Sunday, February 9, 2025
HomeCyber Security NewsDarkGate Loader Delivered Through Stolen Email Threads to Lure Victims

DarkGate Loader Delivered Through Stolen Email Threads to Lure Victims

Published on

SIEM as a Service

Follow Us on Google News

The research revealed high malspam activity of DarkGate malware distributed via phishing emails to the users either through MSI files or VBs script payloads.

Darkgate malware has been active since 2018 and has the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation.

A user RastaFarEye has been advertising DarkGate Loader on the xss[.]is an exploit[.]in cybercrime forums since June 16, 2023, with different pricing models.

“The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates,” Telekom Security said.

Attack Execution

Initially, phishing emails distributed the payload with either the MSI variant or the VBScript variant.

The attack commences from clicking on the phishing URL which redirects the user to the phishing site via a Traffic distribution system(TDS).

Subsequently, the MSI file will be downloaded, which executes the AutoIt script to execute a shellcode that acts as a conduit to decrypt and launch DarkGate via a crypter (or loader).

Whereas Visual Basic Script payload uses cURL to retrieve the AutoIt executable and script file to execute the malware.

Infection Chain

On successful initialization of darkgate malware, the malware will write a copy of itself to disk and create a registry run key to persist execution between reboots.

It also can terminate the process when it gets detected by the AV and alters its behavior according to the well-known AV product.

The malware can query different data sources to obtain information about the operating system, the logged-on user, the currently running programs, and other things. 

The malware uses multiple legitimate freeware tools published by Nirsoft to extract confidential data.

The malware periodically polls the C2 server for new instructions, executes the received commands, and finally sends back the results to the C2 server.

IOC

SHA256 6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Latest articles

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...