In the ever-evolving world of cyber threats, the DarkGate malware has emerged as a significant player. With its sophisticated techniques and stealthy operations, it poses a considerable challenge to cybersecurity professionals. This article delves deep into the technical aspects of the DarkGate loader, its capabilities, and the potential implications for the cybersecurity landscape.
Origins and Initial Discovery
Telekom Security CTI recently highlighted a new malware campaign distributed via phishing emails. These emails cleverly used stolen email threads to lure unsuspecting users into clicking hyperlinks, leading to the malware’s download. Interestingly, there was a false attribution of one of the malware samples to Emotet, which turned out to be a false positive. However, this drew the attention of the security research community to this new campaign.
Upon initial analysis, the malware showed significant similarities to the DarkGate malware, particularly in its initial infection routine and C2 communication protocol. The malware’s functionality includes built-in evasion techniques and a configuration that aligns with other publications about DarkGate. The malware’s developer, who seems to be its sole creator, has been advertising DarkGate on various cybercrime forums. The recent spike in its activity suggests that the malware is now available for rent to a limited number of affiliates, indicating a potential increase in its threat in the coming months.
The infection chain observed by Telekom Security involved delivering the initial payload via an MSI installer file. Victims would receive this file by clicking on a link contained in a phishing message. This link would redirect the victim to the final payload URL for the MSI download, triggering the DarkGate infection. Another observed campaign delivered the initial payload as a Visual Basic script. This script, obfuscated with decoy code, would invoke the curl binary pre-installed in Windows to download the AutoIt executable and script file from an attacker-controlled server.
The MSI variant of the campaign had the initial payload self-contained, embedding all further payloads into the file. The VBS variant, on the other hand, contained garbage functions with the real infection code hidden in several strings. These strings were obfuscated, and after removing this layer, the script logic was easily decipherable.
AutoIt Script and Shellcode Analysis
The AutoIt script bundled with the malware was pre-compiled, and its decompiled version revealed its purpose: to execute a shellcode contained as a hex-encoded string. This shellcode embeds a PE file, aiming to load and execute this file.
DarkGate’s capabilities are vast and varied:
- Persistence: The malware can write a copy of itself to disk and create a registry run key for persistence.
- Privilege Escalation: It can elevate to SYSTEM privileges for tasks like deleting system restore points.
- Defense Evasion: The malware checks for multiple well-known AV products and may alter its behavior based on the results.
- Credential Access: DarkGate can steal passwords, cookies, and other confidential data from various programs.
- Discovery: It can query different data sources to obtain information about the operating system, user, running programs, etc.
- Collection: The malware can collect arbitrary files from the victim system upon request through the C2 channel.
The DarkGate malware, with its sophisticated techniques and stealthy operations, is a looming threat in the cybersecurity landscape. As cyber incident responders, it’s crucial to understand its mechanisms, stay updated on its developments, and implement robust defense strategies to mitigate its impact.