From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence

Unit 42’s timely threat intelligence roundup for Oct–Dec 2023 surveys malware campaigns, infection chains, and IoCs shared via social channels. It highlights recurring families—DarkGate, Pikabot, IcedID, AsyncRAT, and JinxLoader—and TA577 activity, with practical Wireshark insights and GitHub IoCs. #DarkGate #TA577

Keypoints

  • The article summarizes Unit 42’s timely threat intelligence posts from October to December 2023, noting broad social engagement (1.6 million impressions across 93 posts in 2023).
  • Recurring malware families and groups are highlighted, including DarkGate, Pikabot, IcedID, AsyncRAT, JinxLoader, and TA577.
  • TA577 activity repeatedly pushes Pikabot and related tooling (e.g., Cobalt Strike) across multiple campaigns.
  • Common infection chains rely on phishing-style delivery (email or Microsoft Teams invites), password-protected archives, and loaders launched through Windows shortcuts and PowerShell.
  • Notable exploitation observed includes a WS_FTP vulnerability and Citrix NetScaler CVE-2023-3519, along with the associated PowerShell and Certutil techniques.
  • The roundup emphasizes sharing IoCs publicly (GitHub) and via social channels (X/LinkedIn) to accelerate defense; contact Unit 42 IR if compromised.

MITRE Techniques

  • [T1566.003] Phishing via Service – Initial access through a Microsoft Teams invite from an attacker impersonating the target organization’s CEO, carrying a password-protected .zip archive. ‘The attacker posed as the target organization’s CEO and sent victims a Teams invite. The message sent contains a password-protected .zip archive.’
  • [T1059.001] PowerShell – PowerShell commands from shortcut used during the DarkGate infection chain. ‘PowerShell commands from shortcut’
  • [T1105] Ingress Tool Transfer – Payload retrieved over HTTP as an encoded binary. ‘HTTP traffic for encoded binary’
  • [T1027] Obfuscated/Compressed Files and Information – XOR-encoded executable used in the infection chain. ‘XOR-encoded EXE’
  • [T1071.001] Web Protocols – C2 communications over HTTPS during Pikabot/Cobalt Strike activity. ‘HTTPS C2 traffic’
  • [T1190] Exploit Public-Facing Application – WS_FTP exploitation delivering a Meterpreter payload. ‘WS_FTP Exploitation – RCE under the w3wp.exe process > Obfuscated PowerShell Loads shellcode > Certutil Command > Meterpreter Payload’
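
The DarkGate chain above retrieves an encoded binary over HTTP and unpacks an XOR-encoded EXE. The following is an added analyst example, not code from the Unit 42 roundup, for recovering the key from a captured response body during triage. It assumes a single-byte XOR key and a PE payload (the page states neither), so a correct key yields an MZ header whose e_lfanew field points at a PE signature; the sample blob is constructed here.

```python
# Added example (not from the Unit 42 roundup): recover a single-byte XOR key
# from a captured HTTP response body carrying an XOR-encoded Windows EXE.
# Assumptions (not stated on the page): single-byte XOR, PE payload, so a good
# key gives "MZ" at offset 0 and "PE\0\0" at the e_lfanew offset stored at 0x3C.

import struct

def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def recover_xor_key(blob: bytes):
    """Try all 256 single-byte keys; return (key, decoded) for the first key
    that produces a structurally valid PE header, or None if none does."""
    for key in range(256):
        candidate = xor_single_byte(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None

def build_sample_pe_stub() -> bytes:
    """Constructed minimal PE-like header, used only as sample input."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)   # DOS header up to e_lfanew
    header += struct.pack("<I", 0x80)             # e_lfanew -> PE sig at 0x80
    stub = b"This program cannot be run in DOS mode.\r\r\n$"
    header += stub.ljust(0x80 - 0x40, b"\x00")    # pad DOS stub out to 0x80
    header += b"PE\0\0" + b"\x4c\x01"             # PE signature + Machine=i386
    return bytes(header)

# Constructed sample: the stub XOR-encoded with 0x5A, standing in for an
# "encoded binary" carved out of the HTTP response in the infection chain.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_single_byte(build_sample_pe_stub(), SAMPLE_KEY)

if __name__ == "__main__":
    result = recover_xor_key(SAMPLE_BLOB)
    if result is None:
        print("no single-byte XOR key produced a valid PE header")
    else:
        key, decoded = result
        print(f"recovered key 0x{key:02x}; decoded {len(decoded)} bytes")
```

If no key validates, the payload is likely multi-byte keyed or compressed as well as encoded, and the same e_lfanew/PE-signature check can be reused after a different decoding step.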

Indicators of Compromise

  • [IP Address] infection/C2 endpoints – 179.60.149.244:443, 45.155.249.171:443, and 2 more items
  • [Domain] campaign infrastructure – zzerxc[.]com, ponturded[.]com, and 2 more items
  • [File] delivery artifacts – password-protected .zip archive, PDF attachments spoofing DocuSign

Read more: https://unit42.paloaltonetworks.com/unit42-threat-intelligence-roundup/