CTI Roundup: DarkGate Malware Spreads on MS Teams, Phishing Rises on Telegram

In this week’s roundup, CTI explores a case concerning an external user sending unsolicited Microsoft Teams chats to several employees. Next, CTI investigates a Guardio Labs report on how the phishing ecosystem has evolved to be democratized. Finally, CTI wraps up with a look at a ransomware group known as BianLian which has remained in the top 10 most active groups based on collected leak site data.

1. DarkGate malware spreads via Teams group chats

AT&T’s Cybersecurity Managed Detection and Response (MDR) team recently worked with one of their customers concerning an external user sending unsolicited Microsoft Teams chats to several of their employees.

AT&T determined that the threat actor was associated with DarkGate malware and was looking to push malware to members of the organization via Teams group chats.

The initial event

AT&T’s investigation began when their customer provided a screenshot of an external entity inviting them to a group chat on Microsoft Teams that they believed to be phishing.

The sender’s domain was “.onmicrosoft[.]com” which could appear legitimate to some users at first glance. AT&T’s research on this domain did not turn up any reports of suspicious activity. As a result, it’s likely that the username and/or the entire domain was compromised before the attack.

The investigation

AT&T performed a search for the external username within their customer’s environment and found over 1,000 “MessageSent” events in Microsoft Teams that were generated by this username. While the events did not include the IDs of the recipients it did include the tenant ID of the external user.

From here, they chose to look specifically at “MemberAdded” events to find how many users joined a chat with this user. AT&T was able to identify three users who entered a chat with this user and downloaded a double extension file named “Navigating Future Changes October 2023.pdf.msi.”

AT&T obtained the associated hashes and passed these to the customer for blocking. After detonating the malicious file in a sandbox environment, they were able to observe it reaching out to a domain that had been previously associated with DarkGate C2 activity.

Recommendation action

To prevent these types of attacks from impacting operations, AT&T suggests disabling External Access within Microsoft Teams unless it is necessary for day-to-day business.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This attack is so simple, yet so effective, it’s no wonder we’ve seen hackers use Microsoft Teams to spread DarkGate before. There is no complex custom malware or longwinded means of access. It simply relies on social engineering and takes advantage of the level of trust employees have with their internal communication platform.

If anything, this attack is a reminder that phishing and social engineering does not solely happen via email and that we should be vigilant across all platforms.

2. Telegram marketplaces contribute to phishing attacks

Researchers at Guardio Labs recently reported on how the phishing ecosystem has evolved to be democratized.

This evolution is largely due to Telegram and how the platform enables cybercriminals to easily obtain what is needed for an attack — a task that was previously only available to those on the dark web and behind Tor Onion networks.

Telegram’s phishing markets

Guardio Labs took a deep dive into the Telegram phishing ecosystem and reconstructed a malicious campaign for only $230 to show just how simple it is.

Because Telegram hosts many public channels and groups, a simple search is all that’s needed for a cybercriminal to get started, which is exactly the type of phishing scam perpetrated by North Korean groups – also via Telegram – that we reported on last year.

Finding a phishing site

Guardio Labs began by searching Telegram for scam pages or phishing pages that they could use as the landing page of their phishing attack. The pages they found on Telegram came equipped with anti-detection and code obfuscating techniques along with other optional techniques like MFA bypass. These pages ranged from around $10 for a simple page to $800 or more for those with advanced techniques.

After finding a page, they contacted the seller and negotiated the price down to $30. Next, they needed to find somewhere to host the page. They started simply and chose to use a free web shell sample of a randomly compromised WordPress site that they found in one of the public groups. For persistence, they replaced the web shell with their own password-protected file. They then went live with their page.

Propagation/messaging

After setting up their phishing site, they needed to send the associated phishing emails. Many of the methods of doing this are quite expensive. They opted to leverage a PHP mailer method as there were a range of free samples available to them. They were able to find samples that had not been previously used before and therefore were not previously blacklisted. They found that they could send about 25,000 emails per free sample.

Having three to four mailers, they could potentially send roughly 100,000 phishing emails. They then had to determine what the emails should say to bypass spam filters and get people to click the link.

Leads

With their phishing page and phishing email squared away, they needed to determine who to send the emails to. Lists of active email addresses are referred to as “leads.” These leads are occasionally available for free but will vary in price depending on how detailed the information is. They were able to acquire a list of 100,000 Bank of America customers for only $200 via Telegram.

Simulating revenues

Guardio Labs made several assumptions to come up with their depiction below. They assumed that out of 100,000 emails, they would obtain the credentials of 50 individuals.

These bank account details could then hypothetically be sold back into the cybercriminal ecosystem for a price. Making additional assumptions about how much they could sell these for, they believe a similar phishing scam could make over $2,000 with only $230 spent upfront.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Guardio Labs very clearly spells out just how simple it is for cybercriminals of any sophistication level to carry out phishing campaigns. Their research further proves that even basic phishing kits can turn a profit for cybercriminals, making you wonder how much threat actors actually make off of some of the more sophisticated phishing kits out there.

What’s perhaps most interesting about the evolution of the phishing ecosystem is that everything needed for an attack is now publicly available, when it used to hide behind invite-only dark web forums.

3. BianLian targets multiple industries

Palo Alto is tracking a group known as BianLian, which has remained in the top 10 most active ransomware groups based on collected leak site data.

Their research uncovered a small, customized tool that is also used by the Makop ransomware group, indicating a possible connection between the two operations.

What is BianLian?

BianLian emerged in 2022 and claims new victims on their data leak site almost weekly.

The group tends to focus on healthcare, manufacturing, professional services, and legal services sectors in North America, the EU, and India. BianLian has recently moved away from double extortion to extortion without encryption.

The operation is believed to be actively expanding based on the group’s leak site that indicates they are hiring new developers and affiliates.

BianLian’s possible connection to Makop

Palo Alto discovered a small .NET custom executable during this analysis. This executable is found in common with both BianLian and Makop ransomware groups, both of which also used the same hash of the publicly available Advanced Port Scanner tool.

This custom executable will retrieve file enumeration, registry, and clipboard data and will contain some words in the Russian language. While the explanation for this overlap is not yet confirmed, it does indicate that the groups may have a shared tool set or use the services of the same developers.

Technical analysis

• Palo Alto mapped various attack stages to the MITRE ATT&CK framework. For initial access, the ransomware operators will typically use stolen RDP credentials, exploit the ProxyShell vulnerability, target VPN providers, or use other previously reported techniques like deploying web shells. For credential dumping, the group dumps the SAM registry hive to a temp file.
• Moving through the attack chain to persistence, BianLian drops their backdoor DLL component and executes it via a scheduled task that was created by Impacket. The scheduled task will periodically execute the backdoor DLL.
• The operation leverages the same Advanced Port Scanner file that the Makop ransomware operation leverages for reconnaissance. BianLian will then use two main components for the final payloads — an encryptor and a backdoor — before dropping its ransom note. The backdoor functions more like a loader than a traditional backdoor and is responsible for downloading and executing additional payloads.
• A decryptor was released for BianLian’s encryptor in early 2023. This forced the group to stop most of its encryption activity and is the primary reason for its pivot to extortion without encryption.

Analyst comments from Tanium’s Cyber Threat Intelligence team

BianLian is not nearly as talked about as ransomware operations like LockBit or BlackCat but is still a prominent threat.

The operation has remained consistent since their emergence and reacted quickly to a decryptor being released, changing the entire structure of their operation in response.

Aside from their adaptability, the potential overlap with another ransomware operation — though unconfirmed — is something to keep an eye on.

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.