[Guest Diary] Dissecting DarkGate: Modular Malware Delivery and Persistence as a Service.

DarkGate is a modular, MaaS-style loader that begins with a phishing PDF leading to a signed MSI, employing layered obfuscation and certificate abuse to bypass detection. It deploys a tampered DLL/CAB chain, decrypts and executes an AutoIt-based final stage that contacts a C2 domain for remote access. #DarkGate #MaaS #AutoIt #iTunesHelper #CoreFoundation #SQLite3 #prodomainnameeforappru.com #46.21.157.142

Key points

  • The initial infection chain starts with a phishing PDF promising to fix a fake load error, leading to an MSI download.
  • The MSI is signed with a valid certificate to bypass reputation checks, reducing static-detection signals.
  • Cabinet and DLL components embedded in the MSI are used to sideload a tampered CoreFoundation.dll through a legitimate iTunesHelper.exe path.
  • The CoreFoundation.dll references a buried sqlite3.dll which is XOR-encrypted and subsequently decrypted to reveal an AutoIt-based final stage.
  • The AutoIt script builds and executes shellcode in memory, checks for Sophos products, and uses VirtualProtect/EnumWindows for in-memory execution.
  • The final stage beacon resolves to a C2 host at prodomainnameeforappru[.]com (46.21.157.142) and maps to a new VBC.exe process for execution.
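As an added illustration of the step above, not code from the diary, the following triage helper recovers a single-byte XOR key for a blob like the encrypted sqlite3.dll by checking that the decrypted bytes form a PE image, then looks for the compiled-AutoIt resource signature. The key length, the sample blob and the `build_sample` helper are assumptions for the demonstration; the diary does not state the real key.

```python
"""Triage helper: unwrap an XOR-encrypted payload hidden in a DLL-shaped file.

Assumptions (not from the diary): a single-byte repeating XOR key, and a
decrypted layer that is a PE image carrying the compiled-AutoIt marker.
The sample data is constructed here and is not the real sqlite3.dll.
"""
from typing import Optional, Tuple

PE_MAGIC = b"MZ"
AU3_MARKER = b"AU3!EA06"  # signature embedded in compiled AutoIt scripts


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Accept only if the MZ header and the PE signature at e_lfanew line up."""
    if len(data) < 0x40 or data[:2] != PE_MAGIC:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_xor_key(blob: bytes) -> Optional[int]:
    """Brute-force all 256 single-byte keys; return the first that yields a PE."""
    for key in range(256):
        if looks_like_pe(xor_single(blob, key)):
            return key
    return None


def extract_autoit_stage(blob: bytes) -> Tuple[Optional[int], bool]:
    """Return (key, has_autoit_marker); key is None when no PE image appears."""
    key = find_xor_key(blob)
    if key is None:
        return None, False
    return key, AU3_MARKER in xor_single(blob, key)


def build_sample(key: int) -> bytes:
    """Constructed stand-in for the encrypted DLL: minimal PE shell + AU3 marker."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3A)
    dos += (0x80).to_bytes(4, "little")      # e_lfanew points at offset 0x80
    dos += b"\x00" * (0x80 - len(dos))
    image = bytes(dos) + b"PE\x00\x00" + b"\x00" * 32 + AU3_MARKER + b"fake script"
    return xor_single(image, key)


if __name__ == "__main__":
    print(extract_autoit_stage(build_sample(0x5A)))  # (90, True)
```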

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The initial PDF lures the user; its ‘Open’ button points to a wrapped doubleclick[.]net AD URL, which when followed arrives at hxxp[://]95[.]164[.]63[.]54/documents/build-x64[.]zip/build-x64[.]msi. Quoted from the diary: “The ‘Open’ button points to a wrapped doubleclick[.]net AD URL … which when followed arrives at hxxp[://]95[.]164[.]63[.]54/documents/build-x64[.]zip/build-x64[.]msi”
  • [T1204.002] User Execution: Malicious File – The MSI is downloaded and then run by the user, initiating the infection chain. Quoted from the diary: “assuming the unsuspecting user proceeds to run the MSI after download.”
  • [T1116] Code Signing – The MSI carries a valid digital signature from a certificate issued to a named company, bypassing trust checks. Quoted from the diary: “it has a valid digital signature from a genuine certificate issued to ‘Inoellact EloubantTech Optimization Information Co., Ltd.’ from GlobalSign”
  • [T1574.001] DLL Search Order Hijacking – Windows searches for and loads DLLs by name; iTunesHelper.exe loads the attacker’s CoreFoundation.dll because of that search order. Quoted from the diary: “Windows searches for and loads DLLs … the iTunesHelper application will load any DLL named ‘CoreFoundation’.”
  • [T1027] Obfuscated/Compressed Files and Information – The sqlite3.dll is XOR-encrypted and obfuscated, requiring decryption to reveal executable content. Quoted from the diary: “the AutoIt compiled script obfuscated using character substitution …”
  • [T1059.007] AutoIt – The final stage uses an AutoIt compiled script to drop and execute components and build shellcode. Quoted from the diary: “AutoIt compiled script”
  • [T1497] Virtualization/Sandbox Evasion – The code checks for security software (e.g., Sophos) and changes behavior to evade analysis. Quoted from the diary: “checks if any Sophos products are installed, and will switch execution flows if this check fails.”
  • [T1071.001] Web Protocols – The final stage beacons to a C2 domain, facilitating remote access. Quoted from the diary: “the domain prodomainnameeforappru[.]com (46.21.157.142)”

Indicators of Compromise

  • [SHA-256] 693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a, 599ab65935afd40c3bc7f1734cbb8f3c8c7b4b16333b994472f34585ebebe882, and 2 more hashes
  • [C2 Domain/IP] prodomainnameeforappru[.]com, 46.21.157.142:443

Read more: https://isc.sans.edu/diary/rss/30700