Recent DarkGate Activity & Trends

DarkGate activity spiked in late September and early October 2023, with a notable surge in domain registrations and C2 transactions observed on October 10. Analysis shows the technology sector was most targeted and many DarkGate domains follow a 50–60 day lifespan pattern, suggesting systematic domain rotation. #DarkGate #Qakbot

Key Points

  • DarkGate activity rose sharply in late September and peaked with a transaction spike on October 10, 2023.
  • ThreatLabz telemetry indicates the technology industry accounted for ~36.7% of observed DarkGate targets.
  • Many DarkGate command-and-control (C2) domains were registered and active for approximately 50–60 days, implying deliberate rotation.
  • Transactions were measured by counting infected host contacts to C2 servers via Zscaler cloud telemetry.
  • Zscaler Cloud Sandbox identified multiple DarkGate variants and downloaders (Win64/Win32, LNK, VBS, JS, AutoIt) and mapped MITRE ATT&CK techniques triggered during analysis.
  • Published IOCs include numerous file hashes, hundreds of C2 domains, and multiple IP addresses tied to the campaign.

MITRE Techniques

  • [T1566] Phishing – Used as the initial access vector.
  • [T1204] User Execution – Malicious attachments and files rely on user interaction to run.
  • [T1059] Command and Scripting Interpreter – Scripts and interpreters (JS, VBS, AutoIt) run code to download/execute payloads.
  • [T1569] System Services – Malware leverages system services for execution and persistence.
  • [T1547] Boot or Logon Autostart Execution – Persistence achieved via boot/logon mechanisms.
  • [T1027] Obfuscated Files or Information – Files and scripts are obfuscated to evade detection.
  • [T1070.004] File Deletion – Malware removes evidence by deleting files.
  • [T1202] Indirect Command Execution – Uses intermediate files or loaders to indirectly execute malicious commands.
  • [T1564.001] Hidden Files and Directories – Employs hidden files/directories to conceal components.
  • [T1140] Deobfuscate/Decode Files or Information – Samples are deobfuscated/decoded during analysis to reveal payloads.
  • [T1555.003] Credentials from Web Browsers – Harvests credentials stored in web browsers.
  • [T1016] System Network Configuration Discovery – Discovers network configuration as part of reconnaissance.
  • [T1083] File and Directory Discovery – Enumerates files and directories for valuable targets.
  • [T1057] Process Discovery – Enumerates running processes to inform next actions.
  • [T1082] System Information Discovery – Gathers system information for environment profiling.
  • [T1071] Application Layer Protocol – Uses application-layer protocols for C2 communications.

Indicators of Compromise

  • [File hashes] Malware and payload samples identified – examples: f242ce468771de8c7a23568a3b03a5e2 (DarkGate payload), a2fb0b0d34d71073cd037e872d40ea14 (malicious DLL), and 20+ more hashes.
  • [File names/types] Malicious delivery artifacts observed – examples: LNK file (7791017a97289669f5f598646ef6d517), VBS file (3df59010997ed2d70c5f7095498b3b3f), and other script/installer types (MSI, CAB, ZIP).
  • [Domains] Command-and-control domains associated with DarkGate – examples: luxury-event-rentals[.]com, drvidhya[.]in, and dozens more C2 domains.
  • [IP addresses] Infrastructure endpoints used for C2 and hosting – examples: 5.188.87.58, 45.144.28.244, and several other IPs observed.

ThreatLabz performed a technical distribution analysis by collecting hostnames, WHOIS/registration data, IP addresses, site content, and cloud telemetry to map DarkGate activity. Transaction counts were derived from Zscaler cloud logs by counting each infected host contact to known C2 servers; this revealed a pronounced transaction spike in late September and a major peak on October 10, 2023. The dataset showed a concentrated cluster of active domains with an age of roughly 50–60 days, indicating likely tactical domain creation and rotation to evade domain-based defenses.

Behavioral and static analysis in the Zscaler Cloud Sandbox identified multiple delivery chains and payload types—including downloaders and droppers (Win64.Downloader.DarkGate, Win32/Win64 trojans), LNK/VBS/JS artifacts, AutoIt scripts and loaders, MSI/CAB installers—and produced MITRE ATT&CK mappings for observed TTPs (phishing, user execution, scripting interpreters, persistence via boot/logon, discovery, credential theft, C2 over application-layer protocols, and several defense-evasion techniques such as obfuscation and file deletion). Analysts extracted many file hashes and compiled extensive C2 domain and IP lists to support detection and blocking.

Operationally, defenders should prioritize detection of phishing attachments and LNK/AutoIt/JS/VBS execution chains, monitor for the listed hashes, domains, and IPs, and implement controls to catch application-layer C2 traffic and obfuscated payloads. The 50–60 day domain lifespan pattern can inform threat hunting and automated domain-age-based blocking or monitoring approaches to disrupt this rotation strategy.
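The two hunting ideas above (counting each host contact to a domain as a "transaction", and flagging domains whose registration age falls in the 50–60 day rotation window) can be combined into a small triage script. This is an added example, not ThreatLabz code; the log lines, domain names and WHOIS creation dates are constructed stand-ins for a real proxy log and registration lookup.

```python
# Added example: domain-age-based hunting over proxy/DNS log lines.
# All domains, dates and log lines below are constructed for illustration.
from collections import Counter
from datetime import date, datetime

# Constructed WHOIS creation dates (stand-in for a real registration lookup).
WHOIS_CREATED = {
    "example-fresh-domain.test": date(2023, 8, 18),
    "example-old-domain.test": date(2015, 3, 2),
    "example-new-domain.test": date(2023, 10, 5),
}

# Constructed proxy log lines: "<ISO timestamp> <source host> <destination domain>"
LOG_LINES = """\
2023-10-10T09:01:12 host-a example-fresh-domain.test
2023-10-10T09:03:44 host-b example-fresh-domain.test
2023-10-10T10:12:01 host-c example-old-domain.test
2023-10-10T11:20:09 host-a example-new-domain.test
2023-10-11T08:00:00 host-d example-fresh-domain.test
2023-10-11T08:05:00 host-e example-unlisted-domain.test
""".splitlines()

def domain_age_days(domain, on_date, whois=WHOIS_CREATED):
    """Age of the domain in days on on_date, or None if no registration date is known."""
    created = whois.get(domain)
    return None if created is None else (on_date - created).days

def classify(age, rotation_window=(50, 60), young_threshold=90):
    """Label an age: 'unknown' (no WHOIS data), 'rotation-window' (the 50-60 day
    cluster described in the post), 'young' (under young_threshold), or 'established'."""
    if age is None:
        return "unknown"
    lo, hi = rotation_window
    if lo <= age <= hi:
        return "rotation-window"
    return "young" if age < young_threshold else "established"

def hunt(lines, whois=WHOIS_CREATED):
    """Return {domain: (label, age_days, contact_count)}; each log line is one host
    contact, mirroring how the post counts C2 transactions. Age is measured at the
    day the domain was first seen in the log."""
    contacts, first_seen = Counter(), {}
    for line in lines:
        ts, _host, domain = line.split()
        contacts[domain] += 1
        first_seen.setdefault(domain, datetime.fromisoformat(ts).date())
    return {d: (classify(a := domain_age_days(d, first_seen[d], whois)), a, n)
            for d, n in contacts.items()}
```

Domains labelled `rotation-window` or `young` with many contacts are the candidates to review first; `unknown` entries mean the age check could not run and need a WHOIS lookup before they are dismissed.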

Read more: https://www.zscaler.com/blogs/security-research/recent-darkgate-activity-trends