DarkGate resurged in 2023 with a feature-rich comeback and evolved into DarkGate v6 in early 2024, aiming to stay under the security radar. A March update introduced a new final-stage delivery that uses AutoHotKey to execute the payload, while the author RastaFarEye continues MaaS distribution despite underground bans. #DarkGate #RastaFarEye #AutoHotKey
Keypoints
- DarkGate had a notable comeback in 2023 and released DarkGate v6 in early 2024 with a major code rewrite and enhanced evasion capabilities.
- A new five-stage execution chain in March 2024 uses AutoHotKey to run the final DarkGate payload, marking a shift from earlier AutoIt3 and DLL sideloading techniques.
- The operator, RastaFarEye, remains active in MaaS despite underground bans and has used new monikers to sell tools, such as Bordislav and authpress.
- DarkGate v6 encrypts its configuration, adds new persistence and evasion features, and introduces updated commands and rootkit-like security-bypass techniques.
- Some traditional features were removed or toned down (e.g., privilege escalation, cryptomining, hvnc), while the command set expanded to 77 commands with new distribution and evasion capabilities.
- There are indications of new affiliates or accounts being created in underground forums to broaden distribution and support development.
MITRE Techniques
- [T1566.001] Phishing – The initial stage uses phishing emails containing either an Excel or an HTML document as attachment. ‘The initial stage … phishing emails containing either an Excel or an HTML document as attachment.’
- [T1204.002] User Execution: Malicious File – Opening the document prompts editing and macro execution: ‘The user opens them, some message urging the victim to enable editing of the document’ and then ‘VBScript macro will be downloaded from the Internet via SMB using the remote template injection technique.’
- [T1059.001] PowerShell – The third stage is a PowerShell script that downloads additional components: ‘the third stage will consist of a Powershell script, then the fourth one is executed, the AutoHotKey script…’
- [T1059.005] Visual Basic – The campaign uses Visual Basic Script (VBScript) as the second stage: ‘a Visual Basic Script (VBScript)…’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – DarkGate v6 introduces persistence and rootkit-like behavior to bypass security software: ‘Set up persistence in the system, ensuring bypass of security software (previously known as the “rootkit” module)’.
- [T1055.012] Process Injection: Process Hollowing – DarkGate v6 uses advanced evasion, including process hollowing, as part of its rootkit-like persistence; the image caption names the technique: ‘Figure 15: AddressOfEntryPoint injection technique implemented in DarkGate v6.’
- [T1574.002] DLL Side-Loading – The payload is deployed inside a DLL (sqlite3.dll), enabling a DLL side-loading attack: ‘Indicates that the payload was deployed inside a DLL called sqlite3.dll, performing this way a DLL side-loading attack’.
- [T1027.007] Dynamic API Resolution – DarkGate employs techniques to evade defenses by changing how APIs are resolved at runtime. ‘Defense Evasion … Dynamic API Resolution’.
- [T1027.009] Embedded Payloads – DarkGate uses embedded payload delivery techniques to conceal the final stage. ‘Embedded Payloads’.
- [T1134.004] Access Token Manipulation: Parent PID Spoofing – DarkGate’s evasion and persistence involve manipulating process tokens via parent PID spoofing. ‘Access Token Manipulation: Parent PID Spoofing’.
- [T1113] Screen Capture – DarkGate’s capabilities include data collection such as screen capture. ‘Screen Capture’.
- [T1056.001] Credentials from Web Browsers – The toolkit collects credentials from browsers as part of data theft. ‘Credentials from Web Browsers’.
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communications leverage web protocols to exfiltrate data. ‘Application Layer Protocol: Web Protocols’.
- [T1041] Exfiltration Over C2 Channel – Data exfiltration occurs over the C2 channel. ‘Exfiltration’.
- [T1489] Service Stop / [T1529] System Shutdown/Reboot – DarkGate can impact systems by forcing shutdowns and BSODs. ‘System Shutdown/Reboot’.
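The delivery chain described in the key points and the technique list above (Office document → VBScript host → PowerShell → AutoHotKey → DarkGate payload), turned into a process-lineage detection check. This is an added example and not code from the Trellix post: the process events are constructed, the field layout mirrors what a Sysmon Event ID 1 or EDR process-creation event provides, and the image-name lists for each role are assumptions a deployment would tune to its own telemetry.

```python
"""
Added example (not from the Trellix post): flags final-stage interpreter
processes (AutoHotKey, or AutoIt3 for the earlier v6 chain) whose ancestry
follows the Office -> script host -> PowerShell -> interpreter delivery chain.
Sample events are constructed; the image-name lists are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Role -> lower-cased image names assumed to play it in the chain.
ROLES: Dict[str, Set[str]] = {
    "office": {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"},
    "script_host": {"wscript.exe", "cscript.exe"},
    "powershell": {"powershell.exe", "pwsh.exe"},
    # Final-stage interpreters: AutoHotKey (March 2024 chain) and AutoIt3
    # (earlier v6 delivery mentioned above).
    "interpreter": {"autohotkey.exe", "autohotkeyu64.exe", "autohotkey64.exe", "autoit3.exe"},
}
# The stages must appear in this order (as a subsequence) in the ancestry.
STAGE_ORDER: List[str] = ["office", "script_host", "powershell", "interpreter"]


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry: (pid, parent pid, image, command line).
SAMPLE_EVENTS: List[Tuple[int, int, str, str]] = [
    (100, 1,   "explorer.exe",   "explorer.exe"),
    (200, 100, "EXCEL.EXE",      "EXCEL.EXE invoice.xlsx"),
    (300, 200, "wscript.exe",    r"wscript.exe \\fileserver.example\share\stage2.vbs"),
    (400, 300, "powershell.exe", r"powershell.exe -w hidden -f C:\Users\Public\stage3.ps1"),
    (500, 400, "AutoHotkey.exe", r"AutoHotkey.exe C:\Users\Public\test.ahk"),
    (600, 100, "AutoHotkey.exe", r"AutoHotkey.exe C:\Tools\hotkeys.ahk"),  # benign user script
]


def role_of(image: str) -> Optional[str]:
    """Map an image name (bare or full path) to its chain role, or None."""
    name = image.lower().rsplit("\\", 1)[-1]
    for role, names in ROLES.items():
        if name in names:
            return role
    return None


def index_events(rows: List[Tuple[int, int, str, str]]) -> Dict[int, ProcEvent]:
    return {pid: ProcEvent(pid, ppid, image, cmd) for pid, ppid, image, cmd in rows}


def ancestry(events: Dict[int, ProcEvent], pid: int, max_depth: int = 16) -> List[ProcEvent]:
    """Process chain from root to `pid` (oldest first); max_depth guards against pid reuse loops."""
    chain: List[ProcEvent] = []
    seen: Set[int] = set()
    ev = events.get(pid)
    while ev is not None and ev.pid not in seen and len(chain) < max_depth:
        chain.append(ev)
        seen.add(ev.pid)
        ev = events.get(ev.ppid)
    chain.reverse()
    return chain


def matches_stage_order(chain: List[ProcEvent], order: List[str] = STAGE_ORDER) -> bool:
    """True when the chain's roles contain `order` as an in-order subsequence,
    so unrelated intermediate processes (e.g. conhost.exe) do not break the match."""
    i = 0
    for ev in chain:
        if i < len(order) and role_of(ev.image) == order[i]:
            i += 1
    return i == len(order)


def find_suspicious_interpreters(rows: List[Tuple[int, int, str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (pid, [images root..leaf]) for each interpreter launched via the full chain."""
    events = index_events(rows)
    hits: List[Tuple[int, List[str]]] = []
    for ev in events.values():
        if role_of(ev.image) != "interpreter":
            continue
        chain = ancestry(events, ev.pid)
        if matches_stage_order(chain):
            hits.append((ev.pid, [e.image for e in chain]))
    return hits


if __name__ == "__main__":
    for pid, images in find_suspicious_interpreters(SAMPLE_EVENTS):
        print(f"pid {pid}: {' -> '.join(images)}")
```

Requiring the whole chain as an ordered subsequence keeps the benign AutoHotkey launch from explorer.exe (pid 600) out of the hits; a shorter `STAGE_ORDER` such as `["powershell", "interpreter"]` gives a broader but noisier rule.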
Indicators of Compromise
- [Hash] SHA-256 – 12018c2af0600fc1f1a75842a1d4f7777001fadb65f93125e479ec9b949e1773, 9c9e93fae0cb9bd2075b01f48b6720749747502b73e5f97d5ec00c1ea6c82c4a
- [Domain] nextroundst.com – initial-stage network IoC referencing attacker downloader infrastructure; ‘nextroundst[.]com’ appears in the IoC list.
- [Domain] rourtmanjsdadhfakja.com – another downloader/domain listed in IoCs.
- [IP] 103.124.106.237 – network indicator listed in the IoCs.
- [IP] 45.140.146.2:443 – network indicator with port, listed in the IoCs.
- [URL] http://nextroundst.com/qzaugqmb – example downloader URL referenced in IoCs.
- [URL] http://goingupdate.com/ptoleqco – example downloader URL referenced in IoCs.
- [Domain] adfhjadfbjadbfjkhad44jka.com – DarkGate payload domain indicated in IoCs.
- [Domain] backupitfirst.com – DarkGate payload domain indicated in IoCs.
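The indicator list above, fed to an added example (not code from the Trellix post) that refangs and classifies each indicator and matches the result against constructed proxy, DNS, firewall and EDR log lines. The indicator values are the ones given on the page; the log lines are invented. The hash algorithm is derived from hex length, so the two 64-character values classify as SHA-256.

```python
"""
Added example (not from the Trellix post): normalise the page's IoCs
(defanged domains, IP:port pairs, URLs, hashes) and scan log lines for them.
Log lines are constructed; indicator values come from the page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

RAW_IOCS: List[str] = [
    "12018c2af0600fc1f1a75842a1d4f7777001fadb65f93125e479ec9b949e1773",
    "9c9e93fae0cb9bd2075b01f48b6720749747502b73e5f97d5ec00c1ea6c82c4a",
    "nextroundst[.]com", "rourtmanjsdadhfakja.com",
    "103.124.106.237", "45.140.146.2:443",
    "http://nextroundst.com/qzaugqmb", "http://goingupdate.com/ptoleqco",
    "adfhjadfbjadbfjkhad44jka.com", "backupitfirst.com",
]


@dataclass(frozen=True)
class Indicator:
    kind: str                 # "md5", "sha1", "sha256", "domain", "ip", "url"
    value: str
    port: Optional[int] = None


HEX = re.compile(r"^[0-9a-f]+$")
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}   # hex length -> algorithm
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(text: str) -> str:
    """Undo common defanging: nextroundst[.]com -> nextroundst.com, hxxp -> http."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def classify(raw: str) -> Indicator:
    """Classify one raw indicator string; hashes are typed by their hex length."""
    low = refang(raw.strip()).lower()
    if HEX.match(low) and len(low) in HASH_KIND:
        return Indicator(HASH_KIND[len(low)], low)
    if "://" in low:
        return Indicator("url", low)
    host, _, port = low.partition(":")
    if IPV4.match(host):
        return Indicator("ip", host, int(port) if port else None)
    return Indicator("domain", low)


def index_iocs(raw_list: List[str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Build lookup sets (hosts, ips, hashes); URL indicators contribute their hostname."""
    hosts: Set[str] = set()
    ips: Set[str] = set()
    hashes: Set[str] = set()
    for ind in (classify(r) for r in raw_list):
        if ind.kind == "domain":
            hosts.add(ind.value)
        elif ind.kind == "ip":
            ips.add(ind.value)
        elif ind.kind == "url":
            hosts.add(urlsplit(ind.value).hostname or "")
        else:
            hashes.add(ind.value)
    return hosts, ips, hashes


# Token extractors applied to lower-cased log lines.
HOST_TOKEN = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}")
IP_TOKEN = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
HASH_TOKEN = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b")

# Constructed sample log lines (proxy, DNS, firewall, benign traffic, EDR file event).
SAMPLE_LOGS: List[str] = [
    "2024-03-12T09:14:02Z proxy user=jdoe method=GET url=http://nextroundst.com/qzaugqmb status=200",
    "2024-03-12T09:14:05Z dns query=A name=backupitfirst.com client=10.0.0.23",
    "2024-03-12T09:14:09Z fw action=allow src=10.0.0.23 dst=45.140.146.2:443 proto=tcp",
    "2024-03-12T09:15:00Z proxy user=jdoe method=GET url=https://www.example.com/ status=200",
    r"2024-03-12T09:16:30Z edr file_hash=sha256:9c9e93fae0cb9bd2075b01f48b6720749747502b73e5f97d5ec00c1ea6c82c4a path=C:\Users\Public\sqlite3.dll",
]


def scan_lines(lines: List[str], raw_iocs: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, kind, matched value) for every IoC hit; ports are not required to match."""
    hosts, ips, hashes = index_iocs(raw_iocs)
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        hits += [(n, "domain", h) for h in HOST_TOKEN.findall(low) if h in hosts]
        hits += [(n, "ip", ip) for ip in IP_TOKEN.findall(low) if ip in ips]
        hits += [(n, "hash", hs) for hs in HASH_TOKEN.findall(low) if hs in hashes]
    return hits


if __name__ == "__main__":
    for n, kind, value in scan_lines(SAMPLE_LOGS, RAW_IOCS):
        print(f"line {n}: {kind} {value}")
```

IP matches ignore the port on purpose, since the same host may be contacted on other ports; keep the port from `classify` if a stricter rule is wanted.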
Read more: https://www.trellix.com/blogs/research/darkgate-again-but-improved/