Thursday, June 20, 2024

DarkGate Malware-as-a-Service Evolved as Complete Toolkit

DarkGate is a complete toolkit, first discovered in 2018, that provides attackers with extensive capabilities to access target systems completely.

On underground cybercrime forums, an actor known as RastaFarEye develops and sells the software as Malware-as-a-Service (MaaS).

The malware is offered through a subscription-based approach that costs up to $15,000 per month, justified by the fact that the malware has been developed continuously since 2017.

The features of DarkGate include information-stealing capabilities, privilege escalation, keylogging, a Hidden Virtual Network Computing (HVNC) module, and the ability to download and execute files to memory.

Document
Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

All of these traits attracted the interest of cybercriminals, who began to acquire the tool and compromise the systems of businesses and people all over the world.

Figure 6: Overview of the DarkGate v4 multistage infection chain. The initial vector is either a remote VBS script or local MSI file. The VBS method retrieves an AutoIT binary and second stage payload remotely. Meanwhile, the MSI file directly drops the embedded payload. Both vectors ultimately execute an AutoIT script to launch the next loader stage, culminating in DarkGate v4 installation.
Overview of the DarkGate v4 multistage infection chain

An Attack Utilizing an Emerging Malware Family – DarkGate

An attack utilizing an emerging malware family called DarkGate was successfully discovered and stopped by the Trellix Security Operations Center (SOC) on September 20, 2023, against Musaruba, the holding company for Trellix and Skyhigh Security.

The attacker sent a Teams message with a link to a group of employees while posing as a senior executive of Musaruba. The link opened a ZIP file hosted within SharePoint, but only the employees who got the mail could view it, presumably to keep researchers from analyzing it. 

 “This ZIP compressed file contained five Windows shortcut or LNK files trying to masquerade a PDF file using the double extension method, “.pdf.lnk”. Also, these files used a deceptive PDF icon to lure unsuspecting users into executing the file”, Trellix said in a report shared with Cyber Security News.

These files included a Windows Batch script that uses the Windows Script Host’s “CScript.exe” program to run the VBS script once it has been retrieved from a remote server using the Windows’s “curl” utility.

The Continued Evolution of the DarkGate Malware-as-a-Service

DarkGate version 4 was launched in June, which included sophisticated evasion tactics, command and control capabilities, and a variety of modules for credential theft, keylogging, screen recording, and other functions.

Figure 6: Overview of the DarkGate v4 multistage infection chain. The initial vector is either a remote VBS script or local MSI file. The VBS method retrieves an AutoIT binary and second stage payload remotely. Meanwhile, the MSI file directly drops the embedded payload. Both vectors ultimately execute an AutoIT script to launch the next loader stage, culminating in DarkGate v4 installation.
Overview of the DarkGate v4 multistage infection chain

A new execution chain utilizing DLL side-loading and improved shellcodes and loaders is introduced in DarkGate version 5. It does, however, still include some version 4 functionality, such as AutoIT scripts and the first phases of VBS/MSI.

Figure 14 Overview of the DarkGate v5 multistage installation chain. The VBS method retrieves an AutoIT binary and second stage payload remotely. Meanwhile, the MSI executable drops a legit application and the DLL that will be side-loaded, which will execute a shellcode to download and execute the second stage payload.
Overview of the DarkGate v5 multistage installation chain

It was previously reported that only 10 people were able to get the tool due to its limited release. Now that this number has increased to 30, DarkGate is considered a limited MaaS in comparison to previous versions.

Despite its limited client base, it is imperative to emphasize the seriousness of the cyber threat.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Website

Latest articles

1inch partners with Blockaid to enhance Web3 security through the 1inch Shield

1inch, a leading DeFi aggregator that provides advanced security solutions to users across the...

Hackers Exploit Progressive Web Apps to Steal Passwords

In a concerning development for cybersecurity, hackers are increasingly leveraging Progressive Web Apps (PWAs)...

INE Security: Optimizing Teams for AI and Cybersecurity

2024 is rapidly shaping up to be a defining year in generative AI. While...

Threat Actor Claims Breach of Jollibee Fast-Food Gaint

A threat actor has claimed responsibility for breaching the systems of Jollibee Foods Corporation,...

Threat Actors Claiming Breach of Accenture Employee Data

Threat actors have claimed responsibility for a significant data breach involving Accenture, one of...

Diamorphine Rootkit Exploiting Linux Systems In The Wild

Threat actors exploit Linux systems because they are prevalent in organizations that host servers,...

Amtrak Data Breach: Hackers Accessed User’s Email Address

Amtrak notified its customers regarding a significant security breach involving its Amtrak Guest Rewards...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles