The Gatekeeper’s Secrets: DarkGate Malware Analysis

DarkGate is a modular loader that re-emerges via phishing PDFs, ZIP archives, and other lures to drop and run additional malware, including Danabot and SocGholish, while employing obfuscated AutoIt scripts and XOR-encrypted payloads to evade defenses. The analysis details a multi-stage infection chain, in-memory shellcode techniques, and process-injection methods, plus AV/detection evasion and evolving delivery methods. #DarkGate #Danabot #SocGholish #AutoIt #CVE-2024-21412 #persikmonkiey7drone.com

Keypoints

  • DarkGate acts as a commodity loader used across multiple campaigns since 2018, delivered via PDFs, ZIPs, and chat/messaging vectors (e.g., Microsoft Teams, Skype) and linked to various payloads over time.
  • The initial infection chain starts with a malicious email masquerading as an invoice, leading to a PDF attachment and a deceptive Chrome error page that points to a ZIP archive containing an Internet Shortcut file.
  • Extracted ZIP downloads reveal a disguised AutoIt-based downloader (script.a3x) and an AutoIt3.exe component used to fetch additional payloads, including a shellcode-based final PE file.
  • DarkGate uses obfuscated/encoded components (XOR-encrypted sections in the A3X file) and a decryption routine to assemble the final payload for execution.
  • Payload execution involves sophisticated code injection into a suspended MicrosoftEdgeUpdateCore.exe process via WriteProcessMemory and ResumeThread, followed by Windows API callback techniques to run shellcode.
  • AV/defense evasion includes scanning for antivirus products, process injection, and potential fallback actions (e.g., BSOD) to cover tracks and persist.
  • Newer variants have shifted delivery from AutoIt to AutoHotKey, with multiple references in later reports, indicating ongoing evolution of the Gatekeeper’s Secrets campaign.
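Carving the payload out of an XOR-encrypted blob of the kind described in the keypoints (and in the mal_encrypted.bin / mal_dropped.bin indicators below), as an added analyst example that is not code from the eSentire write-up: it brute-forces a single-byte XOR key using the DOS stub string as known plaintext, decrypts, and repairs the MZ signature before trusting the carve. The single-byte key, the sample header layout and the form of the header damage are assumptions; DarkGate's actual key and decryption routine are not given in this summary.

```python
import struct
from typing import Optional

# Known plaintext that nearly every PE carries in its DOS stub.
DOS_STUB = b"This program cannot be run in DOS mode"

def xor_bytes(blob: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in blob)

def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the one that exposes the DOS stub.
    A single-byte key is an assumption here; a longer key needs more known plaintext."""
    for key in range(256):
        if DOS_STUB in xor_bytes(blob, key):
            return key
    return None

def fix_mz_header(pe: bytes) -> bytes:
    """Restore the 'MZ' signature, then confirm e_lfanew really points at 'PE\\0\\0'."""
    buf = bytearray(pe)
    buf[0:2] = b"MZ"
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature; not a carved PE")
    return bytes(buf)

def carve_payload(encrypted: bytes) -> bytes:
    """Analyst pipeline: recover key -> decrypt -> repair header. Raises if no key fits."""
    key = recover_xor_key(encrypted)
    if key is None:
        raise ValueError("no single-byte XOR key exposes a DOS stub")
    return fix_mz_header(xor_bytes(encrypted, key))

def build_sample_pe() -> bytes:
    """Constructed stand-in for a carved PE header (not real malware): 'MZ', e_lfanew = 0x80,
    the DOS stub text at 0x4E and the 'PE\\0\\0' signature at 0x80, padded to 0xC0 bytes."""
    hdr = bytearray(0xC0)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)

def build_sample_encrypted(key: int = 0x5A) -> bytes:
    """Constructed blob in the shape of mal_encrypted.bin: the sample PE XORed with `key`, with the
    first two bytes zeroed to stand in for the damaged MZ signature (the form of damage is assumed)."""
    enc = bytearray(xor_bytes(build_sample_pe(), key))
    enc[0:2] = b"\0\0"
    return bytes(enc)
```

Run `carve_payload(build_sample_encrypted())` to see the header restored; on a real carve, hand the result to a PE parser rather than trusting the MZ bytes alone.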

MITRE Techniques

  • [T1592.002] Gather Victim Host Information – Used to enumerate the security software present on the host before acting. Quote: “DarkGate identifies a large variety of anti-virus programs on the host”
  • [T1566.001] Phishing: Spearphishing Attachment – The invoice-themed email carries the PDF that starts the infection chain. Quote: “Phishing: Spearphishing Attachment”
  • [T1204.002] User Execution: Malicious File – The victim opens the PDF and the Internet Shortcut inside the downloaded ZIP, which launches the AutoIt-based downloader. Quote: “User Execution: Malicious File”
  • [T1055] Process Injection – The AutoIt script writes the payload into a suspended MicrosoftEdgeUpdateCore.exe process and resumes it. Quote: “DarkGate performs process injection using an AutoIT script, which utilizes the EnumWindows API (Callback code execution).”
  • [T1055.012] Process Injection: API Callback – The shellcode is run by registering it as the callback passed to EnumWindows. Quote: “API callback injection is a technique where a callback function is registered with a Windows API function… enabling an attacker to gain unauthorized access or perform malicious actions.”
  • [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – The final payload is stored XOR-encrypted inside the A3X file and decrypted at runtime. Quote: “Darkgate has an XOR encrypted section within the AutoIT file which is used to retrieve the final payload”

Indicators of Compromise

  • [URL] monitor.clickcease.com – C2/redirect mechanism used in initial download sequence to track clicks and route to the actual destination
  • [URL] otiunmonisky2m.com – redirect destination in the download flow
  • [Domain] persikmonkiey7drone.com – DarkGate C2 domain
  • [Hash] 0bb063d129162e8c93830fdbcf2ba416 – reader_update.zip
  • [Hash] a74ae422391a22b5469135ae7f0cbf7d – reader_update.exe
  • [Hash] 5e1c16a9508e87147b85e368b2463e8f – mal.bin (Initial Shellcode Loaded in Memory)
  • [Hash] 28a242ae3e8c8a6d1b0ee0c59c1c9aa3 – mal.bin_extracted (PE File Carved from Shellcode)
  • [Hash] d6adba203537023a2ae4f582d0b5e1b9 – mal_encrypted.bin (XOR Encrypted Portion in A3X File)
  • [Hash] a825b1fec71bd128c16c05fbb763bc04 – mal_dropped.bin (XOR Decrypted version of mal_encrypted.bin with fixed MZ header)
  • [URL] 64.52.80.82/Autoit3.exe – URL used to fetch AutoIt3.exe component
  • [URL] 64.52.80.82/script.a3x – URL used to fetch the obfuscated AutoIt script
  • [URL] 64.52.80.82/test.txt – URL used to fetch test.txt (data source for script)
  • [URL] 193.178.210.226/documents/reader_update.zip – reader_update.zip payload delivery
  • [URL] 193.178.210.226/documents/reader_update.zip/reader_update.exe – reader_update.exe payload

Read more: https://www.esentire.com/blog/the-gatekeepers-secrets-darkgate-malware-analysis