Wednesday, April 17, 2024

DarkGate Loader Delivered Through Stolen Email Threads to Lure Victims

The research revealed high malspam activity of DarkGate malware distributed via phishing emails to the users either through MSI files or VBs script payloads.

Darkgate malware has been active since 2018 and has the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation.

A user RastaFarEye has been advertising DarkGate Loader on the xss[.]is an exploit[.]in cybercrime forums since June 16, 2023, with different pricing models.

“The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates,” Telekom Security said.

Attack Execution

Initially, phishing emails distributed the payload with either the MSI variant or the VBScript variant.

The attack commences from clicking on the phishing URL which redirects the user to the phishing site via a Traffic distribution system(TDS).

Subsequently, the MSI file will be downloaded, which executes the AutoIt script to execute a shellcode that acts as a conduit to decrypt and launch DarkGate via a crypter (or loader).

Whereas Visual Basic Script payload uses cURL to retrieve the AutoIt executable and script file to execute the malware.

Infection Chain

On successful initialization of darkgate malware, the malware will write a copy of itself to disk and create a registry run key to persist execution between reboots.

It also can terminate the process when it gets detected by the AV and alters its behavior according to the well-known AV product.

The malware can query different data sources to obtain information about the operating system, the logged-on user, the currently running programs, and other things. 

The malware uses multiple legitimate freeware tools published by Nirsoft to extract confidential data.

The malware periodically polls the C2 server for new instructions, executes the received commands, and finally sends back the results to the C2 server.


SHA256 6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.


Latest articles

Trustifi’s Email Security Awareness Training – Empowering MSPs to Train & Protect Clients

In today's digital landscape, email security has become a critical concern for businesses of...

Personal Data Exposed in Massive Global Hack: Understanding the Implications & Guarding Privacy- Axios Security Group

In a digital age where information is the new currency, the recent global hack...

Ex-Security Engineer Jailed For Hacking Decentralized Cryptocurrency Exchanges

Ahmed exploited a vulnerability in a decentralized cryptocurrency exchange's smart contract by injecting fabricated...

Omni Hotels & Resorts Hack: Attackers have Stolen Customer Information

Omni Hotels & Resorts has revealed that it was the target of a recent...

Connect:fun Attacking Organizations Running Fortinet’s FortiClient EMS

A new exploit campaign has emerged, targeting organizations that utilize Fortinet’s FortiClient EMS.Dubbed...

TA558 Hackers Compromised 320+ Organizations’ FTP & SMTP Servers

TA558, a financially motivated threat actor identified in 2018, is targeting several countries but...

Blackjack Hackers Destroyed 87,000 Sensors Using Lethal ICS Malware

A group of cybercriminals known as "Blackjack" has launched a devastating attack on industrial...

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles