DarkGate Malware Activity Spikes as Developer Rents Out Malware to Affiliates

Cyber Security Threat Summary:
“A new malspam campaign has been observed deploying an off-the-shelf malware called DarkGate. ‘The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates,’ Telekom Security said in a report published last week. The latest report builds on recent findings from security researcher Igal Lytzki, who detailed a "high volume campaign" that leverages hijacked email threads to trick recipients into downloading the malware. The attack commences with a phishing URL that, when clicked, passes through a traffic direction system (TDS) to take the victim to an MSI payload subject to certain conditions. This includes the presence of a refresh header in the HTTP response. Opening the MSI file triggers a multi-stage process that incorporates an AutoIt script to execute shellcode that acts as a conduit to decrypt and launch DarkGate via a crypter (or loader). Specifically, the loader is designed to parse the AutoIt script and extract the encrypted malware sample” (The Hacker News, 2023).

Security Officer Comments:
DarkGate is currently being advertised on underground forums for $1000 per day, $15,000 per month, and $100,000 per year. For its part, the malware is capable of evading detection by security solutions, abusing the Windows registry for persistence, escalating privileges to SYSTEM, and exfiltrating data from web browsers and applications like Discord and FileZilla. DarkGate also supports various C2 commands which provide the following features:

  • Information gathering: Collect system information or other relevant data
  • Self-management: Start or stop malware components, control malware settings
  • Self-update: Update the malware, download additional components
  • Stealer: Steal data from various programs and data sources
  • Cryptominer: Start, stop and configure cryptominer
  • RAT: Initiate VNC connection, capture screenshots, execute commands
  • File management: Browse directories, download files from the victim system
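The delivery chain described in the summary above (phishing URL, TDS, an HTTP response carrying a Refresh header, an MSI payload, then an AutoIt script run from the installer) gives defenders two simple hunting pivots. The following is an added example written for this page, not code from the report, Telekom Security, or The Hacker News. It runs two detections over constructed sample telemetry: a proxy log check for a Refresh-header response followed by an MSI download from the same client, and an endpoint check for msiexec.exe spawning an AutoIt interpreter. The pipe-delimited log layout, the hostnames, the 30-second correlation window and the interpreter image name AutoIt3.exe are assumptions made for the example, not values taken from the report.

```python
"""Hunting the DarkGate delivery chain: Refresh-header redirect -> MSI download,
and MSI installer -> AutoIt interpreter. Added example with constructed data."""
from datetime import datetime, timedelta

# Constructed proxy log, one event per line (assumed layout):
# timestamp | client_ip | url | http_status | content_type | notable_response_header
PROXY_LOG = """\
2023-08-10T09:00:01|10.1.1.5|http://tds.example.test/go?id=abc|200|text/html|Refresh: 0; url=http://dl.example.test/setup.msi
2023-08-10T09:00:03|10.1.1.5|http://dl.example.test/setup.msi|200|application/x-msi|Content-Disposition: attachment
2023-08-10T09:05:00|10.1.1.9|http://intranet.example.test/news|200|text/html|Cache-Control: no-cache
2023-08-10T09:06:00|10.1.1.9|http://vendor.example.test/update.msi|200|application/x-msi|Content-Disposition: attachment
"""

# How long after a Refresh-bearing response an MSI download is still correlated (assumption).
WINDOW = timedelta(seconds=30)


def parse_proxy(log: str) -> list[dict]:
    """Parse the constructed pipe-delimited proxy log into event dicts."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, url, status, ctype, header = line.split("|", 5)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "url": url,
            "status": int(status),
            "ctype": ctype.strip().lower(),
            "header": header.strip(),
        })
    return events


def is_msi(ev: dict) -> bool:
    """MSI payload by content type or by file extension in the URL."""
    return ev["ctype"] == "application/x-msi" or ev["url"].lower().endswith(".msi")


def has_refresh_header(ev: dict) -> bool:
    """The TDS condition named in the report: an HTTP Refresh response header."""
    return ev["header"].lower().startswith("refresh:")


def flag_refresh_to_msi(events: list[dict]) -> list[tuple[str, str]]:
    """Return (client_ip, msi_url) for each MSI download that follows a
    Refresh-bearing response from the same client within WINDOW."""
    last_refresh: dict[str, datetime] = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if has_refresh_header(ev):
            last_refresh[ev["ip"]] = ev["ts"]
        elif is_msi(ev):
            seen = last_refresh.get(ev["ip"])
            if seen is not None and ev["ts"] - seen <= WINDOW:
                hits.append((ev["ip"], ev["url"]))
    return hits


# Constructed endpoint process-creation events: (parent_image, child_image, command_line)
PROCESS_EVENTS = [
    ("msiexec.exe", "AutoIt3.exe", "AutoIt3.exe C:\\Users\\Public\\script.au3"),
    ("explorer.exe", "msiexec.exe", "msiexec.exe /i setup.msi"),
    ("explorer.exe", "AutoIt3.exe", "AutoIt3.exe C:\\Tools\\build.au3"),  # benign admin use
]

# Interpreter image name assumed for the example.
AUTOIT_IMAGES = {"autoit3.exe"}


def flag_msi_spawning_autoit(events: list[tuple[str, str, str]]) -> list[str]:
    """Return command lines where the Windows installer launched an AutoIt
    interpreter, the MSI -> AutoIt stage of the chain described in the report."""
    return [
        cmd for parent, child, cmd in events
        if parent.lower() == "msiexec.exe" and child.lower() in AUTOIT_IMAGES
    ]


if __name__ == "__main__":
    for ip, url in flag_refresh_to_msi(parse_proxy(PROXY_LOG)):
        print(f"[proxy] Refresh-header redirect to MSI: client={ip} url={url}")
    for cmd in flag_msi_spawning_autoit(PROCESS_EVENTS):
        print(f"[endpoint] msiexec.exe spawned AutoIt: {cmd}")
```

The second client in the proxy sample downloads an MSI from a vendor site with no preceding Refresh response and is deliberately not flagged; the standalone AutoIt run under explorer.exe is likewise ignored. Both rules are narrow on purpose: the correlation is what separates the TDS-driven chain from ordinary installer traffic, and the parent/child pairing is what separates installer-launched scripts from routine AutoIt use.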
Suggested Correction(s):
With email being the initial infection vector, users should adhere to the following recommendations:
  • Do not open emails or download software from untrusted sources
  • Do not click on links or attachments in emails that come from unknown senders
  • Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
  • Always verify the email sender's email address, name, and domain
  • Backup important files frequently and store them separately from the main system
  • Protect devices using antivirus, anti-spam and anti-spyware software
  • Report phishing emails to the appropriate security or I.T. staff immediately