DarkGate, a Malware-as-a-Service (MaaS) platform, has seen a significant uptick in activity since September 2023, and is distributed through email attachments, malicious advertisements, and publicly accessible Samba file shares. What started as a manually operated command-and-control setup has grown into a multi-purpose tool offering remote access, cryptocurrency mining, and other malicious functionality.
The malware has been propagated across North America, Europe, and Asia, with operators using AutoIt or AutoHotkey scripts for the initial infection. In a notable campaign in March 2024, the attackers distributed Excel files disguised as legitimate documents; the campaign initially targeted North America and later expanded to Europe and Asia.
The attack chain tricks users into opening an Excel file that links to a publicly accessible Samba share hosting a VBS or JS script. That script downloads and runs a PowerShell script, which in turn fetches and executes the final AutoHotkey-based DarkGate payload. Along the way the actors rely on several evasion techniques: obfuscation, abuse of legitimate software (the AutoHotkey interpreter itself), and checks for installed anti-malware products, all intended to impede analysis and keep the infection alive.
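Each stage of that chain leaves a process-creation record that a SOC can correlate: Excel spawning a script host whose command line points at a UNC path, and PowerShell and AutoHotkey descending from it. The following detection logic is an added example, not code from Unit 42 or from the original article; the events, paths, the 198.51.100.10 share address and the stage names are constructed for illustration.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style
# (pid, parent pid, image path, command line). Not a real capture.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" "C:\Users\alice\Downloads\invoice.xlsx"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "\\198.51.100.10\share\invoice.vbs"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c <redacted>"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\Public\AutoHotkey.exe",
     "cmdline": r"AutoHotkey.exe C:\Users\Public\script.ahk"},
    # Benign: a script host started from Explorer with a local script.
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\scripts\logon.vbs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A UNC path (\\host\share\...) ending in .vbs or .js anywhere in the command line.
UNC_SCRIPT_RE = re.compile(r'\\\\[^\\\s"]+\\[^\s"]+\.(?:vbs|js)\b', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def descendants(events, pid):
    """All processes below pid in the parent/child tree (depth-first)."""
    found, stack = [], [pid]
    while stack:
        parent = stack.pop()
        for ev in events:
            if ev["ppid"] == parent:
                found.append(ev)
                stack.append(ev["pid"])
    return found


def find_darkgate_chains(events):
    """Flag script hosts spawned by Excel with a UNC-hosted VBS/JS, then record
    which later stages (PowerShell, AutoHotkey) appear beneath them."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        if basename(ev["image"]) not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None or basename(parent["image"]) != "excel.exe":
            continue
        match = UNC_SCRIPT_RE.search(ev["cmdline"])
        if not match:
            continue
        stages = ["excel->script-host", "unc-script:" + match.group(0)]
        for child in descendants(events, ev["pid"]):
            name = basename(child["image"])
            if name == "powershell.exe":
                stages.append("powershell")
            elif name.startswith("autohotkey"):
                stages.append("autohotkey")
        findings.append({"pid": ev["pid"], "stages": stages})
    return findings


if __name__ == "__main__":
    for finding in find_darkgate_chains(SAMPLE_EVENTS):
        print(finding)
```

The first two conditions (Excel as parent, UNC-hosted script) are enough to alert on; the later stages only raise the confidence. In a real deployment the event source would be Sysmon or an EDR, and the benign local-script case shows why the UNC requirement matters for the false-positive rate.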
DarkGate also includes anti-analysis mechanisms. It inspects the system's CPU to distinguish virtual machines from physical hosts and can halt execution inside an analysis sandbox. It further checks for a number of anti-malware products by looking for specific directory paths and filenames, so that it can tell which defences are present and attempt to avoid detection by them. This list of checks keeps growing as new versions adapt to changes in the security products they encounter.
An in-depth analysis of DarkGate samples revealed variation in the XOR keys the malware uses. One set of samples shared a campaign ID but used different XOR keys, while another set shared both the campaign ID and the C2 server yet still had distinct keys. Using many keys across samples slows reverse engineering and makes the operation more resilient, because a key recovered from one sample does not unlock the configuration of the next. The configuration is stored encrypted and decrypted at runtime with these keys, so an analyst has to recover the key for each sample before its campaign ID and C2 server can be read; Unit 42 did note recurring relationships between certain configuration values and campaign identifiers.
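The practical consequence is that configuration extraction has to be per sample. The block below is an added illustration, not DarkGate's actual decryption routine: it models the configuration as XOR-encrypted "name=value" fields, recovers a repeating XOR key from a known plaintext fragment (a crib), and shows that two samples with identical campaign ID and C2 server can still require different keys. The field names, key length, the two keys, the version string used as crib, and the 198.51.100.7 address are all assumptions made for the example.

```python
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, crib: bytes, offset: int, key_len: int):
    """Recover a repeating XOR key of length key_len from a known plaintext
    fragment (crib) that sits at a known offset. Returns None if the crib
    contradicts itself (wrong key length) or does not cover every key byte."""
    key = [None] * key_len
    for i, p in enumerate(crib):
        pos = (offset + i) % key_len
        k = ciphertext[offset + i] ^ p
        if key[pos] is None:
            key[pos] = k
        elif key[pos] != k:
            return None            # inconsistent: key_len is wrong
    if any(k is None for k in key):
        return None                # crib too short to cover the key
    return bytes(key)


def parse_config(plaintext: bytes) -> dict:
    """Split a decrypted blob of 'name=value' fields separated by 0x01."""
    fields = {}
    for item in plaintext.split(b"\x01"):
        if b"=" in item:
            name, value = item.split(b"=", 1)
            fields[name.decode()] = value.decode(errors="replace")
    return fields


# Assumed: every sample of this build starts its config with the same
# version field, which gives the analyst a crib at offset 0.
CRIB = b"version=6.1.7\x01"


def analyze_samples(samples: dict, crib: bytes = CRIB, key_len: int = 8) -> dict:
    """For each sample, recover its key, decrypt, and pull out the fields an
    analyst pivots on (campaign ID and C2 server)."""
    results = {}
    for name, blob in samples.items():
        key = recover_key(blob, crib, 0, key_len)
        if key is None:
            results[name] = {"key": None, "campaign": None, "c2": None}
            continue
        cfg = parse_config(xor_bytes(blob, key))
        results[name] = {"key": key.hex(), "campaign": cfg.get("campaign"), "c2": cfg.get("c2")}
    return results


# Constructed samples: one configuration encrypted under two different keys.
_CONFIG = b"version=6.1.7\x01c2=198.51.100.7\x01port=8080\x01campaign=ab12\x01"
SAMPLES = {
    "sample_a": xor_bytes(_CONFIG, b"K3y_A#rt"),
    "sample_b": xor_bytes(_CONFIG, b"x9Qz!mWq"),
}

if __name__ == "__main__":
    for name, info in analyze_samples(SAMPLES).items():
        print(name, info)
```

Applying sample A's key to sample B yields garbage even though both decrypt to the same campaign ID and C2 server, which is exactly the situation Unit 42 describes. The crib approach depends on the key length being known from the decryption routine; with the wrong length the recovery fails rather than returning a misleading key.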
DarkGate's C2 traffic consists of unencrypted HTTP POST requests whose bodies look like ordinary Base64 text but carry obfuscated data that needs further decoding before it is readable. Unit 42 investigated an infection on March 14, 2024 in which large amounts of Base64-encoded data were sent to a single domain, which suggests data exfiltration. While the ultimate goal of a DarkGate infection is not always clear, its use as a delivery vehicle for follow-on malware such as Danabot and reported ties to ransomware make it a serious threat.
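On the network side, the two things to look for are POST bodies that are pure Base64 text and unusually large volumes of such bodies going to one host. The following triage code is an added example, not Unit 42's tooling and not DarkGate's real encoding: it parses constructed raw HTTP POST requests, tallies Base64-looking body bytes per host, and decodes the bodies through a custom Base64 alphabet. The alphabet (a rotation of the standard one), the hostnames, the beacon fields and the volume threshold are all assumptions for illustration.

```python
import base64
import re
from collections import defaultdict

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Hypothetical custom alphabet: the standard one rotated by 13 positions.
# Constructed for this example; it is NOT DarkGate's alphabet.
CUSTOM_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]
B64_BODY_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def encode_custom_b64(data: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Standard Base64, then remap to the custom alphabet and drop padding."""
    std = base64.b64encode(data).decode().rstrip("=")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def decode_custom_b64(text: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Reverse of encode_custom_b64: remap to the standard alphabet, restore
    padding, decode."""
    std = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std)


def parse_request(raw: str) -> dict:
    """Minimal parser for a raw HTTP/1.1 request: method, path, host, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(": ")
        headers[name.lower()] = value
    return {"method": method, "path": path, "host": headers.get("host", ""), "body": body}


def triage(requests, alphabet: str = CUSTOM_ALPHABET, volume_threshold: int = 2048):
    """Return (decoded bodies per host, hosts whose Base64 POST volume exceeds
    the threshold). Only POSTs whose entire body is Base64-shaped count."""
    per_host = defaultdict(int)
    decoded = []
    for raw in requests:
        req = parse_request(raw)
        if req["method"] != "POST" or not B64_BODY_RE.fullmatch(req["body"]):
            continue
        per_host[req["host"]] += len(req["body"])
        decoded.append((req["host"], decode_custom_b64(req["body"], alphabet)))
    noisy = {host: n for host, n in per_host.items() if n >= volume_threshold}
    return decoded, noisy


# Constructed traffic: a small beacon, a large upload, and a benign login POST.
BEACON = b"id=7&cid=ab12&host=WS01&user=alice"
_HDR = "POST {path} HTTP/1.1\r\nHost: {host}\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
SAMPLE_REQUESTS = [
    _HDR.format(path="/index.php", host="c2.example.invalid") + encode_custom_b64(BEACON),
    _HDR.format(path="/index.php", host="c2.example.invalid") + encode_custom_b64(b"A" * 3000),
    _HDR.format(path="/api/login", host="intranet.example.invalid") + "user=alice&pass=hunter2",
]

if __name__ == "__main__":
    bodies, hosts = triage(SAMPLE_REQUESTS)
    for host, data in bodies:
        print(host, data[:40])
    print("high-volume hosts:", hosts)
```

The Base64 shape test is deliberately strict (the whole body must match), but a form body without "&" or "%" can still pass it, so the volume threshold and the host reputation carry the weight in practice. Decoding requires the sample's alphabet and any further layer (such as XOR with a per-sample key) to be recovered from the binary first; with the wrong alphabet the output is still opaque.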
DarkGate's continued evolution and its layered evasion techniques underline the need for robust defences. Organisations and individuals should stay vigilant, keep systems patched, and deploy security controls that can detect the delivery chain described above rather than relying on signatures for the final payload alone.
