Security BUZZ - hackers are using Microsoft Teams and SharePoint to spread dangerous malware

  • 1.  Security BUZZ - hackers are using Microsoft Teams and SharePoint to spread dangerous malware

    Posted 11-10-2023 09:08

    If you use Microsoft Teams or SharePoint, you should be extra careful about the links and files you open. A new attack campaign has been discovered that uses these platforms to deliver malware named DarkGate, which can steal your data, spy on your activities, and even encrypt your files for ransom. DarkGate is multifaceted malware. It is also challenging to detect and remove, as it uses multiple layers of obfuscation and encryption.

    The infection starts with a fake invoice email that contains a PDF document. The PDF document looks like a DocuSign template and asks you to open a document to review. If you click on the document, you will download a CAB file, which is a compressed archive file. The CAB file contains an internet shortcut that will download another file, an MSI (Windows Installer) file. Running the MSI file will start a chain of loading mechanisms that will eventually execute the malware.

    When installed, the malware allows the attacker to control the victim's computer remotely without the victim noticing. The keylogging functionality will record the victim's keystrokes, which can reveal passwords and other sensitive information. The information stealer will collect the victim's personal and financial data, such as credit card numbers and bank accounts.

    Takeaways:

    • Hackers abuse legitimate services to mimic well-known platforms
    • Check that the sender's email address/domain matches the content of the message (e.g., DocuSign, SharePoint Online)
    • Pay attention to the page's design and the location of the buttons. [In this case, the DocuSign page had a message: "Page cannot be displayed. File is corrupted or damaged". Down below was a "view" button to retrieve the file.] Any deviations should raise a red flag
    • You don't need to install anything to open a PDF or sign a document via DocuSign. Any offer to install anything is a red flag.
    • This particular case results from the installation of multiple files chained together, but it is essentially initiated by the user (you). If your computer starts to act up, opening multiple windows or flashing screens, shut it down immediately and notify your security team

    #ALTACyber



    ------------------------------
    Genady Vishnevetsky
    Chief Info Security Officer
    Stewart Title Guaranty Company
    Houston TX
    ------------------------------
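Added example (not part of the post above, and not code from the campaign, from Microsoft or from any vendor): a small Python triage script for the CAB -> internet shortcut -> MSI hop the post describes. It parses the MS-CAB structures (CFHEADER, CFFOLDER, CFFILE, CFDATA) directly, decodes uncompressed and MSZIP folders, and reports every .url entry together with the URL= target it points at; LZX/Quantum folders are listed but not decoded, and CFDATA checksums are not verified. The sample cabinet, its file names and the example.invalid URL are constructed inside the script for the demo.

```python
"""Triage helper: find Internet Shortcut (.url) entries inside a .cab and show
where they point.  Added example, not from the original post or any vendor.
Handles uncompressed and MSZIP folders; LZX/Quantum are reported, not decoded."""
import struct
import zlib

CAB_SIGNATURE = b"MSCF"
COMPRESS_NONE, COMPRESS_MSZIP = 0, 1
CFHDR_RESERVE_PRESENT = 0x0004
ATTRIB_NAME_IS_UTF = 0x80


def _cstring(buf, off):
    """Read a NUL-terminated string at off; return (bytes, offset after NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end], end + 1


def parse_cab(data):
    """Return (folders, files, cb_cfdata): folders = [(coffCabStart, cCFData, type)],
    files = [(name, size, folder_index, offset_in_folder)]."""
    if data[:4] != CAB_SIGNATURE:
        raise ValueError("not a CAB file")
    (_, _, _, coff_files, _, _, ver_major, c_folders, c_files, flags,
     _, _) = struct.unpack_from("<IIIIIBBHHHHH", data, 4)
    if ver_major != 1:
        raise ValueError("unsupported CAB version")
    off, cb_cffolder, cb_cfdata = 36, 0, 0
    if flags & CFHDR_RESERVE_PRESENT:           # optional reserve areas per structure
        cb_cfheader, cb_cffolder, cb_cfdata = struct.unpack_from("<HBB", data, off)
        off += 4 + cb_cfheader
    for bit in (0x0001, 0x0002):                # PREV/NEXT cabinet: name + disk strings
        if flags & bit:
            _, off = _cstring(data, off)
            _, off = _cstring(data, off)
    folders = []
    for _ in range(c_folders):
        coff, c_cfdata, type_compress = struct.unpack_from("<IHH", data, off)
        folders.append((coff, c_cfdata, type_compress & 0x000F))
        off += 8 + cb_cffolder
    files, off = [], coff_files
    for _ in range(c_files):
        cb_file, uoff, i_folder, _, _, attribs = struct.unpack_from("<IIHHHH", data, off)
        raw, off = _cstring(data, off + 16)
        files.append((raw.decode("utf-8" if attribs & ATTRIB_NAME_IS_UTF else "cp437",
                                 "replace"), cb_file, i_folder, uoff))
    return folders, files, cb_cfdata


def folder_data(data, folder, cb_cfdata):
    """Decode and concatenate a folder's CFDATA blocks; None if compression unsupported."""
    coff, c_cfdata, type_compress = folder
    if type_compress not in (COMPRESS_NONE, COMPRESS_MSZIP):
        return None
    out, off = bytearray(), coff
    for _ in range(c_cfdata):
        _csum, cb_data, _cb_uncomp = struct.unpack_from("<IHH", data, off)  # csum not checked
        off += 8 + cb_cfdata
        block, off = data[off:off + cb_data], off + cb_data
        if type_compress == COMPRESS_NONE:
            out += block
            continue
        if block[:2] != b"CK":
            raise ValueError("bad MSZIP block signature")
        # MSZIP block = "CK" + raw DEFLATE; the previous 32 KiB of output is its dictionary.
        d = zlib.decompressobj(-15, zdict=bytes(out[-32768:])) if out else zlib.decompressobj(-15)
        out += d.decompress(block[2:])
    return bytes(out)


def shortcut_targets(cab_bytes):
    """Return [(entry_name, url_or_None)] for every .url entry in the cabinet."""
    folders, files, cb_cfdata = parse_cab(cab_bytes)
    decoded, hits = {}, []
    for name, size, i_folder, uoff in files:
        if not name.lower().endswith(".url"):
            continue
        if i_folder not in decoded:               # 0xFFFD..0xFFFF = folder spans cabinets
            decoded[i_folder] = (folder_data(cab_bytes, folders[i_folder], cb_cfdata)
                                 if i_folder < len(folders) else None)
        blob, url = decoded[i_folder], None
        if blob is not None:
            for line in blob[uoff:uoff + size].decode("latin-1").splitlines():
                if line.strip().upper().startswith("URL="):
                    url = line.strip()[4:]
                    break
        hits.append((name, url))
    return hits


def build_cab(entries, compression=COMPRESS_NONE):
    """Constructed sample: pack (name, bytes) entries into a one-folder, one-block CAB.
    MSZIP is really deflated; any other type just stores the bytes with that type tag."""
    payload = b"".join(content for _, content in entries)
    block = payload
    if compression == COMPRESS_MSZIP:
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        block = b"CK" + c.compress(payload) + c.flush()
    cffiles, uoff = b"", 0
    for name, content in entries:
        cffiles += struct.pack("<IIHHHH", len(content), uoff, 0, 0, 0, 0x20)
        cffiles += name.encode("ascii") + b"\x00"
        uoff += len(content)
    coff_files = 36 + 8                           # CFHEADER + one CFFOLDER
    coff_data = coff_files + len(cffiles)
    cfdata = struct.pack("<IHH", 0, len(block), len(payload)) + block   # checksum left 0
    header = CAB_SIGNATURE + struct.pack("<IIIIIBBHHHHH", 0, coff_data + len(cfdata), 0,
                                          coff_files, 0, 3, 1, 1, len(entries), 0, 0, 0)
    return header + struct.pack("<IHH", coff_data, 1, compression) + cffiles + cfdata


SAMPLE_ENTRIES = [  # constructed sample mirroring the chain in the post
    ("readme.txt", b"Please review the attached document.\r\n"),
    ("Invoice_2023.url", b"[InternetShortcut]\r\nURL=http://example.invalid/stage2/update.msi\r\n"),
]

if __name__ == "__main__":
    for name, url in shortcut_targets(build_cab(SAMPLE_ENTRIES, COMPRESS_MSZIP)):
        print(f"{name} -> {url}")
```

On a real attachment, call `shortcut_targets(open(path, "rb").read())`. A .url entry inside a cabinet that arrived by email is itself worth a ticket, whether or not the folder could be decoded, so the script still lists the entry (with `None` for the URL) when the folder uses LZX or Quantum.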