DarkGate is delivered through a multi-stage, AutoIt-based loader chain: a malicious PDF pulls down CAB and MSI components, which in turn drop obfuscated AutoIt scripts that decrypt and load the final payload. The write-up covers the loader flow, four execution phases, notable TTPs, an Atomic Test, detections, and IOCs to aid defenders. #DarkGate #AutoIt #PSEXEC #CryptoMiner #DLLSideLoading
Keypoints
- The PDF acts as a carrier that triggers a sequence where a malicious CAB file is downloaded, which then fetches an MSI containing the DarkGate payload.
- Obfuscated AutoIt scripting and multi-stage payloads conceal the decryption and loading process, complicating signature-based detection.
- The MSI extracts a CAB containing windbg.exe and dbgeng.dll; windbg.exe serves as the side-loading host for dbgeng.dll, which processes data.bin to reach the next stage.
- Decrypting data.bin yields an AutoIt interpreter (AutoIt3.exe) and a compiled script (script.au3), both dropped in C:\tmpa and launched from the command line.
- The final loader's shellcode decrypts the DarkGate binary (an embedded MZ/PE image) with an 8-byte key stored after the AU3!EA06 marker of the compiled script.
- Beyond infection, DarkGate shows lateral movement (PSEXEC), crypto-mining capability, proxy setup, and RDP registry modifications as additional tactics.
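The decoding and decryption steps above, worked as one pipeline. This is an added example, not code from the original write-up: the custom base64 alphabet is a constructed stand-in (the page does not give the real charset), the cipher is assumed to be repeating-key XOR (the page only says an 8-byte key follows AU3!EA06), and the sample script and payload bytes are constructed here so the script runs offline.

```python
import base64
import string

# Standard base64 alphabet and a constructed custom alphabet. The charset the
# DarkGate loader really uses is not given on the page; this one is an assumption
# chosen only to exercise the remapping logic.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
CUSTOM_ALPHABET = (string.ascii_lowercase[::-1] + string.ascii_uppercase[::-1]
                   + string.digits[::-1] + "-_")

AU3_MAGIC = b"AU3!EA06"   # compiled-AutoIt marker named on the page
KEY_LEN = 8               # an 8-byte key follows the marker (per the page)


def custom_b64decode(text: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Decode base64 written in a non-standard alphabet by remapping every
    character onto the standard alphabet and then using the stock decoder."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    remapped = text.rstrip("=").translate(str.maketrans(alphabet, STD_ALPHABET))
    remapped += "=" * (-len(remapped) % 4)            # loaders often strip padding
    return base64.b64decode(remapped, validate=True)  # rejects stray characters


def custom_b64encode(raw: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Inverse of custom_b64decode; used here only to build the sample input."""
    std = base64.b64encode(raw).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def xor_with_key(buf: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed cipher; symmetric, so it also encrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def extract_key(script: bytes) -> bytes:
    """Return the 8 bytes that follow the AU3!EA06 marker in a compiled script."""
    idx = script.find(AU3_MAGIC)
    if idx < 0:
        raise ValueError("AU3!EA06 marker not found")
    key = script[idx + len(AU3_MAGIC): idx + len(AU3_MAGIC) + KEY_LEN]
    if len(key) != KEY_LEN:
        raise ValueError("script truncated before the end of the key")
    return key


def recover_payload(script: bytes, encrypted: bytes) -> bytes:
    """Decrypt the payload with the extracted key and confirm it is a PE image."""
    pe = xor_with_key(encrypted, extract_key(script))
    if pe[:2] != b"MZ":
        raise ValueError("decrypted data does not start with an MZ header")
    return pe


# ---- constructed sample data (not artefacts from the report) ----
SAMPLE_KEY = bytes.fromhex("1337c0debaadf00d")
SAMPLE_PE = (b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")
             + b"PE\x00\x00" + b"\xcc" * 16)          # minimal MZ/PE-looking image
SAMPLE_SCRIPT = b"\x00" * 16 + AU3_MAGIC + SAMPLE_KEY + b"\x00" * 8
SAMPLE_ENCRYPTED = xor_with_key(SAMPLE_PE, SAMPLE_KEY)
ENCODED_SCRIPT = custom_b64encode(SAMPLE_SCRIPT)     # stands in for the base64 stage


def run_chain(encoded_script: str = ENCODED_SCRIPT,
              encrypted: bytes = SAMPLE_ENCRYPTED) -> bytes:
    """Base64 stage -> key extraction -> payload decryption, end to end."""
    script = custom_b64decode(encoded_script)
    return recover_payload(script, encrypted)


if __name__ == "__main__":
    out = run_chain()
    print(f"key={SAMPLE_KEY.hex()} payload_len={len(out)} magic={out[:2]!r}")
```

On a real sample, replace ENCODED_SCRIPT with the base64 stage carved from the loader and SAMPLE_ENCRYPTED with the blob that follows the key; the MZ check at the end is what tells you the alphabet and key offset were right.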
MITRE Techniques
- [T1059] Command and Scripting Interpreter – AutoIt-based loading and execution of script.au3; “The first decoded file resulting from the base64 process is a valid Autoit3.exe, employed to execute the second file: a compiled AutoIt script named script.au3.”
- [T1027] Obfuscated Files or Information – Obfuscated AutoIt scripting and base64-encoded data with a custom charset used to conceal the payloads; “leverages obfuscated AutoIt scripting, complicating its identification through traditional signature-based methods.”
- [T1105] Ingress Tool Transfer – Multi-stage download chain starting with a malicious PDF, leading to CAB and MSI downloads; “The PDF file acts as a carrier, triggering a sequence where a malicious CAB file is downloaded. This CAB file, in turn, fetches a .MSI file.”
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – DLL side-loading via windbg.exe to load dbgeng.dll and process data.bin; “Exploiting DLL Side-Loading Through Windbg.exe.”
- [T1021.002] Lateral Movement: SMB/Windows Admin Shares – PSEXEC usage for privilege escalation and potential lateral movement; “DarkGate leverages PSEXEC for its privilege escalation capabilities and potentially for lateral movement within compromised networks.”
- [T1496] Resource Hijacking – CryptoMiner deployment to monetize compromised hosts; “DarkGate possesses the capability to download and install a malicious CryptoMiner malware on the compromised host.”
- [T1090] Proxy – Proxy setup to anonymize communications and obscure the attack source; “This malware will also try to enable proxy and set up a proxy server in the compromised host to anonymize its communications.”
- [T1021.001] Remote Services: Remote Desktop Protocol – Registry and configuration changes to support remote access via RDP; “manipulates multiple registry settings related to Remote Desktop Protocol (RDP) configurations on the compromised host.”
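Detection logic for the techniques listed above, run over a handful of constructed Sysmon-style process-creation and image-load records. This is an added example, not the detections from the original write-up: field names follow Sysmon (EventID 1 and 7), the C:\tmpa path is the one the page reports, the user and Temp paths are invented, and the Terminal Server registry key is assumed here as the RDP-related key (the page does not list which values DarkGate changes).

```python
import ntpath
import re

# Constructed Sysmon-style records (EventID 1 = process create, 7 = image load).
# Field names follow Sysmon; values are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\tmpa\AutoIt3.exe",
     "CommandLine": r"C:\tmpa\AutoIt3.exe C:\tmpa\script.au3",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Temp\dbg\windbg.exe",
     "CommandLine": r"windbg.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\dbg\windbg.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\dbg\dbgeng.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
                    r'/v fDenyTSConnections /t REG_DWORD /d 0 /f',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign control: a developer's debugger session from the Windows SDK install path.
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe",
     "CommandLine": r"windbg.exe -z crash.dmp", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbgeng.dll",
     "Signed": "true"},
]

# Directories where windbg.exe / dbgeng.dll / interpreters are expected to live (assumed).
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


def in_trusted_dir(path: str) -> bool:
    d = ntpath.dirname(path).lower()
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_autoit_script(ev):
    # T1059: AutoIt interpreter running a script from an untrusted, writable path.
    if (ev["EventID"] == 1 and base(ev["Image"]) == "autoit3.exe"
            and re.search(r"\.(au3|a3x)\b", ev["CommandLine"], re.I)
            and not in_trusted_dir(ev["Image"])):
        return ("T1059", ev["CommandLine"])
    return None


def rule_windbg_sideload(ev):
    # T1574.002: windbg.exe outside its install dir, or dbgeng.dll loaded from one.
    if ev["EventID"] == 1 and base(ev["Image"]) == "windbg.exe" and not in_trusted_dir(ev["Image"]):
        return ("T1574.002", ev["Image"])
    if (ev["EventID"] == 7 and base(ev["ImageLoaded"]) == "dbgeng.dll"
            and (not in_trusted_dir(ev["ImageLoaded"]) or ev.get("Signed") == "false")):
        return ("T1574.002", ev["ImageLoaded"])
    return None


def rule_psexec(ev):
    # T1021.002: PsExec client or the PSEXESVC service binary it installs.
    if ev["EventID"] == 1 and base(ev["Image"]) in {"psexec.exe", "psexec64.exe", "psexesvc.exe"}:
        return ("T1021.002", ev["Image"])
    return None


def rule_rdp_registry(ev):
    # T1021.001: reg.exe touching the Terminal Server key (assumed RDP-related key).
    if (ev["EventID"] == 1 and base(ev["Image"]) == "reg.exe"
            and "terminal server" in ev["CommandLine"].lower()):
        return ("T1021.001", ev["CommandLine"])
    return None


RULES = (rule_autoit_script, rule_windbg_sideload, rule_psexec, rule_rdp_registry)


def detect(events):
    """Return (technique, evidence) tuples for every record that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for technique, evidence in detect(SAMPLE_EVENTS):
        print(f"{technique}\t{evidence}")
```

The path-based checks are what keep the benign SDK debugger session quiet: the same windbg.exe and dbgeng.dll names appear in both the malicious and the benign records, and only the load directory and signature state separate them.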
Indicators of Compromise
- [SHA256] DarkGate loader and phishing attachments – 7257b4ccec0ceb27b6fb141ce12c8dfb8a401d3edfaeca12699561eccda5a23e, 7a92489050089498d6ec05fb7bdfad37da13bb965023d126c41789c5756e4e02, and 1 more hash