A new malicious spam campaign has been detected that deploys an off-the-shelf malware named DarkGate.
“This recent surge in DarkGate malware operations is believable because the malware developer has recently begun renting it out to a select group of associates,” stated a Telekom Security report released just last week.
Discovery Point
This report builds upon recent discoveries by a security researcher who unveiled a “high-volume campaign.” The campaign hijacks compromised email conversations to deceive recipients into unwittingly downloading the malware.
- The attack sequence begins with a phishing link that, upon being clicked, passes through a traffic distribution system (TDS).
- The TDS forwards the victim to an MSI payload only when specific conditions are met, such as a Refresh header being present in the HTTP response.
- When the MSI file is opened, a multi-stage process is triggered: an AutoIt script launches shellcode, which acts as a bridge to decrypt and launch DarkGate via a crypter (or loader).
Variations of the attack
In a slightly different variation, attackers have been observed using a Visual Basic Script instead of an MSI file. This script, in turn, uses cURL to retrieve the AutoIt executable and script file. The exact method of delivering the VBScript remains unknown.
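The two observable pivots in the chains above, a Refresh header that hands the browser an MSI installer, and a script host (wscript/cscript/msiexec) that spawns cURL and then AutoIt, are both cheap to hunt for in telemetry. The following is an added detection example written for this page; it is not code from the Telekom Security report or from any vendor. The proxy records and process-creation events are constructed sample data, and the image names and thresholds (a script host that spawns both curl.exe and AutoIt3.exe) are assumptions to tune against your own environment.

```python
"""Two hunt checks over constructed telemetry (added example, not from the report)."""
import re
from collections import defaultdict

# --- Check 1: Refresh-header redirects whose target is an MSI --------------
# Constructed sample proxy records: one HTTP response each (not real traffic).
SAMPLE_HTTP = [
    {"host": "tds.example", "headers": {"Refresh": "0; url=https://dl.example/Setup.msi"}},
    {"host": "news.example", "headers": {"Content-Type": "text/html"}},
    {"host": "portal.example", "headers": {"Refresh": "5; url=https://portal.example/home"}},
    {"host": "tds2.example", "headers": {"refresh": "0;URL=https://dl.example/inst.MSI?x=1"}},
]

# Refresh header syntax: "<seconds>; url=<target>" (case of "url" varies in the wild)
REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*(\S+)", re.IGNORECASE)


def refresh_target(headers):
    """Return (delay_seconds, target_url) from a Refresh header, or None if absent."""
    for name, value in headers.items():
        if name.lower() == "refresh":
            m = REFRESH_RE.match(value)
            if m:
                return int(m.group(1)), m.group(2)
    return None


def find_msi_refresh_redirects(records):
    """Flag responses that use a Refresh header to push the client to an .msi file."""
    hits = []
    for rec in records:
        target = refresh_target(rec["headers"])
        if target is None:
            continue
        delay, url = target
        # Strip query string and fragment before checking the extension
        path = url.split("?", 1)[0].split("#", 1)[0]
        if path.lower().endswith(".msi"):
            hits.append((rec["host"], delay, url))
    return hits


# --- Check 2: script host -> curl -> AutoIt process lineage ----------------
# Constructed process-creation events (pid, ppid, image); not real telemetry.
SAMPLE_PROCS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe"},
    {"pid": 210, "ppid": 200, "image": "curl.exe"},
    {"pid": 220, "ppid": 200, "image": "AutoIt3.exe"},
    {"pid": 300, "ppid": 100, "image": "cmd.exe"},
    {"pid": 310, "ppid": 300, "image": "curl.exe"},  # benign admin use, not flagged
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "msiexec.exe"}   # assumed set
SUSPECT_CHILDREN = {"curl.exe", "autoit3.exe"}                  # assumed set


def ancestors(pid, by_pid):
    """Yield (pid, image) for each ancestor of `pid`, nearest first; stops on cycles."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid = by_pid[pid]["ppid"]
        if ppid not in by_pid:
            break
        yield ppid, by_pid[ppid]["image"].lower()
        pid = ppid


def find_script_host_chains(events):
    """Return {script_host_pid: images} for script hosts whose descendants include
    both curl.exe and AutoIt3.exe, matching the VBScript variant described above."""
    by_pid = {e["pid"]: e for e in events}
    seen_under = defaultdict(set)
    for e in events:
        img = e["image"].lower()
        if img not in SUSPECT_CHILDREN:
            continue
        for anc_pid, anc_img in ancestors(e["pid"], by_pid):
            if anc_img in SCRIPT_HOSTS:
                seen_under[anc_pid].add(img)
    return {pid: imgs for pid, imgs in seen_under.items() if imgs == SUSPECT_CHILDREN}


if __name__ == "__main__":
    for hit in find_msi_refresh_redirects(SAMPLE_HTTP):
        print("Refresh-to-MSI redirect:", hit)
    for pid, imgs in find_script_host_chains(SAMPLE_PROCS).items():
        print(f"script host pid {pid} spawned {sorted(imgs)}")
```

The first check deliberately ignores the query string so a `.MSI?x=1` target is still caught; the second requires both tools under the same script host so a lone `cmd.exe -> curl.exe` from an administrator is not flagged. Both checks are starting points for a hunt, not a substitute for blocking unsolicited MSI downloads at the proxy.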
The malware is for sale
DarkGate, primarily sold on underground forums by an individual known as RastaFarEye, boasts abilities to slip under the radar of security software, establish persistence through Windows Registry alterations, elevate privileges, and steal data from web browsers as well as applications like Discord and FileZilla.
The malware also establishes communication with a command-and-control (C2) server, enabling actions such as file enumeration, data theft, cryptocurrency mining, remote screenshots, and execution of various commands.
DarkGate is available as a subscription, ranging from $1,000 per day to $15,000 per month and even up to $100,000 annually. The author touts it as the “ultimate tool for pentesters/redteamers” with unparalleled features. Interestingly, previous versions of DarkGate also included a ransomware module.
High Alert! Phishing attacks to be aware of
Phishing attacks remain a primary conduit for distributing stealers, trojans, and malware loaders. Threat actors continually augment these tools with new capabilities to expand their scope.
A recent report by HP Wolf Security highlighted that email remains the top method for delivering malware to endpoints, accounting for 79% of identified threats in the second quarter of 2023.
Cybercriminals’ economic resilience and adaptability are worth noting: their intrusion tooling keeps improving. What is our plan to fight back?