DarkGate: a dangerous Trojan hides in Excel files

Carding Forum

Professional
QakBot's successor now attacks users through Samba servers.

Specialists of Palo Alto Networks Unit 42 discovered the DarkGate campaign, which uses Samba file resources to distribute the Trojan. Activity was observed in March and April 2024, when DarkGate used public Samba servers hosting VBS and JavaScript files. The attacks targeted users in North America, Europe, and Asia.

The DarkGate malware, which first appeared in 2018, operates on the MaaS model for a limited number of clients. DarkGate has features for remote management of infected hosts, code execution, cryptocurrency mining, Reverse Shell launch, and delivery of additional payloads. In recent months, attacks using DarkGate have increased significantly after an international operation in which law enforcement agencies eliminated the QakBot infrastructure in August 2023.


DarkGate Infection Chain

The detected DarkGate campaign starts by sending Microsoft Excel (.xlsx) files via email, which, when opened, prompt the user to click the "Open" button. After clicking the button, the VBS code hosted on Samba is executed. The VBS code loads a PowerShell script from the C2 server, which eventually loads the DarkGate package based on AutoHotkey. Alternative scripts use JavaScript instead of VBS to load and execute a subsequent PowerShell script.


The Excel document prompts the victim to click the "Open" button to execute the script

One of DarkGate's anti-analysis methods is to identify the target system's CPU. The Trojan checks whether it is running in a virtual environment or on a physical host. This check lets it stop running to avoid analysis in a controlled environment. The malware also examines running processes on the host to detect reverse engineering tools, debuggers, or virtualization programs.

In addition to checking CPU information, DarkGate also scans the system for a variety of other anti-malware programs. By detecting installed security software, DarkGate can avoid triggering detection mechanisms or even disable them to avoid further analysis.

Command and control (C2) traffic uses unencrypted HTTP requests, but the data is obfuscated and presented as Base64-encoded text. Experts stressed that DarkGate continues to evolve and improve methods of penetration and resistance to analysis, remaining a loud reminder of the need for reliable and proactive cybersecurity protection.

Source
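The delivery chain described in the post (an Excel attachment, a script host running a .vbs/.js from a Samba share, then PowerShell) is visible in endpoint process-creation telemetry. The following is an added example, not code from the original post or from Unit 42: it walks a list of constructed process events, flags a script host spawned by an Office application with a UNC path argument, and records any PowerShell child. The `ProcEvent` shape, the sample events and the address 203.0.113.5 are all constructed for the example.

```python
"""Added example (not from the original post or Unit 42): flag the
Office -> wscript/cscript (UNC .vbs/.js) -> PowerShell chain in constructed
process-creation events."""
import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# A UNC path (\\host\share\...) ending in .vbs or .js, as it appears on a command line
UNC_SCRIPT = re.compile(r'\\\\[^\s\\"]+\\[^\s"]+\.(?:vbs|js)\b', re.IGNORECASE)


@dataclass
class ProcEvent:  # constructed minimal shape of a process-creation record
    pid: int
    ppid: int
    image: str      # base name of the executable
    cmdline: str


def find_samba_script_chains(events):
    """Return one finding per script host that an Office app spawned with a
    remote (UNC) .vbs/.js argument; list any PowerShell children it started."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if ev.image.lower() not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or parent.image.lower() not in OFFICE_APPS:
            continue
        match = UNC_SCRIPT.search(ev.cmdline)
        if not match:
            continue  # local script: same parent/child pair, but not the remote-share pattern
        ps_children = [c.pid for c in events
                       if c.ppid == ev.pid and c.image.lower() in POWERSHELL]
        findings.append({
            "office_pid": parent.pid,
            "script_host_pid": ev.pid,
            "script_path": match.group(0),
            "powershell_pids": ps_children,
            "severity": "high" if ps_children else "medium",
        })
    return findings


# Constructed sample telemetry. The first three events mirror the chain in the
# article; the rest are benign look-alikes that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, "EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" C:\Users\alice\Downloads\invoice.xlsx'),
    ProcEvent(1010, 1000, "wscript.exe", r'wscript.exe "\\203.0.113.5\share\invoice.vbs"'),
    ProcEvent(1020, 1010, "powershell.exe", r'powershell.exe -NoProfile -Command "<placeholder>"'),
    # benign: local helper script launched from Excel, no UNC path
    ProcEvent(2000, 900, "EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" C:\Users\alice\report.xlsx'),
    ProcEvent(2010, 2000, "wscript.exe", r'wscript.exe C:\Users\alice\tools\format.vbs'),
    # benign: logon script from a file server, parent is Explorer rather than Office
    ProcEvent(3000, 900, "explorer.exe", "explorer.exe"),
    ProcEvent(3010, 3000, "wscript.exe", r'wscript.exe \\fileserver\netlogon\logon.vbs'),
]

if __name__ == "__main__":
    for finding in find_samba_script_chains(SAMPLE_EVENTS):
        print(finding)
```

The parent check is what keeps the rule quiet on ordinary logon scripts served from a file share; the UNC check is what separates the article's remote-share delivery from a locally saved macro helper.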
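The post also notes that the C2 traffic is plain HTTP carrying obfuscated data presented as Base64 text. A proxy or IDS log lets a defender score that pattern: a Base64 body over unencrypted HTTP that decodes to something other than readable text. The block below is an added example, not code from the original post or from Unit 42; the request records, the hostnames and the "opaque" payload (a byte ramp used only as a stand-in for obfuscated data) are constructed.

```python
"""Added example (not from the original post or Unit 42): heuristic for
plain-HTTP POST bodies that are Base64 and decode to non-readable bytes."""
import base64
import binascii
import re
import string

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable.encode())


def decoded_printable_ratio(body: str):
    """Fraction of printable bytes after Base64 decoding, or None if the body
    is not a single Base64 token (too short, bad alphabet, bad length)."""
    body = body.strip()
    if len(body) < 32 or len(body) % 4 or not B64_TOKEN.match(body):
        return None
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    return sum(b in PRINTABLE for b in raw) / len(raw)


def flag_obfuscated_http(requests, max_ratio=0.6):
    """Flag unencrypted HTTP POSTs whose Base64 body decodes mostly to
    non-printable bytes; TLS requests are skipped because their bodies are
    not visible to a passive sensor."""
    findings = []
    for r in requests:
        if r["scheme"] != "http" or r["method"] != "POST":
            continue
        ratio = decoded_printable_ratio(r["body"])
        if ratio is not None and ratio < max_ratio:
            findings.append({"host": r["host"], "path": r["path"],
                             "printable_ratio": round(ratio, 2)})
    return findings


# Constructed sample records. _OPAQUE stands in for obfuscated C2 data;
# _TEXTY is Base64 of ordinary JSON, which a legitimate API might send.
_OPAQUE = base64.b64encode(bytes(range(256)) * 2).decode()
_TEXTY = base64.b64encode(b'{"status":"ok","uptime":1234}').decode()
SAMPLE_REQUESTS = [
    {"scheme": "http", "method": "POST", "host": "203.0.113.10", "path": "/", "body": _OPAQUE},
    {"scheme": "http", "method": "POST", "host": "intranet.example", "path": "/api/ping", "body": _TEXTY},
    {"scheme": "http", "method": "POST", "host": "intranet.example", "path": "/login",
     "body": "user=alice&action=login"},
    {"scheme": "https", "method": "POST", "host": "203.0.113.10", "path": "/", "body": _OPAQUE},
]

if __name__ == "__main__":
    for finding in flag_obfuscated_http(SAMPLE_REQUESTS):
        print(finding)
```

Base64 alone is not a signal, since plenty of legitimate APIs encode JSON or tokens that way; the printable-ratio test on the decoded bytes is what distinguishes encoded text from encoded ciphertext or packed data, and the threshold is a tuning knob rather than a fixed rule.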
 
New DarkGate: a test for antivirus software
SonicWall specialists have discovered a new wave of phishing attacks spreading DarkGate malware. Attackers use PDF files disguised as invoices to infect victims' computers.

The campaign is aimed at spreading the DarkGate RAT Trojan, which has been actively used since 2018 and is distributed using the MaaS (Malware-as-a-Service) model. The new version of DarkGate 6.6 has many dangerous features, such as bypassing virtual machines, antivirus programs, delaying execution and spoofing processes, which makes the version extremely difficult to detect and eliminate.

In the campaign under consideration, the malicious PDF file looks like an invoice dated June 26, 2024 and contains a download button that redirects the victim to a compromised site to download the malicious VBScript file.

VBScript is very confusing: the names of functions and variables are encrypted, and long comments make it difficult to read the code. The malware stores compressed data in comments at the end of VBScript and extracts it using regular expressions. The Trojan then runs the compiled AutoIt3 (AU3) script, which executes further commands to load DarkGate.

The malware starts its work by initializing version "6.6" and loading the necessary DLLs. Then DarkGate initializes the encryption keys for further work with the data. Keys are generated based on unique system identifiers (Product ID and processor name).

DarkGate also uses sophisticated methods to bypass antivirus software. Malware checks for the presence of more than 20 popular antivirus programs and changes its behavior depending on the detected security measures. If a specific antivirus program is detected on the system, DarkGate sets the appropriate flags and adapts to bypass the protection.

If a test environment is detected, for example if the file "c:\temp\test.txt" exists, the malware automatically terminates, which can also be used to prevent infection.

In addition, DarkGate collects and sends a lot of data from the infected machine to the command server, such as the active window, system uptime, administrator status, and DarkGate version. Communication with the C2 server is performed via HTTP or HTTPS, depending on the settings.

To prevent detection and analysis, DarkGate uses various methods of encryption and obfuscation of the code, which makes it extremely difficult to analyze and eliminate. The malware supports executing more than 65 different commands, including launching additional malware, collecting data, and executing attacks on the victim's system.

One of the commands also extracts the ransom note and delivers the ransomware payload. The note is placed in the "C:\temp" directory, and the ransomware binary is then run.

Users should be extremely careful with the files they receive via email and always verify the authenticity of the sources to avoid infection. Cybersecurity specialists continue to work on detecting and neutralizing such threats.

• Source: https://blog.sonicwall.com/en-us/20...e-into-thwarting-the-latest-darkgate-variant/
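The post describes a VBScript that hides compressed data in comment lines at the end of the file and pulls it back out with regular expressions. A mail gateway or sandbox can triage for that shape cheaply: measure how much of the file is a trailing comment block and whether that block looks like encoded data rather than prose. The block below is an added example, not code from the original post or from SonicWall; both sample scripts are constructed, and the "payload" is a SHA-256 chain standing in for compressed data.

```python
"""Added example (not from the original post or SonicWall): triage a .vbs by
the size and entropy of the comment block at the end of the file."""
import base64
import hashlib
import math
from collections import Counter


def shannon_entropy(text: str) -> float:
    """Bits per character. English prose sits near 4; Base64 of compressed or
    encrypted data approaches the 6-bit maximum of a 64-symbol alphabet."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def _is_comment(line: str) -> bool:
    s = line.strip().lower()
    return s.startswith("'") or s == "rem" or s.startswith("rem ")


def trailing_comment_payload(script: str) -> str:
    """Join the run of comment lines at the end of the script (blank lines are
    skipped), with the ' or Rem marker stripped from each line."""
    chunks = []
    for line in reversed(script.splitlines()):
        if not line.strip():
            continue
        if not _is_comment(line):
            break
        s = line.strip()
        chunks.append(s[1:].strip() if s.startswith("'") else s[3:].strip())
    return "".join(reversed(chunks))


def triage_vbs(script: str, min_fraction=0.5, min_entropy=5.0, min_len=1024) -> dict:
    """Suspicious when a large, high-entropy comment block dominates the file."""
    payload = trailing_comment_payload(script)
    fraction = len(payload) / max(len(script), 1)
    entropy = shannon_entropy(payload)
    return {
        "trailing_comment_chars": len(payload),
        "fraction_of_file": round(fraction, 2),
        "entropy": round(entropy, 2),
        "suspicious": len(payload) >= min_len and fraction >= min_fraction and entropy >= min_entropy,
    }


def _constructed_blob(n_bytes: int) -> str:
    """Deterministic stand-in for compressed data (SHA-256 chain), Base64-encoded."""
    out, seed = bytearray(), b"constructed example"
    while len(out) < n_bytes:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return base64.b64encode(bytes(out[:n_bytes])).decode()


# Constructed samples: a tiny script followed by ~4000 chars of encoded comment
# lines, and a short benign script with ordinary comments.
_BLOB = _constructed_blob(3000)
SUSPICIOUS_VBS = "Dim x\nx = 1\n' helper\nWScript.Echo x\n" + "\n".join(
    "' " + _BLOB[i:i + 76] for i in range(0, len(_BLOB), 76)) + "\n"

BENIGN_VBS = """' Constructed benign script
' Prints the host name
Set net = CreateObject("WScript.Network")
WScript.Echo net.ComputerName
' end of script
"""

if __name__ == "__main__":
    print("suspicious sample:", triage_vbs(SUSPICIOUS_VBS))
    print("benign sample:   ", triage_vbs(BENIGN_VBS))
```

The three thresholds are deliberately conservative so that a long licence header or a commented-out block of code does not trip the rule; a real comment block is prose-like text with entropy well under 5 bits per character and rarely makes up half the file.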