Threat researchers from eSentire’s TRU describe how DarkGate loader is used to deploy DanaBot, highlighting drive-by download delivery, a rich feature set, and advanced evasion techniques. The post also covers observed IOCs, attacker infrastructure, and remediation guidance for preventing information-stealers in Finance and Manufacturing sectors. #DarkGate #DanaBot #Kaseya
Key points
- DarkGate infections observed since Aug 2023 targeting Finance and Manufacturing sectors.
- Initial access via drive-by downloads disguised as fake installers and fake reports.
- DarkGate loader includes hVNC, credential stealing, crypto mining, rootkit, reverse proxy, keylogger, and more.
- Persistence achieved via Startup folder; decoy PDFs and multiple payload delivery stages.
- PPID spoofing and process hollowing/injection used to evade defenses; UAC bypass also employed.
- DanaBot appears to be deployed by the DarkGate loader in observed campaigns.
- Configuration and C2 data are split and encoded/compressed; C2 domains include whatup.cloud and others.
MITRE Techniques
- [T1189] Drive-by Compromise – Drive-by downloads disguised as fake installers and fake reports leading to initial access. “drive-by downloads disguised as fake installers, such as an Advanced IP scanner, as well as fake document reports.”
- [T1059.005] Visual Basic – LNK, VBS, and MSI delivery leading to execution of the AutoIt script. “The loader delivers in a format of LNK, VBS, and MSI, which leads to the execution of the AutoIt script.”
- [T1547.001] Boot or Logon Autostart Execution – Persistence via Startup folder to run the malicious AutoIt script. “initial infection … via the Startup folder to run the malicious AutoIt script dropped under the ProgramData folder”
- [T1055] Process Injection – DarkGate performs process hollowing for core and payloads into multiple processes (GoogleUpdate.exe, TabTip32.exe, BraveUpdate.exe, MicrosoftEdgeUpdate.exe, ielowutil.exe). If hollowing fails, it injects into cmd.exe and can spawn notepad.exe. “DarkGate performs process hollowing for the core and additional payloads into one of the processes”
- [T1055.012] PPID Spoofing – Deception by spoofing the Parent Process ID to appear legitimate. “PPID spoofing involves manipulating the parent process ID attribute of a newly created process. This is done to deceive security solutions”
- [T1021.005] VNC – hVNC capability enabling remote control and remote service-like actions. “hVNC capability”
- [T1027] Obfuscated/Compressed Files and Information – Use of custom base64 encoding and ZLIB compression to split config and C2 data. “custom base64-encoding … ZLIB-compressed”
- [T1036] Masquerading – Decoy documents used (IrsForm1340.pdf) to mislead the user. “the loader opens the decoy PDF file”
- [T1490] Inhibit System Recovery – Ability to delete shadow copies and manipulate browser data, potentially impacting protection and recovery. “delete shadow copies (provided the user has administrative rights)”
- [T1071.001] Web Protocols – C2 communications over web protocols with domains like whatup.cloud and dreamteamup.shop. “DarkGate C2” and associated domains/hosts
- [T1003] OS Credential Dumping – Information stealing and credential theft capabilities embedded in DarkGate. “credential stealing”
- [T1496] Resource Hijacking – Crypto mining as part of DarkGate capabilities. “crypto mining”
- [T1056.001] Keylogging – Keylogger functionality mentioned among DarkGate features. “keylogger”
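As an added illustration (not code from the eSentire post or from DarkGate itself), the rules below triage constructed endpoint events for three behaviours listed above: a .au3 script run from ProgramData, one of the named hollowing targets (or the cmd.exe fallback) spawned by that stage, and a drop into the Startup folder. The event layout, the folder names and the AutoIt3.exe interpreter path are assumptions for the demo.

```python
import re

# Processes the summary names as hollowing targets (T1055), plus the
# cmd.exe fallback it describes when hollowing fails.
INJECTION_TARGETS = {"googleupdate.exe", "tabtip32.exe", "braveupdate.exe",
                     "microsoftedgeupdate.exe", "ielowutil.exe", "cmd.exe"}
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# An AutoIt script (.au3) under ProgramData, the staging location in the summary
PROGRAMDATA_AU3 = re.compile(r"[a-z]:\\programdata\\[^\s\"]*\.au3\b", re.I)

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def triage_event(ev):
    """Return the rule names one event matches (empty list = no finding)."""
    hits = []
    if ev["type"] == "file" and STARTUP_DIR.search(ev["path"]):
        hits.append("startup_folder_drop")        # T1547.001 persistence
    if ev["type"] != "process":
        return hits
    if PROGRAMDATA_AU3.search(ev["cmdline"]):
        hits.append("au3_from_programdata")       # the loader stage itself
    # Parent-based rule: PPID spoofing defeats it, so it is kept separate
    # from the command-line rule above rather than required alongside it.
    if (_basename(ev["image"]) in INJECTION_TARGETS
            and PROGRAMDATA_AU3.search(ev["parent_cmdline"])):
        hits.append("injection_target_child_of_au3")
    return hits

def triage_log(events):
    """Run every event through the rules; returns (event index, rule) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in triage_event(ev)]

AU3_STAGE = r'"C:\ProgramData\xkqz\AutoIt3.exe" C:\ProgramData\xkqz\kdvyeg.au3'
UPDATER = r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"
SAMPLE_EVENTS = [  # constructed telemetry for the demo, not observed data
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                             r"\Start Menu\Programs\Startup\report.lnk"},
    {"type": "process", "image": r"C:\ProgramData\xkqz\AutoIt3.exe",
     "cmdline": AU3_STAGE, "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": "explorer.exe"},
    {"type": "process", "image": UPDATER, "cmdline": f'"{UPDATER}" /svc',
     "parent_image": r"C:\ProgramData\xkqz\AutoIt3.exe",
     "parent_cmdline": AU3_STAGE},                       # hollowing candidate
    {"type": "process", "image": UPDATER, "cmdline": f'"{UPDATER}" /svc',
     "parent_image": r"C:\Windows\System32\services.exe",
     "parent_cmdline": r"C:\Windows\System32\services.exe"},   # benign
]

if __name__ == "__main__":
    for idx, rule in triage_log(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The benign GoogleUpdate.exe launch from services.exe produces no finding, while the same binary spawned by the AutoIt stage does.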
Indicators of Compromise
- [Domain] Website hosting DarkGate payload – assetfinder.org
- [Domain] DarkGate C2 domains – whatup.cloud, dreamteamup.shop
- [File hash] kdvyeg.au3 – 296c88dda6b9864da68f0918a6a7280d
- [File hash] Decrypted DarkGate payload – 786486d57e52d2c59f99f841989bfc9d
- [File hash] DanaBot embedded hash – 32283E415C433DE356C9557DF0309441
- [IP:port] DanaBot C2 addresses – 34.106.84.60:443, 35.241.250.23:443, 35.198.55.140:443, 34.79.119.253:443
- [File hash] IrsForm1340.pdf (decoy file) – d8b39e8d78386294e139286f27568dd6
Read more: https://www.esentire.com/blog/from-darkgate-to-danabot