Open the DARKGATE – Brute Forcing DARKGATE Encodings

DARKGATE is a Windows-based backdoor that steals browser information, drops additional payloads, and captures keystrokes. Recent versions encode their on-disk configuration and keylogger output with a base64 alphabet that is shuffled using a seed derived from the victim's hardware ID. A weakness in that seed-based shuffle leaves only a small number of candidate alphabets, so the correct one can be brute forced and the encoded files decoded forensically without ever learning the hardware ID; the write-up includes a sample folder structure and a Python script. #DARKGATE #Windows

Keypoints

  • DARKGATE now randomizes the base64 alphabet used for encoding on-disk data based on victim hardware attributes.
  • A weakness in the seed randomness reduces the alphabet search space to about 1,248 possibilities, making brute-forcing practical.
  • Encoded files include the on-disk configuration and keylogger outputs, which can reveal domains, timestamps, and keystroke data.
  • The malware drops a randomly named folder under C:\ProgramData containing the encoded configuration, a loader script, and keylogger outputs.
  • Researchers provide Python tooling to brute-force alphabets and decode files, enabling forensic analysis without hardware ID discovery.
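The brute-force approach the keypoints describe, as an added example that is not Kroll's script and does not reproduce DarkGate's real shuffle: `make_alphabet` is a stand-in seed-driven Fisher-Yates shuffle (an assumption, used only so the example runs offline), `SEARCH_SPACE` is the roughly 1,248-candidate figure from the write-up, and `SAMPLE_CONFIG`, `TRUE_SEED` and the config layout are constructed. What the example shows is the part that carries over unchanged: decoding under a custom alphabet by translating back to the standard one, a plausibility oracle for picking the right decoding, and the fact that several seeds can be "correct" for one file.

```python
import base64
import binascii
import random
import string
from typing import Dict, List, Optional

# Standard base64 alphabet; DarkGate writes a shuffled permutation of this to disk.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Number of candidate alphabets the write-up reports for the real shuffle.
SEARCH_SPACE = 1248


def make_alphabet(seed: int) -> str:
    """ASSUMPTION: a Fisher-Yates shuffle keyed on a small integer seed. This stands
    in for DarkGate's HWID-derived shuffle, which is not reproduced here."""
    chars = list(STD_ALPHABET)
    random.Random(seed).shuffle(chars)
    return "".join(chars)


def custom_b64encode(raw: bytes, alphabet: str) -> str:
    """Encode with a custom alphabet by translating standard base64 output."""
    table = str.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode("ascii").rstrip("=").translate(table)


def custom_b64decode(data: str, alphabet: str) -> bytes:
    """Map the custom alphabet back onto the standard one, restore padding, decode."""
    table = str.maketrans(alphabet, STD_ALPHABET)
    translated = data.rstrip("=").translate(table)
    translated += "=" * (-len(translated) % 4)
    return base64.b64decode(translated, validate=True)


def looks_plausible(blob: bytes, marker: Optional[bytes] = None) -> bool:
    """Cheap oracle for 'this is the real plaintext': printable ASCII only, plus an
    optional substring we expect in a config or keylog (a field name, a version)."""
    if not blob:
        return False
    try:
        text = blob.decode("ascii")
    except UnicodeDecodeError:
        return False
    if any(c not in string.printable for c in text):
        return False
    return marker is None or marker in blob


def brute_force(encoded: str, seeds=range(SEARCH_SPACE),
                marker: Optional[bytes] = None) -> Dict[bytes, List[int]]:
    """Try every candidate alphabet; return {plaintext: [seeds producing it]}.
    Keyed by plaintext because alphabets that differ only in symbols absent from
    the ciphertext decode identically, so the seed itself is not unique."""
    hits: Dict[bytes, List[int]] = {}
    for seed in seeds:
        try:
            plain = custom_b64decode(encoded, make_alphabet(seed))
        except (binascii.Error, ValueError):
            continue  # length not representable as base64 under this alphabet
        if looks_plausible(plain, marker):
            hits.setdefault(plain, []).append(seed)
    return hits


def recover_plaintext(encoded: str, marker: Optional[bytes] = None) -> Optional[bytes]:
    """Return the single plausible decoding, or None when nothing decodes or the
    oracle is too weak to pick one (more than one distinct plaintext survives)."""
    hits = brute_force(encoded, marker=marker)
    return next(iter(hits)) if len(hits) == 1 else None


# Constructed sample: the real config layout is not reproduced; the values are the
# port, version and log filename the write-up lists as indicators.
SAMPLE_CONFIG = b"port=2351|version=5.2.3|keylog=08-12-2023.log"
TRUE_SEED = 777  # stands in for the unknown HWID-derived seed
ENCODED_SAMPLE = custom_b64encode(SAMPLE_CONFIG, make_alphabet(TRUE_SEED))

if __name__ == "__main__":
    recovered = recover_plaintext(ENCODED_SAMPLE, marker=b"port=")
    print("encoded :", ENCODED_SAMPLE)
    print("decoded :", recovered)
    print("seeds   :", brute_force(ENCODED_SAMPLE, marker=b"port=")[recovered])
```

To apply this to a real sample, replace `make_alphabet` with the malware's actual seed-to-alphabet routine and feed the encoded file contents as `encoded`. The oracle deserves the most attention: with a few thousand candidates, "printable ASCII" alone is almost always enough, but a marker tied to the file's known layout (a field separator, a version string such as 5.2.3 in the config, a timestamp prefix in keylogs) keeps the search robust if the candidate space is larger than expected or the file is short.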

MITRE Techniques

  • [T1036] Masquerading – The malware runs its loader through a legitimate AutoIt interpreter dropped alongside it, as shown by ‘.\ProgramData\hgehakb\Autoit3.exe (Legitimate AutoIT executable)’.
  • [T1059] Command and Scripting Interpreter – The presence of a loader script and AutoIt usage indicate execution via a scripting interpreter, e.g., ‘abbhebe.au3’ (Loader script).
  • [T1056] Input Capture – The keylogger output files contain the keystrokes stolen by DARKGATE.
  • [T1132] Data Encoding – The on-disk configuration and keylogger outputs are encoded using a custom base64 alphabet.

Indicators of Compromise

  • [File] Autoit3.exe, abbhebe.au3, 08-12-2023.log, cffhbdd
  • [Directory] C:\ProgramData\hgehakb
  • [Domain] GkPdpxZB35LtSI9HV0WXS8PtSIcjGmcX34WBSedf
  • [Port] 2351
  • [Timestamp] 1701885746
  • [HWID] GBGChDDffdHDedHHAAhBdbahEHAcHBaC
  • [Version] 5.2.3

Read more: https://www.kroll.com/en/insights/publications/cyber/brute-forcing-darkgate-encodings