
Researchers Shed Light on DarkGate Malware That Targeted Users from North America, Europe, and Asia

by Krishi Chowdhary (Techreport)
  • Researchers from Palo Alto Networks Unit 42, namely Vishwa Thothathri, Uday Pratap Singh, Yijie Sui, Anmol Maurya, and Brad Duncan, have shed light on the DarkGate malware campaign.
  • DarkGate has been available since 2018 as a malware-as-a-service (MaaS) offering, and in March and April of this year the malware was spread through Microsoft Excel files.
  • What makes this malware especially dangerous is its use of techniques that make it hard to detect, and it is constantly evolving and adopting new methods of evading detection.


A short-lived malware campaign that distributed the DarkGate malware-as-a-service payload through the exploitation of Samba file shares hit Europe, North America, and parts of Asia between March and April this year.

Researchers from Palo Alto Networks Unit 42 have shed light on this incident. Security researchers Uday Pratap Singh, Vishwa Thothathri, Yijie Sui, Brad Duncan, and Anmol Maurya made the discovery.

"This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware."

About DarkGate

Written in Borland Delphi, DarkGate has been available since 2018 as a malware-as-a-service (MaaS) offering. Simply put, the malware was sold to other threat actors, so that even those without coding or any technical skills could target their victims.

There were a number of ways to use DarkGate. Malicious actors could use it to launch reverse shells, mine cryptocurrency, execute code, remotely control compromised hosts, or drop additional payloads.


About This Attack

The attack started in March 2024, first in North America, and then spread to Europe, Africa, and Asia. It peaked on 9 April, when more than 2,000 samples were detected in a single day.

For this particular attack, the threat actors used Microsoft Excel files.

  • When a victim opened the .xlsx file, they were shown a template in which the 'Open' button was linked to another object.
  • As soon as they clicked the button, the file redirected to a malicious web address, retrieved some files, and ran them on the victim's device.
  • The malicious URL (the one attached to the Open button) points to a publicly accessible Samba/SMB share that hosts a VBS file.
  • In some of the attacks, the researchers also found attackers distributing JavaScript files from Samba shares.
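As an added illustration (not from the Unit 42 report or this article), one check a defender can run on a suspicious workbook before anyone clicks its button: unpack the OOXML ZIP and flag every external relationship whose target is a UNC/SMB location, which is the delivery pattern described above. The sample workbook, the host address and the file names below are constructed placeholders.

```python
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# External targets that resolve to a UNC/SMB location: \\host\share\..., file://host/..., smb://host/...
SMB_TARGET = re.compile(r"^(\\\\|file://|smb://)", re.IGNORECASE)


def external_smb_targets(xlsx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (rels part, target) for every external relationship that points at an SMB/UNC path."""
    # An .xlsx is a ZIP of OOXML parts; hyperlinks and linked objects live in *.rels
    # parts as <Relationship TargetMode="External" Target="..."/>.
    hits: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if SMB_TARGET.match(target):
                    hits.append((name, target))
    return hits


def build_sample_xlsx(link_target: str) -> bytes:
    """Constructed minimal workbook-shaped ZIP (not a real sample): an internal image, a benign https link, and one link to link_target."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="../media/image1.png"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/help" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target={quoteattr(link_target)} TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/drawings/_rels/drawing1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsx(r"\\203.0.113.5\share\update.vbs")  # placeholder host and file name
    for part, target in external_smb_targets(sample):
        print(f"external SMB link in {part}: {target}")
```

Only the UNC, file:// and smb:// targets are reported; the internal image part and the plain https hyperlink in the same .rels are ignored.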

The worst bit is that these attacks were extremely difficult to detect. The malware scanned the device for any anti-malware programs. It also checked the CPU information, which helped it determine whether it was running on a physical host or in a virtual environment, in turn allowing it to hinder analysis.

On top of that, it checked the host's running processes and looked for the presence of reverse engineering tools, debuggers, or any virtualization software.

Last but not least, the researchers said, "DarkGate C2 traffic uses unencrypted HTTP requests, but the data is obfuscated and appears as Base64-encoded text." This further helped it evade detection.
