Monday, December 9, 2024
HomeCyber Security NewsDarkGate Malware-as-a-Service Evolved as Complete Toolkit

DarkGate Malware-as-a-Service Evolved as Complete Toolkit

Published on

SIEM as a Service

DarkGate is a complete toolkit, first discovered in 2018, that provides attackers with extensive capabilities to access target systems completely.

On underground cybercrime forums, an actor known as RastaFarEye develops and sells the software as Malware-as-a-Service (MaaS).

The malware is offered through a subscription-based approach that costs up to $15,000 per month, justified by the fact that the malware has been developed continuously since 2017.

- Advertisement - SIEM as a Service

The features of DarkGate include information-stealing capabilities, privilege escalation, keylogging, a Hidden Virtual Network Computing (HVNC) module, and the ability to download and execute files to memory.

Document
Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

All of these traits attracted the interest of cybercriminals, who began to acquire the tool and compromise the systems of businesses and people all over the world.

Figure 6: Overview of the DarkGate v4 multistage infection chain. The initial vector is either a remote VBS script or local MSI file. The VBS method retrieves an AutoIT binary and second stage payload remotely. Meanwhile, the MSI file directly drops the embedded payload. Both vectors ultimately execute an AutoIT script to launch the next loader stage, culminating in DarkGate v4 installation.
Overview of the DarkGate v4 multistage infection chain

An Attack Utilizing an Emerging Malware Family – DarkGate

An attack utilizing an emerging malware family called DarkGate was successfully discovered and stopped by the Trellix Security Operations Center (SOC) on September 20, 2023, against Musaruba, the holding company for Trellix and Skyhigh Security.

The attacker sent a Teams message with a link to a group of employees while posing as a senior executive of Musaruba. The link opened a ZIP file hosted within SharePoint, but only the employees who got the mail could view it, presumably to keep researchers from analyzing it. 

 “This ZIP compressed file contained five Windows shortcut or LNK files trying to masquerade a PDF file using the double extension method, “.pdf.lnk”. Also, these files used a deceptive PDF icon to lure unsuspecting users into executing the file”, Trellix said in a report shared with Cyber Security News.

These files included a Windows Batch script that uses the Windows Script Host’s “CScript.exe” program to run the VBS script once it has been retrieved from a remote server using the Windows’s “curl” utility.

The Continued Evolution of the DarkGate Malware-as-a-Service

DarkGate version 4 was launched in June, which included sophisticated evasion tactics, command and control capabilities, and a variety of modules for credential theft, keylogging, screen recording, and other functions.

Figure 6: Overview of the DarkGate v4 multistage infection chain. The initial vector is either a remote VBS script or local MSI file. The VBS method retrieves an AutoIT binary and second stage payload remotely. Meanwhile, the MSI file directly drops the embedded payload. Both vectors ultimately execute an AutoIT script to launch the next loader stage, culminating in DarkGate v4 installation.
Overview of the DarkGate v4 multistage infection chain

A new execution chain utilizing DLL side-loading and improved shellcodes and loaders is introduced in DarkGate version 5. It does, however, still include some version 4 functionality, such as AutoIT scripts and the first phases of VBS/MSI.

Figure 14 Overview of the DarkGate v5 multistage installation chain. The VBS method retrieves an AutoIT binary and second stage payload remotely. Meanwhile, the MSI executable drops a legit application and the DLL that will be side-loaded, which will execute a shellcode to download and execute the second stage payload.
Overview of the DarkGate v5 multistage installation chain

It was previously reported that only 10 people were able to get the tool due to its limited release. Now that this number has increased to 30, DarkGate is considered a limited MaaS in comparison to previous versions.

Despite its limited client base, it is imperative to emphasize the seriousness of the cyber threat.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...