Monday, July 15, 2024

DarkGate Malware Abuses AutoIT Scripting For Payload Obfustication

DarkGate is a type of malware that employs Auto-It compiled loaders that cause a considerable threat because of its advanced evasion strategies and persistence within compromised systems.

By using obfuscated AutoIt scripting and multi-stage payloads, the malware makes it more difficult to identify using conventional signature-based techniques.

Meticulous detection and analysis are necessary due to their capacity to obtain command and control communications and exfiltrate sensitive data.

The scripting language AutoIt was created specifically for automating Windows GUI and general scripting tasks. It has been used for malicious purposes throughout history, including AutoIt-compiled malware dating back to 2008.

“Malware creators have exploited the versatility of AutoIT in a variety of ways, such as using obfuscated scripts for payload decryption, utilizing legitimate tools like BaSupportVNC, and even creating worms capable of spreading through removable media and Windows shares”, said Splunk researchers.

Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Insights of DarkGate Malware and Its Use of AutoIt

Researchers discovered several campaigns using a loader intended for launching DarkGate on hacked systems. An instance of this would be the discovery of malicious PDF files that serve as carriers and cause a malicious CAB file to be downloaded. 

This CAB file, in turn, downloads a.MSI file containing and loading the DarkGate malware. This file appears to load a series of files, including two.BIN files, a DLL module, and the legitimate wndbg.exe, all of which are necessary for DarkGate to execute.

Malicious MSI Infection Flow 
Malicious MSI Infection Flow 

In a different variation, it adds another .CAB installer to the targeted host’s installation process, expanding its infection strategy. This enhanced strategy highlights threat actors’ ongoing attempts to avoid detection by highlighting the intricacy and sophistication of the infection mechanism they have chosen.

Four.png files are utilized solely as dummies or decoys to hide or mislead the observer from the important parts of the DarkGate operation.

.CAB Extracted Files
.CAB Extracted Files

“Within the .CAB file, a collection of files has been identified. Among these files, the pivotal components driving the initiation of DarkGate malware include windbg.exe, dbgeng.dll, data.bin, and data2.bin”, researchers said.

The subsequent stage of this malicious installation of the .CAB file entails the use of windbg.exe to execute a specifically designed dbgeng.dll via DLL side-loading techniques.

Data2.bin contains two encoded files, separated by the ‘splitres’ string. The first file to be decoded from the base64 process is a legitimate Autoit3.exe, which is used to run the second file, which is a script.au3 AutoIt script that has been constructed. 

The final loader encompasses both a shellcode and a .exe file designed to decrypt the DarkGate malware.

Hence, maintaining a strong defense against DarkGate’s shifting techniques requires constant monitoring in addition to updated defense systems.

Try Kelltron’s cost-effective penetration testing services to evaluate digital systems security. available.


Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles