Two recent campaigns show DarkGate Loader being spread via phishing emails, using MSI and VBScript payloads to eventually deliver the DarkGate malware, with automated analysis identifying the actor behind it and the MaaS-style affiliate model. The campaign combines in-file decryption, memory-resident shellcode, robust C2 capabilities, and back-end panel tools that affiliates use to manage operations. #DarkGate #DarkGateLoader #RastaFarEye #Emotet
Keypoints
- DarkGate Loader campaigns are distributed through phishing messages that lure victims via a link to download an MSI installer or a Visual Basic script.
- The MSI variant is self-contained, embedding AutoIt payloads inside the installer; the VBScript variant downloads AutoIt components using curl.
- The infection chain relies on a shellcode-based PE payload decoded from base64 strings and executed in memory after decryption.
- Researchers observed robust anti-analysis, anti-VM, and anti-debug capabilities, plus extensive defense-evasion and persistence features.
- DarkGate’s operator, known as RastaFarEye, markets the malware via cybercrime forums with MaaS-style access and limited affiliate slots.
- The campaign includes a DarkGate backend panel for configuration, a “LNK exploit builder,” and a wealth of C2 capabilities including information gathering, stealing, and remote control.
- IOC highlights include multiple DarkGate C2 servers (IP addresses and domains) and a known sample hash 6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70.
MITRE Techniques
- [T1566.001] Phishing – The malspam campaign used stolen email threads to lure victims into clicking the embedded hyperlink. (‘…phishing emails. The malspam campaign used stolen email threads to lure victim users into clicking the contained hyperlink…’)
- [T1218] Signed Binary Proxy Execution – The MSI variant appears to have been wrapped with MSI Wrapper from www.exemsi.com. (‘Application Verifier x64 External Package – UNREGISTERED – Wrapped using MSI Wrapper from www.exemsi.com’)
- [T1027] Obfuscated/Compressed Files and Information – The VBS sample contains junk functions and obfuscated strings; deobfuscation reveals the infection logic. (‘The script, which is obfuscated and contains decoy/junk code…’)
- [T1059.005] Command and Scripting Interpreter: Visual Basic – The initial payload was delivered as a Visual Basic script that uses curl to fetch its components. (‘…delivered as a Visual Basic script. The script will spawn a cmd.exe shell using ShellExecute and use the curl binary… to download an AutoIt executable and a corresponding AutoIt script.’)
- [T1105] Ingress Tool Transfer – The VBScript variant downloads the AutoIt components from attacker-controlled servers. (‘curl… to download an AutoIt executable and a corresponding AutoIt script.’)
- [T1059.003] Windows Command Shell – The VBScript spawns a cmd.exe shell to execute its commands. (‘spawn a cmd.exe shell using ShellExecute…’)
- [T1132.001] Data Encoding: Base64 – Base64 strings encoded with two different alphabets and separated by a | character are decoded to recover the final payload; the decoding step relies on XOR and NOT operations. (‘base64 strings that are separated with a | character… second/third strings… final payload’)
- [T1547.001] Registry Run Keys/Startup Folder – Startup persistence is configured so the malware survives reboots. (‘startup_persistence – true’)
- [T1055.012] Process Injection: Shellcode – Shellcode is decoded to binary and executed in memory after the allocated region is made executable with VirtualProtect. (‘…shellcode… to make the newly allocated memory area executable with VirtualProtect and call the shellcode…’)
- [T1082] System Information Discovery – The malware collects operating system information, details of the logged-on user, and the list of running processes for reporting to the C2. (‘Discovery… information about the operating system, the logged on user, the currently running programs…’)
- [T1003] Credential Dumping: Credentials in Web Browsers – Credential access targets browsers and other applications using legitimate Nirsoft freeware tools. (‘The malware contains multiple functions to steal passwords, cookies or other confidential data… Notably, the malware uses multiple legitimate freeware tools published by Nirsoft to extract confidential data.’)
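The custom-alphabet base64 plus XOR/NOT layering described under T1132.001, as an added Python example that is not code from the original write-up: the two alphabets, the `|`-separated three-segment layout and the XOR key are constructed stand-ins, because the page does not give the sample's real values. The decoder rebuilds stripped padding and fails loudly on characters outside the alphabet, and because NOT is XOR with 0xFF the two steps commute, so one function both applies and removes that layer.

```python
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed alphabets for the demo: two permutations of the standard alphabet.
# These are assumptions, not the alphabets used by the real DarkGate sample.
ALPHABET_A = STD_ALPHABET[13:] + STD_ALPHABET[:13]
ALPHABET_B = STD_ALPHABET[::-1]
DEMO_KEY = b"k3y"  # constructed repeating XOR key, also an assumption


def custom_b64_decode(data: str, alphabet: str) -> bytes:
    """Decode base64 written in a non-standard 64-character alphabet by
    translating it to the standard alphabet, then using the stdlib decoder."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    std = data.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)  # restore padding that loaders often strip
    return base64.b64decode(std, validate=True)  # unknown characters raise


def custom_b64_encode(raw: bytes, alphabet: str) -> str:
    """Inverse of custom_b64_decode; used here only to build the sample blob."""
    std = base64.b64encode(raw).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def xor_not(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR combined with bitwise NOT. NOT is XOR with 0xFF, so
    the two operations commute and this function is its own inverse."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] ^ 0xFF for i, b in enumerate(data))


def decode_blob(blob: str, alphabets: list, key: bytes) -> list:
    """Split a '|'-separated blob, decode segment i with alphabets[i], then
    strip the XOR/NOT layer from every segment."""
    segments = [s for s in blob.split("|") if s]
    if len(segments) != len(alphabets):
        raise ValueError("need exactly one alphabet per segment")
    return [xor_not(custom_b64_decode(s, a), key) for s, a in zip(segments, alphabets)]


def build_demo_blob() -> str:
    """Constructed three-segment sample: a config string plus two halves of a
    pretend payload (the 'MZ' header stands in for a PE). Not real sample data."""
    parts = [b"config=demo", b"MZ\x90\x00stub", b"payload-tail"]
    alphabets = [ALPHABET_A, ALPHABET_B, ALPHABET_B]
    return "|".join(custom_b64_encode(xor_not(p, DEMO_KEY), a) for p, a in zip(parts, alphabets))


def recover_demo() -> list:
    return decode_blob(build_demo_blob(), [ALPHABET_A, ALPHABET_B, ALPHABET_B], DEMO_KEY)
```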
Indicators of Compromise
- [IP] C2 servers – 149.248.0.82, 179.60.149.3, and 6 more IPs listed (observed as DarkGate C2 infrastructure)
- [Domain] C2/attack domains – a-1bcdn.com, avayacloud.com.global.prod.fastly.net, drkgatevservicceoffice.net, intranet.mcasavaya.com, onlysportsfitnessam.com, reactervnamnat.com, sanibroadbandcommunicton.duckdns.org, xfirecovery.pro
- [SHA256] Analyzed sample – 6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70
Read more: https://github.security.telekom.com/2023/08/darkgate-loader.html