Overview
In 2018, security researcher Adi Zeligson discovered the DarkGate malware spreading through fake video torrent files. Though weaponization, delivery, and exploitation change frequently, installation has remained largely the same. A Microsoft Software Installer (MSI) file or Visual Basic Script (VBS) instantiates an AutoIT script and the AutoIT interpreter. The AutoIT script then allocates memory for shellcode found within a text file. The shellcode searches for an executable, decrypts the DarkGate binary, and injects the decrypted binary into the executable using process hollowing. However, if Kaspersky antivirus is detected, the shellcode loads and executes the binary directly instead of using the process hollowing technique.
DarkGate is written in Borland Delphi and is broadly considered loader malware, but it also possesses a variety of features such as process injection, information stealing, execution of shell commands, cryptomining, and keylogging. It has been marketed as Malware as a Service (MaaS) on Russian-speaking cyber crime forums since 2018. Typically, an AutoIT script and the AutoIT3.exe interpreter are downloaded to disk. The interpreter executes the AutoIT script, which allocates memory for shellcode and executes it. This shellcode constructs the DarkGate executor as a PE file in memory and passes control to it; the executor then loads the AutoIT script into memory, locates an encrypted blob, and decrypts it. The result is a PE file whose import table is resolved dynamically.
Delivery
MSI vs. VBS
Typically, a VBS script downloads a Windows batch script from the C2, creating a directory in the “C:\” drive named with random characters. The script then copies the curl.exe utility into the new folder under a new name. Using the renamed curl.exe, the batch script downloads the AutoIT3.exe interpreter and an AutoIT script. Alternatively, the MSI file comes with a Windows Cabinet archive containing the AutoIT payloads. Researchers have also observed variations of DarkGate delivery options, including Excel DotNet for Applications (DNA), VBS downloaders, and Microsoft LNK shortcut downloaders. The LNK downloaders abuse the trust relationship between an LNK file and content downloaded from the internet. This latter option likely inspired the later pivot to internet shortcut (.URL) files.
Persistence
DarkGate establishes persistence by installing a key in “\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”, using the first eight digits of a user-generated ID for the key name and the name of the AutoIT script as the value. Additionally, DarkGate searches for security tools such as MalwareBytes, Adwcleaner, or Farbar Recovery Scan Tool in order to restore any of its files that may have been deleted by AV solutions.
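The delivery and persistence behaviour described above (a renamed curl.exe in a random-named folder under C:\, AutoIT3.exe launched from that folder, and a Run key named with eight digits) is concrete enough to hunt for. The following is an added detection example, not code from the page or from any vendor report: it runs three simple rules over constructed Sysmon-style process-creation records and constructed Run-key entries. The AutoIT script extensions (.au3/.a3x) and the field names are assumptions.

```python
import re
from typing import Dict, List

# Constructed process-creation events shaped like Sysmon Event ID 1 fields.
# Sample data only; paths and hosts are invented.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\curl.exe",
     "OriginalFileName": "curl.exe",
     "CommandLine": r"curl.exe -O https://example.invalid/file.txt"},
    {"Image": r"C:\zkqwTbx\zkqwTbx.exe",            # curl.exe copied and renamed
     "OriginalFileName": "curl.exe",
     "CommandLine": r"C:\zkqwTbx\zkqwTbx.exe -o C:\zkqwTbx\AutoIt3.exe https://example.invalid/a"},
    {"Image": r"C:\zkqwTbx\AutoIt3.exe",             # interpreter run from the random folder
     "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r"C:\zkqwTbx\AutoIt3.exe C:\zkqwTbx\script.a3x"},
]

def renamed_curl(events: List[Dict[str, str]]) -> List[str]:
    """T1036.003: PE version info says curl.exe but the on-disk file name differs."""
    hits = []
    for ev in events:
        image_name = ev["Image"].rsplit("\\", 1)[-1].lower()
        if ev["OriginalFileName"].lower() == "curl.exe" and image_name != "curl.exe":
            hits.append(ev["Image"])
    return hits

def autoit_from_root_dir(events: List[Dict[str, str]]) -> List[str]:
    """AutoIt3.exe executing from a folder directly under the drive root (e.g. C:\<random>\)."""
    pat = re.compile(r"^[A-Za-z]:\\[^\\]+\\AutoIt3\.exe$", re.IGNORECASE)
    return [ev["Image"] for ev in events if pat.match(ev["Image"])]

# Constructed Run-key entries (value name -> data), as read from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
RUN_KEY: Dict[str, str] = {
    "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "48213765": r"C:\zkqwTbx\AutoIt3.exe C:\zkqwTbx\script.a3x",
}

def suspicious_run_entries(run_key: Dict[str, str]) -> List[str]:
    """Run entries whose name is exactly eight digits and whose data points at an AutoIT script."""
    script_ext = re.compile(r"\.(au3|a3x)\b", re.IGNORECASE)  # assumed AutoIT extensions
    return [name for name, data in run_key.items()
            if re.fullmatch(r"\d{8}", name)
            and ("autoit3.exe" in data.lower() or script_ext.search(data))]

if __name__ == "__main__":
    print("renamed curl:", renamed_curl(EVENTS))
    print("AutoIt3 from root dir:", autoit_from_root_dir(EVENTS))
    print("suspicious Run entries:", suspicious_run_entries(RUN_KEY))
```

Each rule alone produces noise in some environments (legitimate AutoIT deployments, installers that copy curl); the value is in correlating all three on one host within a short window.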
Capabilities
Cryptomining
If the cryptomining option is enabled, the first connection made to the C2 retrieves the configuration file needed to begin the process. The DarkGate C2 server responds by sending the “startminer” command in cleartext to initiate cryptomining. Using process hollowing, DarkGate runs the miner inside a “systeminfo.exe” process.
Crypto Wallet Theft
The DarkGate malware can steal credentials for a variety of crypto-wallets by searching for the following strings in the titles of foreground windows:
• sign-in / hitbtc
• binance – login
• litebit.eu – login
• binance – iniciar sesi
• cryptopia – login
• user login – zb spot exchange
• sign in | coinEx
• electrum
• bittrex.com – input
• exchange – balances
• eth) – log in
• blockchain wallet
• bitcoin core
• kucoin
• metamask
• factores-Binance
• litecoin core
• myether
Keylogging
DarkGate starts a thread responsible for logging keystrokes, foreground window titles, and clipboard contents. This data is saved to a file at “C:\users\%USERNAME%\appdata\roaming\%CURRENTDATE%.log”.
Information Stealing
DarkGate uses a variety of tools to steal credentials, browser cookies, browser history, and Skype chats. Using process hollowing, DarkGate injects one or more of these tools into instances of vbc.exe or regasm.exe. The data is then extracted from the memory of the hollowed process.
In June 2023, the creator of DarkGate elaborated on available features such as hidden VNC, Windows Defender exclusion, browser history and Discord token stealer, reverse proxy, and file manager.
C2
The initial version of DarkGate contained six hardcoded domain names to be used for C2 communications. Many of the domains incorporate variations of “amazon” or “akamai” to make the NS records look legitimate.
Evasion
Anti-VM Resource Check
DarkGate checks whether the local environment has less than 101 GB of disk space, or less than or equal to 4 GB of RAM.
Anti-AV
DarkGate checks for the presence of the following AV process names:
• astui.exe
• avpui.exe
• avgui.exe
• egui.exe
• bdagent
• avguard.exe
• nis.exe
• ns.exe
• nortonsecurity.exe
• uiseagnt.exe
• bytefence.exe
• psuaconsole.exe
• sdscan.ex
• mcshield.exe
• mcuicnt.exe
• mpcmdrun.exe
• superantispyware.exe
• vkise.exe
• mbam.exe
• cis.exe
• msascuil.exe
Direct Syscall Invocation
DarkGate bypasses the ntdll.dll stubs normally used to invoke KiFastSystemCall, the routine that transitions from user mode (ring 3) to kernel mode (ring 0). It does this by passing the syscall number and parameters of the requested ntdll function to an address in “wow64cpu.dll”, which jumps to the 64-bit “KiFastSystemCall” function.
Anti-analysis
DarkGate possesses the following anti-analysis mechanisms:
• Checks for known characteristics of virtual machines
• Checks for known characteristics of sandbox software
• Searches for processes belonging to various AV solutions
• Disk space and memory checks (the minimum disk and memory sizes can be configured)
DLL Sideloading
DarkGate v5 introduced DLL side-loading. In this version, the MSI payload contains a trojanized DLL that is loaded by the signed KeyScrambler executable; the DLL extracts and injects the malicious shellcode.
Infection Vectors
Skype
Using a compromised Skype account, a threat actor hijacked a messaging thread, allowing them to pose as one of the participants and send a message with a PDF attachment containing a VBS script. Once the VBS script was executed, it created a new folder named with a random character string. It then copied curl.exe to this directory, naming it with the same random string. It then used the copy of curl.exe to download and execute the AutoIT script and interpreter.
Microsoft Teams
A threat actor used two compromised Microsoft Teams accounts to send phishing messages. These messages tricked victims into downloading and opening a malicious ZIP file. The archive contains an LNK file supposedly pointing to a PDF. Instead, the victim downloads and executes a VBS script which downloads the DarkGate AutoIT script and interpreter. The script executes shellcode that downloads and assembles the DarkGate malware byte by byte.
The WithSecure Detection and Response Team detected a DarkGate infection campaign linked to a Vietnamese threat actor closely associated with a DuckTail malware campaign. The infection chain started when a victim clicked a link in a LinkedIn message. This redirected them to a ZIP file hosted on Google Drive. The archive was downloaded and extracted, revealing a VBS script. When executed, the VBS script copied the Windows executable curl.exe to a new location and renamed it. The renamed copy was then used to download two files: an AutoIT script and the AutoIT3.exe interpreter. The script de-obfuscates and assembles the DarkGate payload contained within it.
The report explains that metadata within the LNK, PDF, and DOCX files links this threat actor to a larger campaign. Other data within the files uploaded to VirusTotal connects them to a range of malware distribution activity originating in Vietnam.
CVE-2021-26855
In September 2023, researchers with Cofense observed DarkGate operators using an infection chain that began with a “hijacked” email thread, which may have been obtained through Microsoft ProxyLogon attacks (CVE-2021-26855). The phishing email contained a link that was likely created by a Traffic Distribution System (TDS). When the URL is clicked, the victim is filtered based on geolocation and internet browser. The TDS then redirects the victim to an MSI installer. The MSI file extracts an AutoIT script, the AutoIT3.exe interpreter, shellcode, and the DarkGate malware. The script injects shellcode that assembles the DarkGate payload.
Alternatively, another campaign using the hijacked email thread tactic downloaded a ZIP archive containing a JavaScript file and a JavaScript application which downloads and executes the DarkGate malware.
CVE-2023-36025
In the summer of 2023, researchers from Proofpoint observed DarkGate operators exploiting CVE-2023-36025, bypassing the Windows Defender SmartScreen feature that warns the user before visiting malicious sites when an internet shortcut (.URL) file points to an SMB or WebDAV server share. Once the .URL link is clicked, a Traffic Distribution System (TDS) is used to redirect victims to a malicious site hosting another internet shortcut file. TDSs are traffic brokers that intercept incoming traffic, filter it based on predefined criteria, and then redirect the victim to a malicious site. In this case the internet shortcut (.URL) file links to a compressed VBS script which downloads several shell commands, an AutoIT script and AutoIT interpreter, and eventually the DarkGate malware. Proofpoint refers to this specific DarkGate cluster as BattleRoyal, which is tracked by the GroupID configuration settings “PLEX”, “ADS5”, “user_871236672” and “usr_871663321”.
CVE-2024-21412
The infection chain begins with a phishing email containing a PDF whose content does not display properly to the user. Instead, the user is instructed to download an update to properly display the PDF content. Once the “Download” button is clicked, the victim is redirected to a compromised web server. This is done through a Google DoubleClick Digital Marketing (DDM) open redirect, an ad technology typically used by advertisers to supply content based on user search queries. The Windows Mark-of-the-Web (MotW) feature flags content downloaded from the internet and warns the user of the risk of opening or executing the document. However, the DarkGate operators bypassed this protection by exploiting the trust Windows gives to Google DDM domains (CVE-2024-21412).
The compromised web server hosts a .URL internet shortcut file that exploits CVE-2023-36025, leading the victim to a malicious WebDAV server controlled by the attacker, where a fake NVIDIA .MSI installer package is hosted. The .MSI file includes a ZIP archive that sideloads a malicious DLL responsible for the installation process and an AutoIT script used to decrypt, load, and execute the DarkGate payload.
Related Families
Researchers at Fortinet have identified behavioral similarities and code overlap with the infostealer Golroted.
MITRE ATT&CK TTPs
Technique T1001 Data Obfuscation
Technique T1010 Application Window Discovery
Technique T1027 Obfuscated Files or Information
Technique T1027.013 Encrypted/Encoded File
Technique T1036 Masquerading
Technique T1036.003 Rename System Utilities
Technique T1036.007 Double File Extension
Technique T1041 Exfiltration Over C2 Channel
Technique T1055.012 Process Hollowing
Technique T1056.001 Keylogging
Technique T1057 Process Discovery
Technique T1059.003 Windows Command Shell
Technique T1059.005 Visual Basic
Technique T1059.010 AutoHotKey & AutoIT
Technique T1071.004 DNS
Technique T1082 System Information Discovery
Technique T1083 File and Directory Discovery
Technique T1098 Account Manipulation
Technique T1105 Ingress Tool Transfer
Technique T1106 Native API
Technique T1566.002 Spearphishing Link
Technique T1569.002 Service Execution
Technique T1574 Hijack Execution Flow
Technique T1574.002 DLL Side-Loading
Technique T1574.007 Path Interception by PATH Environment Variable
Technique T1583.001 Domains
Technique T1614 System Location Discovery
Technique T1622 Debugger Evasion
Technique T1657 Financial Theft
Technique T1665 Hide Infrastructure
Further Reading
https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign
https://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html
https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams
https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/
https://github.security.telekom.com/2023/08/darkgate-loader.html
https://www.techrepublic.com/article/darkgate-loader-malware-microsoft-teams/
https://labs.withsecure.com/publications/darkgate-malware-campaign
https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/
https://www.trellix.com/blogs/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/
https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates
https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412–darkgate-operators-exploit-microsoft-windows-sma.html