Summary
- The Trend Micro Managed Detection and Response (MDR) team analyzed an incident wherein an attacker used social engineering via a Microsoft Teams call to impersonate a user’s client and gain remote access to their system.
- The attacker failed to install a Microsoft Remote Support application but successfully instructed the victim to download AnyDesk, a tool commonly used for remote access.
- After gaining access to the machine, the attacker dropped multiple suspicious files. One of the suspicious files was detected as Trojan.AutoIt.DARKGATE.D.
- A series of commands executed by Autoit3.exe led to a connection to a potential command-and-control server and the subsequent download of a malicious payload.
- Persistent files and a registry entry were created on the victim’s machine, though the attack was ultimately thwarted before exfiltration occurred.
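The chain summarised above (remote-access tool installed, Autoit3.exe launched, outbound connection, Run-key persistence) is the kind of sequence a defender would correlate rather than alert on piece by piece, since AnyDesk on its own is often legitimate. The script below is an added illustration, not Trend Micro's code or anything taken from the incident: it runs a stage-based correlation over a handful of constructed Sysmon-style events. Host names, file paths, the destination address and the registry value name are invented for the example.

```python
"""Correlate a remote-tool -> AutoIt -> C2 -> persistence chain per host.

Added example; the events below are constructed, not incident telemetry.
Event ids loosely follow Sysmon: 1 = process create, 3 = network connect,
13 = registry value set.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (paths, address and key name are assumptions).
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2024-10-01T09:00:00", "id": 1,
     "image": r"C:\Users\u\Downloads\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "AnyDesk.exe"},
    {"host": "ws01", "ts": "2024-10-01T09:12:00", "id": 1,
     "image": r"C:\Users\u\AppData\Roaming\Autoit3.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "Autoit3.exe script.a3x"},
    {"host": "ws01", "ts": "2024-10-01T09:12:05", "id": 3,
     "image": r"C:\Users\u\AppData\Roaming\Autoit3.exe", "dest": "203.0.113.10:443"},
    {"host": "ws01", "ts": "2024-10-01T09:13:00", "id": 13,
     "image": r"C:\Users\u\AppData\Roaming\Autoit3.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # A second host where AnyDesk ran with nothing suspicious afterwards.
    {"host": "ws02", "ts": "2024-10-01T10:00:00", "id": 1,
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "AnyDesk.exe"},
]

STAGES = ("remote_tool", "autoit_exec", "autoit_network", "run_key_persistence")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events, window=timedelta(hours=2)):
    """Return {host: [matched stages]} for hosts where AnyDesk was seen.

    The AnyDesk process-create event anchors the window; later Autoit3.exe
    activity inside that window is attributed to the same chain.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])  # ISO timestamps sort as strings
        matched, anchor = [], None
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            img = basename(e.get("image", ""))
            if e["id"] == 1 and img == "anydesk.exe" and anchor is None:
                anchor = t
                matched.append("remote_tool")
                continue
            if anchor is None or t - anchor > window or img != "autoit3.exe":
                continue
            if e["id"] == 1:
                stage = "autoit_exec"
            elif e["id"] == 3:
                stage = "autoit_network"
            elif e["id"] == 13 and "\\currentversion\\run\\" in e.get("key", "").lower():
                stage = "run_key_persistence"
            else:
                continue
            if stage not in matched:
                matched.append(stage)
        if matched:
            findings[host] = matched
    return findings


def severity(stages):
    """Escalate only once AutoIt activity follows the remote-access tool."""
    if "run_key_persistence" in stages or "autoit_network" in stages:
        return "high"
    if "autoit_exec" in stages:
        return "medium"
    return "info"


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, severity(stages), " -> ".join(stages))
```

The two-hour window and the Run-key check are deliberately simple; in a real deployment the anchor would be any interactive remote-access tool rather than AnyDesk alone, and the AutoIt stages would be matched on the interpreter's hash or signer rather than on the file name, which the attacker controls.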