DarkGate 6.0: Updated RAT Breaks through Cyber defense using AutoHotkey

Tomcat

Vulnerabilities in Microsoft software have become a loophole for a new version of the Trojan.

The DarkGate malware distributed under the MaaS (Malware-as-a-Service) model has changed the method of delivering final stages, moving from AutoIt scripts to the AutoHotkey mechanism. This shift underscores the desire of cybercriminals to constantly stay ahead of threat detection systems.

Observations showed that updates appeared in DarkGate version 6, released in March 2024 by a developer named RastaFarEye. The program is actively sold by subscription and is used by approximately 30 customers.

The DarkGate malware has been known since 2018 and is a full-featured remote access Trojan (RAT) equipped with C2 and rootkit capabilities. The program includes modules for credential theft, keylogging, screen capture, and remote desktop.

"DarkGate campaigns adapt quickly, modifying various components to avoid detection by security systems," Trellix researchers noted in their analysis. "This is the first time we've seen AutoHotkey used to run DarkGate."

The transition to AutoHotkey was first documented by McAfee Labs at the end of April 2024. Attacks exploit vulnerabilities such as CVE-2023-36025 and CVE-2024-21412 to bypass Microsoft Defender SmartScreen protection by using Microsoft Excel or HTML attachments in phishing emails.

Alternative methods use Excel files with embedded macros to execute a Visual Basic Script that calls PowerShell commands that eventually run the AutoHotkey script. This script loads and decodes the DarkGate payload from a text file.

The new version of DarkGate includes significant improvements to the configuration, evasion techniques, and available commands. It now supports audio recording, mouse and keyboard controls.

"Version 6 not only added new commands but also removed some features of the previous versions, such as privilege escalation, cryptomining, and hidden virtual network computing (hVNC)," Trellix added, suggesting that this may have been done to reduce features that can trigger detection.

It is also worth noting that DarkGate is sold to a limited number of customers, which may have influenced RastaFarEye's decision to remove some features.

Thus, the recent change in DarkGate's functionality demonstrates the malware authors' desire to innovate and increase the effectiveness of their attacks, emphasizing the need for constant monitoring and rapid response from the cybersecurity industry to protect against new sophisticated threats.
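The delivery chain described in the post (Excel macro, Visual Basic Script host, PowerShell, then the AutoHotkey interpreter) is one an endpoint detection can key on through process ancestry. The following is an added example, not code from the post or from Trellix, that walks a constructed set of process-creation records and flags any process whose ancestry matches the chain in order; the log line format, PIDs, paths and the AutoHotkey binary names are assumptions made for the demo.

```python
import re
# Constructed, simplified process-creation records (pid, parent pid, image path).
SAMPLE_EVENTS = """
pid=1000 ppid=1 image=C:\\Windows\\explorer.exe
pid=2000 ppid=1000 image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE
pid=2100 ppid=2000 image=C:\\Windows\\System32\\wscript.exe
pid=2200 ppid=2100 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
pid=2300 ppid=2200 image=C:\\Users\\victim\\AppData\\Roaming\\AutoHotkey.exe
pid=3100 ppid=1000 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
"""
# Chain stages, root-first; each stage is a set of image basenames (AHK names are assumptions).
CHAIN = [
    {"excel.exe"},                                   # Office lure document
    {"wscript.exe", "cscript.exe"},                  # Visual Basic Script host
    {"powershell.exe", "pwsh.exe"},                  # PowerShell stage
    {"autohotkey.exe", "autohotkeyu64.exe", "autohotkeyu32.exe"},
]
LINE_RE = re.compile(r"pid=(\d+)\s+ppid=(\d+)\s+image=(.+)$")

def parse_events(text):
    """Return {pid: (ppid, image basename lower-cased)} from the constructed log text."""
    procs = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            procs[int(m[1])] = (int(m[2]), m[3].rsplit("\\", 1)[-1].lower())
    return procs

def lineage(procs, pid):
    """Image basenames from the root ancestor down to pid (stops on unknown parent or cycle)."""
    names, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid, name = procs[pid]          # move to the parent, record this image
        names.append(name)
    return names[::-1]

def matches_chain(names, chain=CHAIN):
    """True if every stage appears in order in names; gaps between stages are allowed."""
    stage = 0
    for name in names:
        if stage < len(chain) and name in chain[stage]:
            stage += 1
    return stage == len(chain)

def find_suspicious(text, chain=CHAIN):
    """PIDs whose process ancestry matches the full Excel -> VBS -> PowerShell -> AHK chain."""
    procs = parse_events(text)
    return sorted(pid for pid in procs if matches_chain(lineage(procs, pid), chain))
```

Only the AutoHotkey process spawned down the full chain (PID 2300) is flagged; the PowerShell launched directly from explorer.exe is not, so benign administrative PowerShell use does not fire the rule.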