Catches of the Month: Phishing Scams for September 2023

Welcome to our September 2023 catches of the month feature, which examines recent phishing scams and the tactics criminals use to trick people into compromising their data.

Following last month’s news that Microsoft was the most impersonated brand in phishing scams in Q2 2023 – which is hardly surprising given its popularity – this month we discuss three more Microsoft-based scams: two involving Teams and one exploiting Word.

Storm-0324 malware distributor targets victims via Teams

Microsoft reports that a threat actor identified as Storm-0324, who has been associated with email phishing campaigns since at least 2016, has been sending phishing lures via Teams since July 2023.

Microsoft did not set out Storm-0324’s aim in this campaign, but the group is known to have worked with numerous malware groups to distribute malicious payloads including the Trickbot malware, Gootkit and Dridex banking Trojans, and Sage and GandCrab ransomware.

More recently, it has mainly distributed the JSSLoader malware for the Sangria Tempest group. Storm-0324’s phishing lures “typically reference invoices and payments, mimicking services such as DocuSign, Quickbooks, and others”.

According to Microsoft, Storm-0324’s latest campaign has likely used a tool called TeamsPhisher, which “enables Teams tenant users to attach files to messages sent to external tenants, which can be abused […] to deliver phishing attachments”.

This vulnerability was identified by Max Corbridge and Tom Ellson of JUMPSEC in June. They found that, although Microsoft’s default configuration allows users from outside an organisation to message their staff members but not send files, certain security controls are implemented client-side and are relatively straightforward to bypass by “using a traditional IDOR technique of switching the internal and external recipient ID on the POST request”.

So, if an attacker uses a social engineering pretext to trick the staff member, for instance by impersonating a colleague, they can then send malicious files that stand a good chance of being opened.

“When sending the payload like this,” Corbridge explains, “it is actually hosted on a Sharepoint domain and the target downloads it from there. It appears, however, in the target inbox as a file, not a link.”

Corbridge reported the vulnerability to Microsoft, which “validated that the vulnerability is legitimate, but said that it ‘did not meet the bar for immediate servicing’”.

In its blog about Storm-0324, Microsoft says it has “suspended identified accounts and tenants associated with inauthentic or fraudulent behavior” as well as rolled out security enhancements on Teams to identify threat actors like Storm-0324 as “EXTERNAL” users – if organisations’ security settings allow external users to message their staff, that is.

DarkGate Loader malware delivered via Microsoft Teams attachment

Researchers at Truesec have discovered a similar Teams-based phishing campaign, which delivers the DarkGate Loader malware via messages ostensibly about changes to staff holidays.

Truesec found that Teams messages containing a malicious ZIP file were being sent from two compromised Teams accounts: “Akkaravit Tattamanas” (63090101@my.buu.ac.th) and “ABNER DAVID RIVERA ROJAS” (adriverar@unadvirtual.edu.co).

The ZIP file, titled “Changes to the vacation schedule”, contains a malicious link masquerading as a PDF document hosted on a SharePoint site. Once downloaded, the file triggers a script that, after several further stages, installs a malware payload identified as DarkGate Loader, which is more usually distributed via malicious emails.
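The lure above works because the archive member looks like a document but is really a link or shortcut. The following PowerShell triage script is an added example written for this post (it is not Truesec's tooling and does not reproduce the real sample): it opens a ZIP with the .NET `System.IO.Compression` classes and flags members whose type executes or opens a link rather than displaying a document, members that hide a document extension inside a double extension such as `schedule.pdf.url`, and names containing the Unicode right-to-left override. The archive it inspects is constructed in a temp directory for the demonstration; the member names are made up.

```powershell
# Added example, not part of the original post or the Truesec report.
# Requires Windows PowerShell 5.1 or PowerShell 7 (Compress-Archive and .NET zip support).
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-SuspiciousArchiveMember {
    param([Parameter(Mandatory)][string]$Name)
    # Member types that run code or open a URL instead of rendering a document.
    $executableExt = @('.lnk', '.url', '.html', '.htm', '.js', '.vbs', '.exe', '.scr', '.bat', '.cmd', '.ps1')
    $ext  = [System.IO.Path]::GetExtension($Name).ToLowerInvariant()
    $stem = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    $reasons = @()
    if ($executableExt -contains $ext) { $reasons += "executable/link type '$ext'" }
    # Double extension: "something.pdf.url" still ends in a document extension before the real one.
    if ($stem -match '\.(pdf|docx?|xlsx?|pptx?)$') { $reasons += 'document extension hidden in a double extension' }
    # U+202E reverses the displayed order of the trailing characters, hiding the real extension.
    if ($Name.IndexOf([char]0x202E) -ge 0) { $reasons += 'right-to-left override character in name' }
    return $reasons
}

function Get-ArchiveTriage {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName.EndsWith('/')) { continue }   # directory placeholder, nothing to inspect
            $reasons = @(Test-SuspiciousArchiveMember -Name $entry.FullName)
            [pscustomobject]@{
                Member  = $entry.FullName
                Bytes   = $entry.Length
                Verdict = if ($reasons.Count -gt 0) { 'SUSPICIOUS' } else { 'ok' }
                Reasons = ($reasons -join '; ')
            }
        }
    }
    finally { $zip.Dispose() }
}

# --- Demonstration on a constructed archive (names and contents are made up) ---
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) ('triage-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
'harmless placeholder'        | Set-Content (Join-Path $tmp 'schedule.pdf')
'[InternetShortcut]'          | Set-Content (Join-Path $tmp 'Changes to the vacation schedule.pdf.url')
$zipPath = Join-Path $tmp 'sample.zip'
Compress-Archive -Path (Join-Path $tmp '*.pdf'), (Join-Path $tmp '*.url') -DestinationPath $zipPath

# Expected: schedule.pdf -> ok; the .pdf.url member -> SUSPICIOUS with two reasons.
Get-ArchiveTriage -Path $zipPath | Format-Table -AutoSize
```

Point this at a quarantined attachment (`Get-ArchiveTriage -Path .\attachment.zip`) before anyone opens it. The checks are deliberately conservative: they say nothing about the member's contents, only about whether its name and type are consistent with the document it claims to be, which is exactly the mismatch the vacation-schedule lure relies on.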

Source: Truesec

According to Telekom Security, DarkGate Loader’s developer, who goes by the name RastaFarEye, has been developing the malware since 2017 and has been advertising it as a malware-as-a-service model since 16 June 2023. RastaFarEye “advertises DarkGate as the ‘ultimate tool for pentesters/redteamers’ and that it has ‘features that you won’t find anywhere’” and claims that it “is completely undetected by common AV products”.

Malwarebytes reports that, once installed, DarkGate Loader can be used for many nefarious purposes, including “remote access, cryptocurrency mining, keylogging, clipboard stealing, and information stealing”.

Truesec reports that “current Microsoft Teams security features such as Safe Attachments or Safe Links was not able to detect or block this attack”.

The lesson to be learned from both this and the Storm-0324 campaign is that it’s a sensible precaution to disable the option for external accounts to message your staff, or to allow only a select list of trusted domains, and to train your staff about phishing and other social engineering attacks.
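Both mitigations in the paragraph above are tenant-level external access (federation) settings in Teams. The script below is an added example, not from this post or from Microsoft's Storm-0324 write-up; it assumes the `MicrosoftTeams` PowerShell module and a Teams administrator account, and the partner domain names it allow-lists are placeholders. It first reports the current posture, then shows the two options side by side: closing external access completely, or restricting it to a named list of trusted domains.

```powershell
# Added example, not part of the original post. Assumes the MicrosoftTeams module
# (Install-Module MicrosoftTeams) and Teams administrator rights.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

function Get-ExternalAccessPosture {
    # Summarise whether external Teams tenants can currently message this tenant's users.
    $cfg = Get-CsTenantFederationConfiguration
    if (-not $cfg.AllowFederatedUsers) {
        return 'CLOSED: external Teams tenants cannot message staff'
    }
    # When an allow-list is configured, AllowedDomains carries an AllowedDomain collection;
    # when all domains are allowed, that collection is absent (count 0).
    if (@($cfg.AllowedDomains.AllowedDomain).Count -gt 0) {
        return 'RESTRICTED: only allow-listed domains can message staff'
    }
    return 'OPEN: any external Teams tenant can message staff'
}

# 1. Inspect the current state before changing anything.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowPublicUsers, AllowedDomains, BlockedDomains
Get-ExternalAccessPosture

# 2a. Option A: remove external messaging altogether (also blocks personal Teams and
#     Skype consumer accounts, which are separate switches).
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                    -AllowTeamsConsumer $false `
                                    -AllowPublicUsers $false

# 2b. Option B: keep external access but only for a short list of trusted partner domains.
#     (placeholder domain names; replace with the partners you actually work with)
$trusted = @('partner-one.example', 'partner-two.example')
$patterns  = $trusted | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 3. Confirm the result.
Get-ExternalAccessPosture
```

Run either step 2a or 2b, not both; the second overwrites the first. Newer releases of the module also accept `-AllowedDomainsAsAList @{Add='partner-one.example'}` on `Set-CsTenantFederationConfiguration` for incremental changes to the list. Whichever option you choose, re-run `Get-ExternalAccessPosture` after any tenant change, since the Storm-0324 and DarkGate lures only work while the result reads OPEN.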

RedLine Clipper, Agent Tesla and OriginBotnet malware spread via malicious Word docs

Fortinet has discovered a phishing campaign that distributes malware via Word documents that contain a malicious link.

According to Fortinet, the document is sent as an attachment, which is presented as “a deliberately blurred image and a counterfeit reCAPTCHA”.

Clicking it leads to the victim downloading malware including OriginBotnet, RedLine Clipper and AgentTesla.

Source: Fortinet

  • OriginBotnet “has a range of capabilities, including collecting sensitive data, establishing communications with its C2 [command and control] server, and downloading additional files from the server to execute keylogging or password recovery functions on compromised devices”.
  • RedLine Clipper, also known as ClipBanker, is a cryptocurrency stealer that relies on the fact that, because crypto wallet addresses are so complex, users typically copy and paste them during transactions. It manipulates “the user’s system clipboard activities to substitute the destination wallet address with one belonging to the attacker” and works with “Bitcoin, Ethereum, Dogecoin, Litecoin, Dashcoin, and Monero”.
  • AgentTesla is a keylogger that can “log keystrokes, access the host’s clipboard, and conduct disk scans to uncover credentials and other valuable data”.

According to Fortinet, “The attack demonstrated sophisticated techniques to evade detection and maintain persistence on compromised systems.”

The group responsible for the attacks is not known.

Can you spot a scam?

All organisations are vulnerable to phishing, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.