DarkGate’s March–April 2024 operation used Microsoft Excel files to pull a malware package from public Samba shares, illustrating how threat actors abuse legitimate tools for infection. The campaign underscores the evolution of DarkGate into a MaaS offering and its adaptiveness after the Qakbot disruption. Hashtags: #DarkGate #Samba #PowerShell #VBScript #JavaScript
Keypoints
- March–April 2024 campaign leveraged Excel workbooks with embedded objects to trigger downloads from Samba/SMB shares hosting VBS and JS payloads.
- Infection chain proceeds from Excel opening, via drawing.xml.rels, to remote VBS/JS, then PowerShell, and finally the AutoHotKey-based DarkGate package.
- Campaigns rely on legitimate tooling (AutoIt/AutoHotkey/PowerShell) and publicly accessible SMB shares, broadening geographic impact (NA, Europe, parts of Asia).
- DarkGate employs robust anti-analysis techniques, including CPU checks, running-process enumeration, and VM/sandbox detection.
- Anti-malware checks enumerate many security products and directories to tailor or evade defenses; newer variants also detect Defender and SentinelOne.
- Configuration data is decrypted at runtime with hard-coded XOR keys, enabling campaign-specific behavior (e.g., campaign_id like admin888) and multiple XOR keys across samples.
- Command-and-control traffic is HTTP-based, unencrypted but obfuscated/Base64-encoded, with evidence of data exfiltration in the March 2024 infection run.
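As an added defensive example (not code from the Unit 42 report), the following Python script inspects an .xlsx package for relationship entries whose external Target points at an SMB/UNC share, the lure mechanism this campaign used via drawing.xml.rels; the in-memory workbook and the 203.0.113.10 share path are constructed placeholders, and the flagged-vs-local distinction is the script's own heuristic.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def is_smb_target(target: str) -> bool:
    """True if a relationship Target resolves to a remote UNC/SMB share."""
    # Office writes such links as file://///host/share/x or \\host\share\x;
    # a drive-letter path such as file:///C:/... is local and is not flagged.
    t = target.strip()
    if t.lower().startswith("file:"):
        t = t[5:]
    host_path = t.lstrip("/\\")
    if len(t) - len(host_path) < 2:            # need at least \\ or // before the host
        return False
    if re.match(r"^[A-Za-z]:", host_path):      # local drive path, not a share
        return False
    return "/" in host_path.replace("\\", "/")  # host followed by a share/path component


def external_targets(xlsx_bytes: bytes):
    """Yield (rels_path, target) for every TargetMode="External" relationship in the package."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    yield name, rel.get("Target", "")


def smb_targets(xlsx_bytes: bytes):
    """Relationships whose external target is an SMB share: the lure pattern from this campaign."""
    return [(p, t) for p, t in external_targets(xlsx_bytes) if is_smb_target(t)]


def build_sample(target: str) -> bytes:
    """Constructed minimal .xlsx container; only the drawing rels part matters for this check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/drawings/_rels/drawing1.xml.rels",
                   f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{OLE_TYPE}" '
                   f'Target="{target}" TargetMode="External"/></Relationships>')
    return buf.getvalue()
```

Run `smb_targets()` over mail-gateway or sandbox-collected workbooks to surface lures before the embedded object ever resolves the share; a hit on a drawing rels part is the same artifact the report describes.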
MITRE Techniques
- [T1059.001] PowerShell – “PowerShell script downloads three files and uses them to start the AutoHotKey-based DarkGate package.” – This shows PowerShell as the conduit to fetch and execute payloads.
- [T1059.005] VBScript – “EXCEL_OPEN_DOCUMENT.vbs contains a large amount of junk code related to printer drivers, but the important script that retrieves and runs the follow-up PowerShell script is highlighted below in Figure 5.”
- [T1059.007] JavaScript – “the JavaScript shows a similar function to retrieve and run the follow-up PowerShell script.”
- [T1105] Ingress Tool Transfer – “This URL points to a Samba/SMB share that is publicly accessible and hosts a VBS file.”
- [T1027] Obfuscated/Compressed Files and Information – “The final DarkGate binary is deobfuscated from test.txt and run from system memory… obfuscated.”
- [T1518.001] Security Software Discovery – “Table 1 lists the anti-malware programs and their corresponding directory paths or filenames.”
- [T1057] Process Discovery – “DarkGate malware… scans the host’s running processes… to ensure normal Windows processes are running, but no processes that could be used for malware analysis or VM.”
- [T1497] Virtualization/Sandbox Evasion – “Checking CPU Information as an Anti-Analysis Technique” and the CPU-check routine to detect VM environments.
- [T1562.001] Impair Defenses – “checks for Kaspersky anti-malware software… downloads AutoHotKey.exe; uses hex-decoding as evasion.”
- [T1036] Masquerading – “These names are designed to suggest something official/important.”
- [T1071.001] Web Protocols – “DarkGate C2 traffic uses unencrypted HTTP requests… and Base64-encoded text.”
Indicators of Compromise
- [SHA256 Hash] Initial lures – 378b000edf3bfe114e1b7ba8045371080a256825f25faaea364cf57fa6d898d7, ba8f84fdc1678e133ad265e357e99dba7031872371d444e84d6a47a022914de9 (XLSX files containing embedded objects pointing to SMB URLs hosting JS/VBS files)
- [File] Lure/Script files – EXCEL_OPEN_DOCUMENT.vbs, 11042024_1545_EXCEL_DOCUMENT_OPEN.js
- [Domain] C2/download hosts – updateleft.com, wear626.com
- [IP] C2 server – 78.142.18.222
- [URL] Example download/command URLs – hxxp://nextroundst[.]com/aa, hxxp://adfhjadfbjadbfjkhad44jka[.]com/aa
- [SHA256 Hash] PowerShell/loader hashes – 9b2be97c2950391d9c16497d4362e0feb5e88bfe4994f6d31b4fda7769b1c780, 9a2a855b4ce30678d06a97f7e9f4edbd607f286d2a6ea1dde0a1c55a4512bb29
Read more: https://unit42.paloaltonetworks.com/darkgate-malware-uses-excel-files/