The incident involved attackers employing social engineering via a Microsoft Teams call to impersonate a user’s client and gain remote access to the system. The attackers failed to install a Microsoft Remote Support application but successfully instructed the victim to download AnyDesk, a commonly used tool for remote access. Once the attacker gained access to the machine, they dropped multiple suspicious files.
One of these files was detected as Trojan.AutoIt.DARKGATE.D. Commands executed by Autoit3.exe led to a connection with a potential command-and-control server and the subsequent download of a malicious payload. Persistent files and registry entries were created on the victim’s machine. However, the attack was thwarted before any data could be exfiltrated.
A recent incident observed an attacker posing as an employee of a known client and targeting a user via a Microsoft Teams call. The user was instructed to download the remote desktop application AnyDesk, which then facilitated the deployment of DarkGate malware. Distributed via an AutoIt script, DarkGate enabled remote control over the user’s machine, executed malicious commands, gathered system information, and connected to a command-and-control server.
The victim first received thousands of emails.
Exploiting remote access tools
Subsequently, she received a Microsoft Teams call from someone claiming to be an employee of an external supplier.
During the call, the victim was instructed to download the Microsoft Remote Support application, but the installation via the Microsoft Store failed. The attacker then instructed the victim to download AnyDesk from its official site via a browser and manipulated her into entering her credentials. Moments after downloading, AnyDesk.exe was executed with the command:
"C:\Users\\Downloads\AnyDesk.exe" --local-service
This command runs AnyDesk as a local service, allowing it to operate with elevated privileges.
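The launch pattern above (a remote-access tool executed straight from a user's Downloads folder with a service-install flag, followed by Autoit3.exe running a script from a user-writable path) is something an EDR or SIEM rule can flag. The following is an added example, not code from the original write-up or from any vendor: a small Python triage routine run over constructed, simplified Sysmon-style process-creation events. The event shape, the field names, the sample paths and the user name "jdoe" are all assumptions for illustration; the only flag taken from the page is --local-service.

```python
import re
from dataclasses import dataclass

# Constructed sample events in a simplified Sysmon Event ID 1 shape.
# These are illustrative, not telemetry from the incident described above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "CommandLine": r'"C:\Users\jdoe\Downloads\AnyDesk.exe" --local-service',
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "CommandLine": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service',
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\Autoit3.exe",
     "CommandLine": r'"C:\Users\jdoe\AppData\Local\Temp\Autoit3.exe" test.a3x',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe report.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Remote-access tools that should not be launched ad hoc from a user profile.
# AnyDesk is the tool named in the write-up; extend this set to match local policy.
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}

# User-writable locations from which a freshly downloaded binary would typically run.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.I
)


@dataclass
class Finding:
    index: int      # position of the offending event in the input list
    rule: str       # name of the rule that fired
    severity: str   # "high" or "medium"


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events) -> list:
    """Apply two rules to a list of process-creation events and return findings.

    Rule 1: a remote-access tool executed from a user-writable directory;
            escalated to "high" when the command line carries --local-service,
            i.e. the binary is being set up as a service rather than just run.
    Rule 2: the AutoIt interpreter executed from a user-writable directory with
            a compiled (.a3x) or source (.au3) script as its argument.
    """
    findings = []
    for i, ev in enumerate(events):
        image, cmd = ev["Image"], ev["CommandLine"]
        name = basename(image)
        from_user_dir = bool(USER_WRITABLE.search(image))

        if name in REMOTE_ACCESS_TOOLS and from_user_dir:
            severity = "high" if "--local-service" in cmd.lower() else "medium"
            findings.append(Finding(i, "rat_from_user_dir", severity))

        if name == "autoit3.exe" and from_user_dir and re.search(r"\.(a3x|au3)\b", cmd, re.I):
            findings.append(Finding(i, "autoit_script_from_user_dir", "high"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.index}: {f.rule} [{f.severity}]")
```

The properly installed AnyDesk instance under Program Files (event 1) and the benign notepad launch (event 3) produce no findings; only the download-folder launch with --local-service and the AutoIt interpreter running a script from Temp are reported. In production the same logic would read real Sysmon or EDR telemetry rather than the embedded list.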
The breach, carried out in several stages, underscores the critical need for robust security measures and heightened awareness against social engineering attacks. Organizations must ensure employees are well-trained to recognize and respond appropriately to unexpected technical support requests, especially those involving installation of remote access tools. Effective defenses include:
– Implementing multi-factor authentication.
– Conducting regular security awareness training.
– Utilizing endpoint detection and response (EDR) tools to monitor and mitigate such attacks.
The incident emphasizes the importance of vigilance and robust cybersecurity practices in defending against sophisticated social engineering tactics and malware intrusions.