After the FBI successfully shut down the Qakbot infrastructure in August 2023, a stark increase in the use of the DarkGate loader has been observed by security analysts at EclecticIQ. The research suggests that DarkGate is mainly being utilized by financially motivated groups like TA577, Ducktail, and RaaS operators such as BianLian and Black Basta. These groups are predominantly targeting European and American financial institutions, employing double extortion ransomware attacks to maximize their profits.
The modus operandi of these cybercriminals involves exploiting legitimate services like Google’s DoubleClick advertising network and cloud storage to deceive victims into downloading the DarkGate malware. This approach allows the attackers to surreptitiously gain access to the victims’ devices and pilfer their sensitive data remotely.
A significant development in the proliferation of DarkGate is attributed to a cybercriminal known as RastaFarEye. On June 16, 2023, RastaFarEye advertised the DarkGate Malware-as-a-Service (MaaS) on various online forums. This service equips hackers with the tools required to take control of victims’ devices and pilfer their data from a remote location. This dissemination of DarkGate on various forums signifies the expanding reach and influence of cybercriminal networks.
Security researchers at EclecticIQ have concluded that the primary targets of the DarkGate malware are financial institutions. For instance, a phishing attempt targeted Bank Deutsches Kraftfahrzeuggewerbe (BDK), the second-largest independent bank in Germany’s automotive sector. The attackers employed a malicious PDF attachment, tailored to the automotive industry, in an attempt to trick the bank’s employees. The phishing site redirected victims to a website that served DarkGate concealed within a ZIP archive, a typical tactic used to evade security controls.
In light of these developments, security experts are recommending several measures to protect against DarkGate and similar threats. They suggest monitoring for suspicious activity in which wscript.exe or cscript.exe runs .vbs files from temporary folders. Detection content such as the SIGMA rule “Suspicious Script Execution from Temp Folder” or an equivalent Elasticsearch KQL query can be used to surface this behaviour. It is also advised to monitor network traffic for unusual patterns, including suspicious domain redirects and downloads of .CAB files.
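The script-host detection described above, implemented as an added example (not code from EclecticIQ or from the SIGMA rule itself). It runs over constructed, Sysmon-style process-creation events and flags wscript.exe or cscript.exe launching a .vbs file from a temp location, handling quoted paths and mixed case; the event fields and sample paths are assumptions.

```python
import re
from typing import Iterable

# Constructed process-creation events (Sysmon Event ID 1 style), not real
# telemetry; only Image and CommandLine are used by the check below.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\invoice.vbs"'},
    {"Image": r"C:\Windows\SysWOW64\cscript.exe",
     "CommandLine": r"cscript.exe //B C:\WINDOWS\TEMP\update.VBS"},
    # Benign: script host, but the .vbs is not in a temp folder
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon.vbs"'},
    # Benign: temp-folder .vbs mentioned, but the process is not a script host
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\Users\alice\AppData\Local\Temp\a.vbs ."},
    # Benign: script host in temp folder, but the argument is not a .vbs
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\notes.txt"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# A .vbs argument under a typical temp location. Works for quoted and
# unquoted paths; IGNORECASE covers TEMP/Temp and .VBS/.vbs variants.
TEMP_VBS_RE = re.compile(
    r'(?:\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TEMP%\\|%TMP%\\)[^"\s]*\.vbs\b',
    re.IGNORECASE,
)


def is_suspicious(event: dict) -> bool:
    """True when a Windows script host runs a .vbs file from a temp folder."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return False
    return TEMP_VBS_RE.search(event.get("CommandLine", "")) is not None


def find_suspicious(events: Iterable[dict]) -> list[str]:
    """Return the command lines of all events matching the detection."""
    return [e["CommandLine"] for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", hit)
```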
In conclusion, the rise in the usage of DarkGate and its exploitation by financially motivated cybercriminal groups is a cause for concern. Financial institutions and individuals alike must remain vigilant and implement robust security measures to safeguard against the threat posed by DarkGate and similar malware. Staying updated on cybersecurity news and following best practices in cybersecurity defense are vital for mitigating the risks associated with such advanced cyber threats.