAS”, had their accounts compromised and subsequently sold on the Dark Web. 🌐🔓

The malware, disguised as a file named “Changes to the vacation schedule.zip”, was later identified by Microsoft Defender as “BAT/Tisifi.A#”. A deep dive into the malware revealed its final payload as the DarkGate Loader. 📁🔥

For a comprehensive understanding of the DarkGate Loader and its capabilities, check out these articles:

To defend against such attacks, it's crucial to enhance security awareness and consider restricting Microsoft Teams chat requests to specific external domains. 🛡️🚫

Source: Truesec Blog

Tags: #DarkGateLoader #Malware #MicrosoftTeams #CyberSecurity #Malspam #SocialEngineering #Truesec 🌍🔒🖥️

Shining some light on the DarkGate loader

Telekom Security research and publications