
DarkGate Malware Targets Excel Files & SMB Shares


A March-April 2024 DarkGate malware campaign leveraged exposed SMB file shares to distribute malicious Excel documents, which demonstrates how threat actors can exploit legitimate tools for malware distribution. 

The campaign used AutoIt or AutoHotkey scripts for infection, targeting primarily North America, Europe, and Asia, representing one of many tactics used to distribute DarkGate since August 2023. 

Exploit.IN forum post by DarkGate developer RastaFarEye in October 2023

The Excel files hosted malicious code that downloaded and executed a VBS or JavaScript script from public Samba shares, which, in turn, fetched and ran a PowerShell script. 

This PowerShell script downloaded the components of the AutoHotkey-based DarkGate malware, employing evasion techniques such as checking for Kaspersky antivirus and obfuscating its shellcode, while the final DarkGate payload was executed from memory.
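The chain described above (an Excel document, then a VBS or JavaScript script run from a public Samba share, then PowerShell) leaves a distinctive parent/child process trail on the endpoint. The following Python is an added example, not code from the original article or from Unit 42: it runs three detection rules over constructed process-creation events shaped like Sysmon Event ID 1 records. The file paths, the IP address, the rule names and the sample events are all assumptions chosen for illustration.

```python
import ntpath
import re

# Constructed process-creation events (synthetic, not real telemetry), shaped like
# the parent image / image / command line fields of a Sysmon Event ID 1 record.
# The 203.0.113.10 address is a documentation-range placeholder, not an IoC.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "\\203.0.113.10\share\update.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Users\Public\stage.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Scripts\nightly-backup.vbs"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # hosts for VBS / JScript
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# A UNC path (\\host\share\...): the article's scripts were pulled from SMB shares.
UNC_PATH = re.compile(r'\\\\[^\\\s"]+\\[^\s"]+')


def basename(path):
    """Lower-cased file name of a Windows path, portable across host OSes."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the rule names an event matches (empty list when nothing fires)."""
    parent = basename(event["parent"])
    image = basename(event["image"])
    cmdline = event["cmdline"]
    hits = []
    # Rule 1: an Office application directly spawning a script host or PowerShell.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS | POWERSHELL:
        hits.append("office-spawned-script-host")
    # Rule 2: a script host executing a script from a network (UNC) location.
    if image in SCRIPT_HOSTS and UNC_PATH.search(cmdline):
        hits.append("script-host-unc-path")
    # Rule 3: a script host handing off to PowerShell (the next stage in the chain).
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        hits.append("script-host-spawned-powershell")
    return hits


def scan(events):
    """Map event index -> matched rules, keeping only events that matched."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {SAMPLE_EVENTS[i]['cmdline']} -> {', '.join(hits)}")
```

Each rule alone is noisy in some environments (a printing helper spawned by Excel, an admin's logon script on a file server), so in practice the rules are correlated: an Office-spawned script host that also references a UNC path, followed by PowerShell, is the sequence worth an alert.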

An example of script.ahk stripped of its comment lines.

DarkGate malware employs anti-analysis techniques to evade detection: it checks the victim’s CPU to distinguish virtual environments from physical systems and may halt execution in a controlled environment. 

It scans for multiple anti-malware programs, including Bitdefender, SentinelOne, Avast, and others, to avoid triggering their detection mechanisms. 

To counter these techniques, analysts should focus on understanding DarkGate’s shellcode to identify its functionality and develop methods to bypass its anti-analysis measures. 

DarkGate’s routine to check for the CPU is shown in a debugger.

The malware evades detection by scrutinizing system processes for anti-malware, debugging tools, and virtualization indicators, tailoring its behavior based on this information. 

It employs a complex configuration encryption scheme involving XOR keys, which vary even among samples with identical campaign identifiers and C2 servers, likely to hinder analysis. 

While some configuration fields remain obscure, others, like the campaign identifier, offer insights into the malware’s operational context. 

Configuration data was extracted from a DarkGate sample first seen on March 14, 2024.

DarkGate malware uses unencrypted HTTP requests carrying Base64-encoded, obfuscated data for C2 communication. That data includes a campaign identifier and the XOR key; multiple samples can share the same campaign identifier and C2 server while using different XOR keys. 

Additionally, it exhibits data exfiltration capabilities, sending large amounts of Base64-encoded data through HTTP POST requests to its C2 server. 
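Because the C2 and exfiltration traffic described in the two paragraphs above is plaintext HTTP carrying large Base64 bodies, a proxy or egress log can be screened for that shape without any knowledge of the XOR key. The following Python is an added example, not code from the original article or from Unit 42: it scores constructed HTTP request records for plaintext scheme, large Base64-only POST bodies and high-entropy decoded content. The URLs, threshold values, rule names and sample requests are assumptions chosen for illustration.

```python
import base64
import binascii
import math
import random
import re
from urllib.parse import urlsplit

# A body that is nothing but Base64 characters plus optional padding.
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_BLOB_LEN = 512          # assumption: smaller blobs are ordinary tokens/cookies
HIGH_ENTROPY_BITS = 7.0     # assumption: near-random bytes suggest packed/encrypted data

# Constructed request records (synthetic, not captured traffic). The first one
# mimics a bulk upload to a plaintext C2: 4 KiB of seeded pseudo-random bytes,
# Base64-encoded. 203.0.113.10 is a documentation-range placeholder, not an IoC.
_rng = random.Random(2024)
_BLOB = base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(4096))).decode()
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "http://203.0.113.10/", "body": _BLOB},
    {"method": "POST", "url": "https://api.example.com/v1/orders", "body": '{"id": 42, "qty": 3}'},
    {"method": "GET", "url": "http://www.example.com/index.html", "body": ""},
    {"method": "POST", "url": "https://sso.example.com/token",
     "body": base64.b64encode(b"session-refresh").decode()},
]


def is_base64_blob(text, min_len=MIN_BLOB_LEN):
    """True if text is one long run of Base64 that decodes cleanly."""
    if len(text) < min_len or not B64_ALPHABET.match(text):
        return False
    try:
        base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_request(req):
    """Return the list of signals a request raises (empty when none)."""
    reasons = []
    if urlsplit(req["url"]).scheme == "http":
        reasons.append("plaintext-http")
    if req["method"] == "POST" and is_base64_blob(req["body"]):
        reasons.append("large-base64-post")
        decoded = base64.b64decode(req["body"], validate=True)
        if shannon_entropy(decoded) > HIGH_ENTROPY_BITS:
            reasons.append("high-entropy-payload")
    return reasons


def triage(requests):
    """Map request index -> signals, for requests that look like Base64 bulk uploads."""
    out = {}
    for i, req in enumerate(requests):
        reasons = score_request(req)
        if "large-base64-post" in reasons:
            out[i] = reasons
    return out


if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_REQUESTS).items():
        print(f"request {i}: {SAMPLE_REQUESTS[i]['url']} -> {', '.join(reasons)}")
```

The size and encoding rule is the primary signal; the entropy check is only supporting evidence, because data obfuscated with a short repeating XOR key over text keeps a byte distribution close to the plaintext and will not look random. A legitimate file-upload endpoint can trip the same rules, so the result should be joined with destination reputation and with the process that produced the request, not alerted on alone.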

DarkGate, a sophisticated and adaptable threat, has emerged as a potential successor to Qakbot. Employing advanced infection techniques, including phishing and the exploitation of publicly accessible Samba shares, it demonstrates resilience and a capacity for evolution. 

According to Unit42, its MaaS model and ability to bypass security measures underscore the critical need for robust cybersecurity defenses against this persistent and complex threat. 
