DarkGate Malware-as-a-Service Evolved as Complete Toolkit

DarkGate is a complete toolkit, first discovered in 2018, that provides attackers with extensive capabilities to access target systems completely.

On underground cybercrime forums, an actor known as RastaFarEye develops and sells the software as Malware-as-a-Service (MaaS).

The malware is offered through a subscription-based approach that costs up to $15,000 per month, justified by the fact that the malware has been developed continuously since 2017.

The features of DarkGate include information-stealing capabilities, privilege escalation, keylogging, a Hidden Virtual Network Computing (HVNC) module, and the ability to download and execute files to memory.

Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Register for Free

All of these traits attracted the interest of cybercriminals, who began to acquire the tool and compromise the systems of businesses and people all over the world.

An Attack Utilizing an Emerging Malware Family – DarkGate

An attack utilizing an emerging malware family called DarkGate was successfully discovered and stopped by the Trellix Security Operations Center (SOC) on September 20, 2023, against Musaruba, the holding company for Trellix and Skyhigh Security.

The attacker sent a Teams message with a link to a group of employees while posing as a senior executive of Musaruba. The link opened a ZIP file hosted within SharePoint, but only the employees who got the mail could view it, presumably to keep researchers from analyzing it. 

 “This ZIP compressed file contained five Windows shortcut or LNK files trying to masquerade a PDF file using the double extension method, “.pdf.lnk”. Also, these files used a deceptive PDF icon to lure unsuspecting users into executing the file”, Trellix said in a report shared with Cyber Security News.

These files included a Windows Batch script that uses the Windows Script Host’s “CScript.exe” program to run the VBS script once it has been retrieved from a remote server using the Windows’s “curl” utility.

The Continued Evolution of the DarkGate Malware-as-a-Service

DarkGate version 4 was launched in June, which included sophisticated evasion tactics, command and control capabilities, and a variety of modules for credential theft, keylogging, screen recording, and other functions.

A new execution chain utilizing DLL side-loading and improved shellcodes and loaders is introduced in DarkGate version 5. It does, however, still include some version 4 functionality, such as AutoIT scripts and the first phases of VBS/MSI.

It was previously reported that only 10 people were able to get the tool due to its limited release. Now that this number has increased to 30, DarkGate is considered a limited MaaS in comparison to previous versions.

Despite its limited client base, it is imperative to emphasize the seriousness of the cyber threat.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.