Pierluigi Paganini July 15, 2024

A Dark Gate malware campaign from March-April 2024 demonstrates how attackers exploit legitimate tools and services to distribute malware.

Palo Alto Networks Unit 42 researchers shared details about a DarkGate malware campaign from March-April 2024. Threat actors used Microsoft Excel files to download a malicious software package from public-facing SMB file shares.

The researchers pointed out that threat actors creatively abused legitimate tools and services to distribute their malware.

DarkGate RAT is written in Borland Delphi and is available in the cybercrime ecosystem as a malware-as-a-service (MaaS) model. The malware is considered a sophisticated threat and is continuously improved.

DarkGate has been active since at least 2018, it supports various features, including process injection, the download and execution file, information stealing, shell command execution, and keylogging abilities. The malicious payload also employs multiple evasion techniques.

Financially motivated threat actors employed the malware in attacks against organizations across North America, Europe, Asia, and Africa.

Unit 42 has observed a surge of DarkGate activity after the disruption of Qakbot infrastructure in August 2023.

In March 2024, DarkGate actors launched a campaign using Microsoft Excel files, initially targeting North America but gradually spreading to Europe and Asia. The activity peaked on April 9, 2024, with nearly 2,000 samples detected in one day.

Upon opening the .xlsx file, recipients are shown a template containing a linked object for the Open button.

When a user clicks the hyperlinked object for the Open button, it retrieves and runs content from a URL that points to a Samba/SMB share that is publicly accessible and hosts a VBS file.

The researchers have also seen attackers distributing JavaScript files from Samba shares

The EXCEL_OPEN_DOCUMENT.vbs file contains a large amount of junk code related to printer drivers, however it retrieves and runs a PowerShell script that downloads an AutoHotKey-based DarkGate package.

“Deobfuscated from test.txt and run from system memory, this final DarkGate binary is known for its complex mechanisms to avoid detection and malware analysis.” reads the report. “One of the anti-analysis techniques employed by DarkGate is identifying the CPU of the targeted system. This can reveal if the threat is running in a virtual environment or on a physical host, enabling DarkGate to cease operations to avoid being analyzed in a controlled environment.“

DarkGate also analyzes the processes running on the infected systems to check for the presence of analysis tools, or virtualization software.

DarkGate uses unencrypted HTTP requests to communicate with the C2 servers and data is obfuscated toresemble Base64-encoded text.

“Campaigns using this malware exhibit advanced infection techniques, leveraging both phishing strategies and approaches like exploiting publicly accessible Samba shares.” concludes the report that also includes Indicators of Compromise. “As DarkGate continues to evolve and refine its methods of infiltration and resistance to analysis, it remains a potent reminder of the need for robust and proactive cybersecurity defenses.“

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, malware)