Microsoft Teams Fake Meetings Used for DarkGate Loader Malware Campaign

The attackers are using fake meeting notifications to lure users into downloading a malicious document.


A recent has been discovered exploiting Microsoft Teams to distribute the DarkGate malware. As reported by TrueSec, the attackers are using fake meeting notifications to lure users into downloading a malicious document. Once the document is opened, it triggers the download of the DarkGate malware.

Telekom Security Sheds Light on DarkGate

Telekom Security CTI's analysis reveals that the malware campaign was initially misattributed to Emotet due to a false positive match. However, further examination confirmed its association with the DarkGate malware family. The malware uses AutoIt scripts for its initial infection routine and communicates with a C2 protocol similar to previous versions of DarkGate.

Infection Chain Details

Victims receive a message containing a link. Clicking on this link, which likely points to a traffic distribution system (TDS), leads the victim to the final payload URL for an MSI download. Opening the downloaded MSI file initiates the DarkGate infection. In another observed campaign, the initial payload was delivered as a Visual Basic script. This script, after several obfuscation layers, uses the curl binary in Windows to download the AutoIt executable and script file from an attacker-controlled server.

DarkGate's Capabilities

The malware is equipped with various features, including persistence mechanisms, privilege escalation, defense evasion techniques, and credential access. It can detect and evade common sandbox and virtual machine (VM) solutions, check for well-known Antivirus products, and even masquerade its presence by injecting itself into legitimate Windows processes. Additionally, it can steal data from various programs, ranging from to software like Discord and FileZilla.

The Actor Behind DarkGate

A user named RastaFarEye has been promoting DarkGate Loader on cybercrime forums since June 16, 2023. This individual claims to have invested over 20,000 hours since 2017 in the malware's development. The actor offers various pricing models for the malware and limits its access to a maximum of 10 affiliates to maintain its exclusivity. Despite primarily communicating in English, there are indications that the actor might be familiar with Russian and Spanish, suggesting a diverse linguistic background.