- Researchers from Palo Alto Networks Unit 42, namely Vishwa Thothathri, Uday Pratap Singh, Yijie Sui, Anmol Maurya, and Brad Duncan, have shed light on the DarkGate malware campaign.
- DarkGate has been available since 2018 as a malware-as-a-service (MaaS) offering, and in March and April of this year the malware was spread through Microsoft Excel files.
- The most dangerous aspect of this malware is that it uses techniques that make it hard to detect, and it is constantly evolving, adding new methods to evade detection.
A short-lived malware campaign that distributed the DarkGate malware-as-a-service payload by abusing Samba file shares hit Europe, North America, and parts of Asia between March and April this year.
Researchers from Palo Alto Networks Unit 42 have shed light on this incident. The discovery was made by security researchers Uday Pratap Singh, Vishwa Thothathri, Yijie Sui, Brad Duncan, and Anmol Maurya.
“This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware.”
About DarkGate
Written in Borland Delphi, DarkGate has been available since 2018 as a malware-as-a-service (MaaS) offering. Simply put, the malware could be purchased by other threat actors, so that even those without coding or other technical skills could target victims.
DarkGate can be used in a number of ways. Malicious actors could use it to launch reverse shells, mine cryptocurrency, execute code, remotely control compromised hosts, or drop additional payloads.
About This Attack
The attack started in March 2024, first in North America and then spreading to Europe, Africa, and Asia. The attacks peaked on 9 April, when more than 2,000 samples were detected in a single day.
For this particular attack, the threat actors used Microsoft Excel files.
- When a victim opened the .xlsx file, they were shown a template in which the ‘Open’ button was linked to another object.
- As soon as they clicked the button, the file redirected to that malicious address, retrieved files, and ran them on the victim’s device.
- The URL attached to the Open button points to a publicly accessible Samba/SMB share that hosts a VBS file.
- In some of the attacks, researchers have also found attackers distributing JavaScript files from Samba shares.
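A defender triaging a suspicious workbook wants to find links of the kind described above before anyone clicks them. The following helper, an added example that is not Unit 42's code, unpacks an .xlsx (a ZIP of XML parts), lists every relationship declared as external, and flags those pointing at UNC, file:// or smb:// targets, which Excel would fetch over SMB. It assumes the lure's link is stored as a standard external relationship; the embedded sample workbook and the 203.0.113.10 host are constructed placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# UNC paths (\\host\share\...), file:// and smb:// URLs are all fetched over SMB.
SMB_TARGET = re.compile(r"^(\\\\[^\\]+\\|file://|smb://)", re.IGNORECASE)

def external_targets(xlsx_bytes):
    """Return (rels_part, target) for every TargetMode="External" relationship.
    Hyperlinks and linked objects in an .xlsx are declared in *.rels parts."""
    found = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    found.append((name, rel.get("Target", "")))
    return found

def smb_targets(xlsx_bytes):
    """Subset of external targets that Excel would resolve via an SMB share."""
    return [t for _, t in external_targets(xlsx_bytes) if SMB_TARGET.match(t)]

def build_sample_xlsx():
    """Constructed minimal workbook (not a real sample): one drawing .rels with a
    UNC hyperlink to a placeholder host beside a benign https link and an image."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"'
        ' Target="\\\\203.0.113.10\\share\\update.vbs" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"'
        ' Target="https://example.com/help" TargetMode="External"/>'
        '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"'
        ' Target="../media/image1.png"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/drawings/_rels/drawing1.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for target in smb_targets(build_sample_xlsx()):
        print("SMB-hosted external target:", target)
```

Running it over a real file is the same call with the file's bytes; any hit pointing outside the organisation's own file servers is worth a closer look.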
Once running, the malware also checked the host’s running processes for reverse-engineering tools, debuggers, or virtualization software.
Last but not least, the researchers said, “DarkGate C2 traffic uses unencrypted HTTP requests, but the data is obfuscated and appears as Base64-encoded text.” This further helped it evade detection.