Saturday, March 2, 2024

DarkGate Malware-as-a-Service Evolved as Complete Toolkit

DarkGate is a complete toolkit, first discovered in 2018, that provides attackers with extensive capabilities to access target systems completely.

On underground cybercrime forums, an actor known as RastaFarEye develops and sells the software as Malware-as-a-Service (MaaS).

The malware is offered through a subscription-based approach that costs up to $15,000 per month, justified by the fact that the malware has been developed continuously since 2017.

The features of DarkGate include information-stealing capabilities, privilege escalation, keylogging, a Hidden Virtual Network Computing (HVNC) module, and the ability to download and execute files to memory.

Document
Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

All of these traits attracted the interest of cybercriminals, who began to acquire the tool and compromise the systems of businesses and people all over the world.

Figure 6: Overview of the DarkGate v4 multistage infection chain. The initial vector is either a remote VBS script or local MSI file. The VBS method retrieves an AutoIT binary and second stage payload remotely. Meanwhile, the MSI file directly drops the embedded payload. Both vectors ultimately execute an AutoIT script to launch the next loader stage, culminating in DarkGate v4 installation.
Overview of the DarkGate v4 multistage infection chain

An Attack Utilizing an Emerging Malware Family – DarkGate

An attack utilizing an emerging malware family called DarkGate was successfully discovered and stopped by the Trellix Security Operations Center (SOC) on September 20, 2023, against Musaruba, the holding company for Trellix and Skyhigh Security.

The attacker sent a Teams message with a link to a group of employees while posing as a senior executive of Musaruba. The link opened a ZIP file hosted within SharePoint, but only the employees who got the mail could view it, presumably to keep researchers from analyzing it. 

 “This ZIP compressed file contained five Windows shortcut or LNK files trying to masquerade a PDF file using the double extension method, “.pdf.lnk”. Also, these files used a deceptive PDF icon to lure unsuspecting users into executing the file”, Trellix said in a report shared with Cyber Security News.

These files included a Windows Batch script that uses the Windows Script Host’s “CScript.exe” program to run the VBS script once it has been retrieved from a remote server using the Windows’s “curl” utility.

The Continued Evolution of the DarkGate Malware-as-a-Service

DarkGate version 4 was launched in June, which included sophisticated evasion tactics, command and control capabilities, and a variety of modules for credential theft, keylogging, screen recording, and other functions.

Figure 6: Overview of the DarkGate v4 multistage infection chain. The initial vector is either a remote VBS script or local MSI file. The VBS method retrieves an AutoIT binary and second stage payload remotely. Meanwhile, the MSI file directly drops the embedded payload. Both vectors ultimately execute an AutoIT script to launch the next loader stage, culminating in DarkGate v4 installation.
Overview of the DarkGate v4 multistage infection chain

A new execution chain utilizing DLL side-loading and improved shellcodes and loaders is introduced in DarkGate version 5. It does, however, still include some version 4 functionality, such as AutoIT scripts and the first phases of VBS/MSI.

Figure 14 Overview of the DarkGate v5 multistage installation chain. The VBS method retrieves an AutoIT binary and second stage payload remotely. Meanwhile, the MSI executable drops a legit application and the DLL that will be side-loaded, which will execute a shellcode to download and execute the second stage payload.
Overview of the DarkGate v5 multistage installation chain

It was previously reported that only 10 people were able to get the tool due to its limited release. Now that this number has increased to 30, DarkGate is considered a limited MaaS in comparison to previous versions.

Despite its limited client base, it is imperative to emphasize the seriousness of the cyber threat.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Website

Latest articles

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...

CWE Version 4.14 Released: What’s New!

The Common Weakness Enumeration (CWE) project, a cornerstone in the cybersecurity landscape, has unveiled...

RisePro Stealer Attacks Windows Users Steals Sensitive Data

A new wave of cyber threats has emerged as the RisePro information stealer targets...

Golden Corral Restaurant Chain Hacked: 180,000+ Users’ Data Stolen

The Golden Corral Corporation, a popular American restaurant chain, has suffered a significant data...

CISA Warns Of Hackers Exploiting Multiple Flaws In Ivanti VPN

Threat actors target and abuse VPN flaws because VPNs are often used to secure...

BEAST AI Jailbreak Language Models Within 1 Minute With High Accuracy

Malicious hackers sometimes jailbreak language models (LMs) to exploit bugs in the systems so...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles