The Continued Evolution of the DarkGate Malware-as-a-Service

DarkGate is a sophisticated Remote Access Trojan sold as Malware-as-a-Service by the actor RastaFarEye. It has evolved through multiple versions with advanced evasion and multi-stage loading chains. Trellix researchers document its deployment methods, feature set, and global C2 infrastructure, highlighting ongoing development and continued attempts to bypass security controls.

Key points

  • DarkGate is a MaaS RAT developed by the underground actor RastaFarEye, offered on forums for up to $15,000 per month, and has been under continual development since 2017.
  • Versions 4.x through 5.x show rapid evolution, including extensive evasion, C2 capabilities, and modules for credential theft, keylogging, screen capture, and more.
  • Delivery commonly uses phishing emails; recent campaigns also targeted collaboration platforms like Microsoft Teams, delivering a ZIP with LNK files masquerading as PDFs.
  • DarkGate employs multi-stage infection chains (VBS/MSI initial stages; AutoIt loaders; in v5, DLL side-loading and enhanced shellcode loaders) executed in memory.
  • Evasion and anti-analysis techniques include packers, custom string encoding, anti-VM checks, PPID spoofing, and Kaspersky/EDR bypass mechanisms.
  • Global C2 infrastructure, with multiple IPs and domains; Trellix provides IoCs and detection guidance via IVX and related mappings.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Initial access via phishing emails that deliver the first-stage infection vector. “DarkGate campaigns primarily leverage phishing emails containing links to distribute the initial infection vector.”
  • [T1566.002] Phishing: Spearphishing Link – Follow-on spearphishing where links deliver the payload, including a Teams-based lure described in the article.
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The infection chain uses a Windows batch script to download and execute payloads, including a VBS script and CScript.exe execution. “Windows Batch script … execute it.”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Mapped indirectly through loader activity that fetches and runs scripts and payloads via command interpreters; the article does not single out a dedicated PowerShell stage.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – DarkGate uses Startup folder copies and Run keys for persistence. “will create a copy of itself in the Startup folder … Run.”
  • [T1055.012] Process Injection: Process Hollowing – Variant uses process hollowing to hide and run the malicious payload. “Create suspended process and NtGetContextThread call used to achieve Process Hollowing.”
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – DarkGate v5 uses DLL side-loading with a trojanized DLL (KeyScramblerE.dll) to run code. “KeyScrambler application loads a trojanized DarkGate version of ‘KeyScramblerE.dll’.”
  • [T1027.007] Masquerading: Masquerade File Type / [T1036.007] Masquerading: Double File Extension – The malware uses double extensions like “.pdf.lnk” to masquerade as legitimate files. “masquerade a PDF file using the double extension method, ‘.pdf.lnk’.”
  • [T1132.002] Data Encoding: Non-Standard Encoding – DarkGate uses custom Base64 alphabets and later, non-ASCII encodings to hinder analysis. “This encoding follows the same approach, a Base64 encoding with custom alphabets.”
  • [T1219] Remote Access Software – DarkGate is presented as a RAT with comprehensive remote control features. “DarkGate is a complete toolkit that provides attackers with extensive capabilities to fully compromise victim systems.”
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communications over web protocols and centralized command and control channels. “C2 servers … Web Protocols.”
  • [T1005] Data from Local System / [T1113] Screen Capture – DarkGate captures data and screens as part of its data collection.
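As an added illustration of the custom-alphabet Base64 noted under T1132.002 (example code written for this summary, not from the Trellix article or the malware itself): once an analyst has recovered a sample's 64-character table, decoding is a matter of mapping it back onto the standard alphabet. The alphabet below is constructed for the demo (a rotated standard table) and is not DarkGate's real one.

```python
import base64
import string

# Standard Base64 alphabet; the malware swaps it for a per-build custom table.
STANDARD_ALPHABET = (
    string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
)

# CONSTRUCTED example alphabet for demonstration only: the standard table
# rotated by 17 positions. It is NOT DarkGate's real alphabet, which has to
# be recovered from the sample's own decoding routine.
EXAMPLE_CUSTOM_ALPHABET = STANDARD_ALPHABET[17:] + STANDARD_ALPHABET[:17]


def custom_b64_decode(data: str, alphabet: str) -> bytes:
    """Decode Base64 text written with a custom 64-character alphabet.

    Custom symbols are translated back onto the standard table, '=' padding
    is restored if the encoder stripped it, then the stock decoder is used.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    text = data.strip()
    # Only treat '=' as padding when the custom table does not use it as data.
    if "=" not in alphabet:
        text = text.rstrip("=")
    translated = text.translate(str.maketrans(alphabet, STANDARD_ALPHABET))
    translated += "=" * (-len(translated) % 4)
    # validate=True rejects characters outside the table instead of ignoring them.
    return base64.b64decode(translated, validate=True)


def custom_b64_encode(raw: bytes, alphabet: str) -> str:
    """Inverse of custom_b64_decode; useful for building test vectors."""
    table = str.maketrans(STANDARD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode("ascii").translate(table)


if __name__ == "__main__":
    # Constructed sample string, encoded with the demo alphabet.
    sample = custom_b64_encode(b"constructed-c2-config", EXAMPLE_CUSTOM_ALPHABET)
    print(sample, "->", custom_b64_decode(sample, EXAMPLE_CUSTOM_ALPHABET))
```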

Indicators of Compromise

  • [IP] C2 servers – 80.66.88.145, 5.188.87.58
  • [IP] Additional C2 endpoints – 185.8.106.231, 89.248.193.66
  • [Domain] C2/domains – bikeontop.shop, xfirecovery.pro
  • [Domain] Additional domains – naserviceebaysmman.shop, private-edinmarketing.com
  • [SHA256] Sample hashes – 6750f31ef5e1fe74c1121b0ab1308f93e09505a63322b6ce16fe04099ce8993e, 74729d4569691daf72e23849e91461471411f551639663e11e1091a48790611e
  • [SHA256] Additional hash – bec37877e3bffa222efb5c5680c7defd2d917317293d7fa70e0882ad45290a40
  • [MD5] Sample hash – 63f9b76e4bf4983e13eba7e22dd22781
  • [SHA256] Trojanized DLL used in DLL side-loading – 92372f91137114704b5c7cc10882eced9636997486832c5504551e2ba894cb34
  • [SHA256] Shellcode payload – 3a543dbe70ef5fc78e2fd8b2752e36892f705fc56c54837e248611941dea49c1

Read more: https://www.trellix.com/about/newsroom/stories/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/