
Researchers Shed Light on DarkGate Malware That Targeted Users from North America, Europe, and Asia

Krishi Chowdhary, Journalist

  • Researchers from Palo Alto Networks Unit 42, namely Vishwa Thothathri, Uday Pratap Singh, Yijie Sui, Anmol Maurya, and Brad Duncan, have shed light on the DarkGate malware campaign.
  • DarkGate has been available since 2018 as a malware-as-a-service (MaaS) model—and in March-April of this year, the malware was spread through Microsoft Excel files.
  • The most dangerous thing about this malware is that it uses several techniques that make it hard to detect, and it keeps evolving with new methods to evade detection.


A short-lived malware campaign that distributed the DarkGate malware-as-a-service payload by abusing Samba file shares hit Europe, North America, and parts of Asia between March and April this year.

Researchers from Palo Alto Networks Unit 42 have shed light on this incident; the discovery was made by security researchers Uday Pratap Singh, Vishwa Thothathri, Yijie Sui, Brad Duncan, and Anmol Maurya.

“This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware.”

About DarkGate

Written in Borland Delphi, DarkGate has been available since 2018 as a malware-as-a-service (MaaS) model. Simply put, the malware was sold to other threat actors, so even those without coding or other technical skills could target victims.

There were a number of ways to use DarkGate. Malicious actors could use it to launch reverse shells, mine cryptocurrency, execute code, remotely control compromised hosts, or drop additional payloads.


About This Attack

The attack started in March 2024, first in North America and then spread to Europe, Africa, and Asia. It peaked on 9th April, when more than 2,000 samples were detected in a single day.

For this particular attack, the threat actors used Microsoft Excel files.

  • When a victim opened the .xlsx file, they were shown a template in which the ‘Open’ button was linked to an external object.
  • As soon as they clicked the button, the file reached out to that malicious web address, retrieved files, and ran them on the victim’s device.
  • The URL attached to the Open button points to a publicly accessible Samba/SMB share that hosts a VBS file.
  • In some of the attacks, researchers also found attackers distributing JavaScript files from Samba shares.
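
The delivery chain above (an Excel lure whose Open button fetches a .vbs or .js file from a public SMB share and runs it) leaves a distinctive trace on the endpoint: an Office process spawning a script host with a UNC path on its command line. The following is an added example of detection logic for that pattern; it is not code from the Unit 42 report or from this article. The event format (`ParentImage|Image|CommandLine`), the list of script hosts, the severity tiers, and the sample events (including the documentation-range IP) are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed event format (assumption, not any real product's schema):
#   ParentImage|Image|CommandLine
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumption: hosts that run .vbs/.js
OFFICE_APPS = {"excel.exe"}                     # the report describes Excel lures
# A UNC path (\\host\share\...) ending in .vbs or .js anywhere in the command line.
UNC_SCRIPT_RE = re.compile(r'\\\\[^\\\s"]+\\[^\s"]+?\.(?:vbs|js)\b', re.IGNORECASE)


@dataclass
class Finding:
    severity: str
    parent: str
    image: str
    unc_paths: list = field(default_factory=list)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def inspect_event(line: str):
    """Return a Finding for one process-creation event, or None if it is benign."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    parent, image, cmdline = parts
    p, i = basename(parent), basename(image)
    uncs = UNC_SCRIPT_RE.findall(cmdline)
    # Office app -> script host -> script on a remote share: the full chain.
    if i in SCRIPT_HOSTS and p in OFFICE_APPS and uncs:
        return Finding("high", p, i, uncs)
    # Any script host pulling a script from a share is worth a look.
    if i in SCRIPT_HOSTS and uncs:
        return Finding("medium", p, i, uncs)
    # Office spawning a script host at all is unusual on most desktops.
    if i in SCRIPT_HOSTS and p in OFFICE_APPS:
        return Finding("low", p, i, [])
    return None


def scan(events):
    """Run inspect_event over an iterable of event lines and keep the hits."""
    return [f for f in (inspect_event(e) for e in events) if f]


# Constructed sample events (not real IoCs); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    r'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\System32\wscript.exe|"C:\Windows\System32\wscript.exe" \\203.0.113.10\share\update.vbs',
    r'C:\Windows\explorer.exe|C:\Windows\System32\cscript.exe|cscript.exe \\fileserver.example\scripts\login.js',
    r'C:\Windows\explorer.exe|C:\Windows\System32\cscript.exe|cscript.exe C:\Scripts\backup.vbs',
    r'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\splwow64.exe|C:\Windows\splwow64.exe 12288',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.parent} -> {f.image} {f.unc_paths}")
```

The medium tier exists because a logon script legitimately run from a file server looks the same at the command-line level; the parent process is what separates the Excel lure from routine administration, so tuning should start with the allow-list of parents rather than with the UNC pattern.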

The worst bit is that these attacks were extremely difficult to detect. The malware checked whether any anti-malware programs were present on the device. It also inspected the CPU information to determine whether it was running on a physical host or in a virtual environment, which in turn lets it hinder analysis.

On top of that, it checked the host’s running processes and looked for the presence of reverse engineering tools, debuggers, or any virtualization software.

Last but not least, the researchers said, “DarkGate C2 traffic uses unencrypted HTTP requests, but the data is obfuscated and appears as Base64-encoded text.” This further helped it evade detection.
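
Because the C2 traffic is plain HTTP with a Base64-looking body, a proxy or network sensor can still inspect it, and the obfuscation itself becomes the signal: ordinary Base64 in web traffic decodes to text, whereas an obfuscated beacon decodes to bytes that are neither printable nor low-entropy. The following is an added example of that check; it is not code from the Unit 42 report or from this article. The log format (`client_ip method url content-type body`), the length, printable-ratio and entropy thresholds, and the sample lines are constructed assumptions.

```python
import base64
import binascii
import math
import re
from dataclasses import dataclass

# Constructed proxy log format (assumption): <client_ip> <method> <url> <content-type> <body>
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_B64_LEN = 32           # assumption: shorter blobs are too common to be useful
MAX_PRINTABLE_RATIO = 0.8  # assumption: real text decodes to mostly printable bytes
MIN_ENTROPY_BITS = 5.5     # assumption: obfuscated data sits well above ASCII text


@dataclass
class Finding:
    client_ip: str
    url: str
    reason: str


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the decoded payload (0 for empty or single-valued data)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def try_b64_decode(blob: str):
    """Strict Base64 decode; None when the body is not a plausible Base64 blob."""
    if len(blob) < MIN_B64_LEN or len(blob) % 4 or not B64_RE.match(blob):
        return None
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_line(line: str):
    """Flag a plain-HTTP POST whose Base64 body decodes to non-text data."""
    parts = line.split(" ", 4)
    if len(parts) != 5:
        return None
    client_ip, method, url, _ctype, body = parts
    # Only unencrypted HTTP bodies can be inspected at the proxy; HTTPS is skipped.
    if method != "POST" or not url.lower().startswith("http://"):
        return None
    decoded = try_b64_decode(body.strip())
    if decoded is None:
        return None
    ent = shannon_entropy(decoded)
    pr = printable_ratio(decoded)
    if pr < MAX_PRINTABLE_RATIO or ent > MIN_ENTROPY_BITS:
        return Finding(client_ip, url,
                       f"base64 body decodes to non-text data (printable={pr:.2f}, entropy={ent:.2f} bits)")
    return None


def scan(lines):
    return [f for f in (inspect_line(l) for l in lines) if f]


# Constructed samples (not real IoCs; 203.0.113.0/24 is a documentation range):
# a deterministic byte spread standing in for an obfuscated beacon, a normal form post, a GET.
OBFUSCATED = bytes((i * 73 + 41) % 256 for i in range(96))
SAMPLE_LINES = [
    "10.0.0.12 POST http://203.0.113.10/ application/x-www-form-urlencoded "
    + base64.b64encode(OBFUSCATED).decode(),
    "10.0.0.12 POST http://intranet.example/api application/x-www-form-urlencoded "
    + base64.b64encode(b'{"user":"alice","action":"login","ts":1712620800}').decode(),
    "10.0.0.13 GET http://intranet.example/status text/html -",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f.client_ip} -> {f.url}: {f.reason}")
```

Both thresholds are deliberately loose; in production the rule is better used to enrich a beaconing detection (fixed-interval POSTs to one host) than as a standalone alert, since compressed uploads also decode to high-entropy bytes.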
