Cisco Talos reports a spike in malspam campaigns delivering DarkGate via suspicious Excel attachments, using Remote Template Injection to trigger downloads and in-memory execution of the payload. The campaigns have evolved to replace AutoIT with AutoHotKey, enabling in-memory execution without disk writes, and continue to adapt to evade detection. #DarkGate #RemoteTemplateInjection
Keypoints
- The campaigns, active since the second week of March, use Excel attachments to deliver DarkGate malware.
- Attackers employ Remote Template Injection to bypass email security and entice users to download and run malicious content.
- DarkGate has historically used AutoIT scripting, but recent activity switches to AutoHotKey (AHK) scripts.
- The final payload is designed to execute in-memory, running from within the AutoHotKey.exe process, with no disk writes.
- Infection chains involve VBS and PowerShell steps retrieved from attacker-controlled servers, often with external SMB references.
- Persistence is achieved via startup shortcuts, and campaigns have targeted sectors including healthcare tech and telecommunications, primarily in the U.S.
MITRE Techniques
- [T1566.001] Spearphishing Attachment - The Excel documents lure recipients to open and execute remote payloads. - "Our telemetry indicates malspam emails were the primary source of delivery for this campaign."
- [T1221] Template Injection - Remote Template Injection exploits external Excel templates to trigger downloads/execution of malicious content. - "Remote Template Injection is an attack technique that exploits a legitimate Excel functionality wherein templates can be imported from external sources to expand a document's functions and features."
- [T1059] Command and Scripting Interpreter - AutoHotKey scripts are used to run the payload, replacing prior AutoIT usage. - "On March 12, 2024, the DarkGate campaign transitioned from deploying AutoIT scripts to employing AutoHotKey scripts."
- [T1140] Deobfuscate/Decode Files or Information - A base64 blob in test.txt is decoded to binary data used to load the DarkGate payload in memory. - "Within this file, there is a base64-encoded blob that, when decoded, transforms into binary data. This binary data is then processed to execute the DarkGate malware payload directly within memory on infected systems."
- [T1071] Command and Control - PowerShell and VBS steps fetch and execute next-stage components from the DarkGate C2 server. - "This PowerShell script retrieves the next stage's components and executes them." and "The VBS file is appended with a command that executes a PowerShell script from the DarkGate command and control (C2) server."
- [T1547.001] Boot or Logon Autostart Execution - Persistence via a Startup folder shortcut is established to survive reboots. - "Persistence across reboots is established through the creation of a shortcut file within the Startup directory on the infected system."
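The T1221 entry above describes Remote Template Injection as abuse of a legitimate OOXML feature: the document carries a relationship whose target is an external template, and Excel fetches it at open time. The key point about external SMB references in the infection chain is the same mechanism with a UNC target instead of an HTTP one. A defender can check for this statically, because OOXML files are ZIP containers and every relationship lives in a `_rels/*.rels` part. The scanner below is an added example, not code from Talos or from the page; it walks every `.rels` part, flags relationships with `TargetMode="External"` whose target is an http(s) URL, UNC path or file: URI, and treats an external `attachedTemplate` relationship as a remote-template hit. The sample workbooks it scans are constructed in-memory fixtures with placeholder hosts, not files from the campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace; every _rels/*.rels part uses it.
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship type used when a document points at an external template.
TEMPLATE_TYPE_SUFFIX = "/attachedTemplate"
# Target prefixes that mean "fetch this from somewhere else" (HTTP, UNC/SMB, file URI).
REMOTE_PREFIXES = ("http://", "https://", "\\\\", "file:")


def find_external_relationships(data: bytes):
    """Return (part_name, rel_type, target) for each external relationship
    in an OOXML container whose target is a remote location."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: nothing parseable to inspect here
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if target.lower().startswith(REMOTE_PREFIXES):
                    findings.append((name, rel.get("Type", ""), target))
    return findings


def is_remote_template_injection(data: bytes) -> bool:
    """True when any external relationship is an attached-template reference."""
    return any(rel_type.endswith(TEMPLATE_TYPE_SUFFIX)
               for _, rel_type, _ in find_external_relationships(data))


def build_sample_xlsx(rels_xml: str) -> bytes:
    """Constructed fixture: a minimal OOXML container carrying the given
    workbook relationships part. Not a real campaign document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/_rels/workbook.xml.rels", rels_xml)
    return buf.getvalue()


RELS_OPEN = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
OD_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Constructed: a benign workbook whose only relationship is an internal sheet.
CLEAN_RELS = (RELS_OPEN +
              f'<Relationship Id="rId1" Type="{OD_REL}/worksheet" Target="worksheets/sheet1.xml"/>'
              '</Relationships>')

# Constructed: one external template over HTTP and one OLE reference over UNC/SMB.
# Hosts are placeholders, not indicators from the report.
REMOTE_TEMPLATE_RELS = (RELS_OPEN +
                        f'<Relationship Id="rId1" Type="{OD_REL}/attachedTemplate" '
                        'Target="http://template-host.example/remote.xltm" TargetMode="External"/>'
                        f'<Relationship Id="rId2" Type="{OD_REL}/oleObject" '
                        'Target="\\\\share-host.example\\tmpl\\obj.bin" TargetMode="External"/>'
                        '</Relationships>')


if __name__ == "__main__":
    for label, rels in (("clean", CLEAN_RELS), ("remote-template", REMOTE_TEMPLATE_RELS)):
        sample = build_sample_xlsx(rels)
        print(label, find_external_relationships(sample), is_remote_template_injection(sample))
```

To use it on real mail attachments, pass the raw bytes of each `.xlsx`/`.xlsm`/`.docx` to `find_external_relationships` and alert on any `attachedTemplate` or `oleObject` hit; hyperlinks also appear as external relationships, so triage by relationship type rather than treating every external target as malicious.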
Indicators of Compromise
- [Domain] - badbutperfect[.]com, withupdate[.]com, irreceiver[.]com, backupitfirst[.]com, goingupdate[.]com, buassinnndm[.]net - examples shown in the configuration parameters and embedded content; used to host remote payloads.
- [Filename] - march-D%-2024.xlsx, march-D5676-2024.xlsx, ACH-%March.xlsx, ACH-5101-15March.xlsx - representative Excel attachments observed in campaigns.
- [Startup Shortcut] - DfAchhd.lnk - Startup folder persistence mechanism observed in the startup execution table.
- [File] - hafbccc.ahk, AutoHotKey.exe, test.txt - components used in the final stage and in-memory execution.
- [Test Data] - test.txt containing a base64 blob used to load and execute DarkGate in memory.
Read more: https://blog.talosintelligence.com/darkgate-remote-template-injection/