DarkGate Malware Activity Spikes as Developer Rents Out Malware to Affiliates

The Hacker News (thehackernews.com), Aug 29, 2023, 2:38 p.m.

A new malspam campaign has been observed deploying an off-the-shelf malware called DarkGate.

“The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates,” Telekom Security said in a report published last week.

The latest report builds on recent findings from security researcher Igal Lytzki, who detailed a “high volume campaign” that leverages hijacked email threads to trick recipients into downloading the malware.

The attack begins with a phishing URL that, when clicked, routes the victim through a traffic direction system (TDS) and on to an MSI payload only if certain conditions are met, one of them being the presence of a Refresh header in the HTTP response.

Opening the MSI file triggers a multi-stage process that incorporates an AutoIt script to execute shellcode that acts as a conduit to decrypt and launch DarkGate via a crypter (or loader).

Specifically, the loader is designed to parse the AutoIt script and extract the encrypted malware sample.

An alternate variation of the attacks has been observed using a Visual Basic Script in place of the MSI file; the script, in turn, uses cURL to retrieve the AutoIt executable and the script file. The exact method by which the VB Script is delivered is currently unknown.

DarkGate, sold mainly on underground forums by an actor named RastaFarEye, comes with capabilities to evade detection by security software, set up persistence using Windows Registry changes, escalate privileges, and steal data from web browsers and other software such as Discord and FileZilla.

It also establishes contact with a command-and-control (C2) server for enumerating files, data exfiltration, launching cryptocurrency miners, and remotely capturing screenshots as well as running other commands.

The malware is offered on a subscription basis at $1,000 per day, $15,000 per month, or $100,000 per year, with the author advertising it as the “ultimate tool for pentesters/redteamers” that has “features that you won’t find anywhere.” Interestingly, earlier versions of DarkGate also came fitted with a ransomware module.

Phishing attacks are a primary delivery pathway for stealers, trojans, and malware loaders such as KrakenKeylogger, QakBot, Raccoon Stealer, SmokeLoader, and others, with threat actors continuously adding new features and enhancements to expand their functionalities.

According to a recent report published by HP Wolf Security, email remained the top vector for delivering malware to endpoints, accounting for 79% of threats identified in Q2 2023.
