DarkGate Malware Returns
September 7, 2023
Topics
- Malware
- phishing campaign
Over the past couple of months, researchers have observed an uptick in malware delivered to end users through malspam campaigns. Malspam is spam email that carries malicious links, content, or attachments. One malware family currently being spread this way is DarkGate, and researchers have been investigating new infections since it resurfaced in June 2023.
DarkGate was first documented in 2018, and again in 2020, by enSilo (now Fortinet). At that time it was known for cryptomining and endpoint compromise, and it was distributed through torrent sites. Reports then dropped off for roughly three years, but between June and August 2023 new infections began to be reported once more.
The new version is reported to spread through malspam phishing campaigns. Its updated feature set includes credential harvesting, defense evasion, privilege escalation, persistence, data theft, and cryptomining. Notably, this version of DarkGate is not a free, open-source toolkit: it is sold on a paid subscription model and distributed by a single individual.
The threat actor behind the recent uptick goes by the handle RastaFarEye. This actor rents the malware out on a subscription basis to a limited number of customers via dark web forums, and was first seen advertising it on the XSS forum.
The recently detected version of DarkGate has been distributed through phishing emails. The multi-step process by which attackers compromise a victim's machine is shown below. The reported phishing emails also rely on social engineering: the attackers insert elements of earlier conversation threads they have gained access to, a technique often called thread hijacking. This is what makes the method hard to defend against, because recipients who recognize content from a real conversation are more likely to trust the message.
Another variant of the attack has been reported to use a Visual Basic Script (VBScript) rather than an MSI file; at the time of writing it is not clear how the VBScript is delivered.
Another infection vector is SEO poisoning. Search engine optimization poisoning is a technique related to malvertising in which threat actors push their malicious websites up the search rankings so that users click on them. In other words, attackers manipulate ranking signals so that their site appears near the top of the results when users search for specific words or phrases. In the case of DarkGate, attackers set up sites that look legitimate; when a user clicks the link they are redirected to a decoy page that initiates a download of the AutoIt payload. From there the infection follows the same installation steps as the phishing URL method.
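The delivery chain above (an MSI or VBScript first stage followed by an AutoIt payload) can be hunted for in endpoint telemetry. The following is an added example, not code from the original article or from any DarkGate report. It runs a few rules over constructed Sysmon-style process-creation records and assumes the standard Windows hosts for each stage (msiexec.exe for MSI packages, wscript.exe or cscript.exe for VBScript, AutoIt3.exe for AutoIt scripts) and the Sysmon Event ID 1 field names (ParentImage, Image, CommandLine). The sample events are constructed. The third rule, which catches a renamed interpreter that is still handed an .au3 script, goes beyond what the article describes and is a general hardening of the rule rather than an observed DarkGate behavior.

```python
"""Hunt for the MSI/VBScript -> AutoIt delivery chain in process telemetry.

Added example for this article; not code from the original post or from any
DarkGate report. Process names are the standard Windows hosts for each stage;
field names follow Sysmon Event ID 1. SAMPLE_EVENTS is constructed data.
"""
import ntpath
import re

# Stage 1: the process that runs the MSI package or the VBScript lure.
STAGE1_HOSTS = {"msiexec.exe", "wscript.exe", "cscript.exe"}
# Stage 2: the AutoIt interpreter that runs the payload script.
AUTOIT_BINARY = "autoit3.exe"
AUTOIT_SCRIPT = re.compile(r"\.au3\b", re.IGNORECASE)
# Locations a lure can write to without admin rights. A signed installer
# does not normally drop a script interpreter here.
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|windows\\temp|programdata|users\\public)\\",
    re.IGNORECASE,
)


def _name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def score_event(ev):
    """Return the reasons a Sysmon-style event matches the delivery chain."""
    parent = _name(ev.get("ParentImage", ""))
    image_path = ev.get("Image", "")
    image = _name(image_path)
    cmdline = ev.get("CommandLine", "")
    reasons = []

    # Stage 1 -> stage 2: the MSI or VBScript host starts the AutoIt interpreter.
    if image == AUTOIT_BINARY and parent in STAGE1_HOSTS:
        reasons.append(f"AutoIt interpreter spawned by {parent}")

    # AutoIt is legitimate software; running it from a user-writable path is
    # what is unusual, since that is where a lure drops its payload.
    if image == AUTOIT_BINARY and USER_WRITABLE.search(image_path):
        reasons.append("AutoIt interpreter running from a user-writable path")

    # Assumed evasion (not from the article): the interpreter is renamed but a
    # stage-1 host still passes it an .au3 script on the command line.
    if parent in STAGE1_HOSTS and image != AUTOIT_BINARY and AUTOIT_SCRIPT.search(cmdline):
        reasons.append(f"{parent} launched a process with an .au3 script argument")

    return reasons


def hunt(events):
    """Return (event index, reasons) for every event that matched a rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed Sysmon Event ID 1 records: two benign, three from the chain.
SAMPLE_EVENTS = [
    {   # benign: user opens Excel from Explorer
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"',
    },
    {   # benign: developer runs AutoIt from its install directory
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
        "CommandLine": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" build.au3',
    },
    {   # MSI lure: msiexec starts AutoIt dropped under the user's temp dir
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "Image": r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe" script.au3',
    },
    {   # VBScript lure: wscript starts AutoIt from ProgramData
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\ProgramData\AutoIt3.exe",
        "CommandLine": r"C:\ProgramData\AutoIt3.exe C:\ProgramData\loader.au3",
    },
    {   # renamed interpreter, still given an .au3 script by wscript
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Users\alice\AppData\Roaming\svc.exe",
        "CommandLine": r"C:\Users\alice\AppData\Roaming\svc.exe C:\Users\alice\AppData\Roaming\a.au3",
    },
]

if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {idx}:")
        for r in reasons:
            print(f"  - {r}")
```

Run against the constructed events, the two benign records produce no hits and the three chain records do. The first two rules will fire for legitimate AutoIt users who keep the interpreter in a writable folder, so tune them with an allow list for your own AutoIt deployments; the SEO poisoning path ends in the same AutoIt stage, so the same rules cover it once the decoy download has landed.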
To protect against malware such as DarkGate, proper training must be administered within the organization. Since DarkGate is predominantly spread through phishing emails, phishing awareness training should be enforced. It should be delivered at least once per year, and two or three times per year would be more effective. Because the phishing emails used in these campaigns rely on social engineering, the training should also cover social engineering tactics.
Antivirus is also important in protecting against DarkGate and other malware. Ensuring that every endpoint has antivirus and endpoint protection enabled is a good proactive measure for keeping the organization secure, and the signatures and engine must be kept up to date.
The last thing that can help keep an organization secure against threats such as DarkGate is research. Stay current on the latest cybersecurity trends. Keeping informed about new vulnerabilities and threats not only helps protect the organization but is also a good way to keep learning about topics you may not have encountered before.
Overall, DarkGate is a dangerous tool that lets threat actors perform many different tasks. This new variant has already made headlines and will likely continue to do so for some time. Given the price of acquiring the toolkit, it is not yet clear whether the variant will see the widespread use that many cheaper toolkits on the dark web enjoy. Whatever the case, this malware should not be taken lightly: there have already been multiple reports of detections even though only a few threat actors have access to it. We must therefore take proactive measures where available to keep our organizations protected against threats such as this one.