Analytics Story: DarkGate Malware

Date: 2023-10-31 ID: a4727b27-9e68-48f0-94a2-253cfb30c15d Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

Telekom Security CTI has uncovered a new phishing-driven malware campaign distributing DarkGate malware. This campaign utilizes stolen email threads to trick users into downloading malicious payloads via hyperlinks. An initial false link to Emotet stirred the security community, but deeper analysis confirmed its true identity as DarkGate, with characteristics like AutoIt scripts and a known command-and-control protocol. This report by Fabian Marquardt details the intricate infection mechanisms, including MSI and VBS file deliveries, sophisticated evasion techniques, and a robust configuration extraction method surpassing current standards. The single developer behind DarkGate, active on cybercrime forums, has shifted the malware's use from private to a rent-out model, implying an expected rise in its deployment. Researchers have also developed a decryption technique for the DarkGate malware, which aids in static analysis and detection, though it requires careful validation to avoid false positives.

Why it matters

Telekom Security CTi has recently put a spotlight on the proliferation of DarkGate malware via a sophisticated malspam campaign, initially mistaken for the notorious Emotet malware. The campaign smartly manipulates stolen email conversations, embedding hyperlinks that, once clicked, activate a malware download. Fabian Marquardt's analysis traces the infection's footprint, revealing a dual delivery mechanism through MSI and VBS files. These files, cloaked in legitimate wrappers or obscured with junk code, ultimately download the malware via embedded scripts. Marquardt delves into the AutoIt script-based infection, uncovering the calculated use of compiled scripts and base64-encoded data to disguise the execution of malicious shellcode. The subsequent stages of infection exhibit the malware's capability to evade detection, leveraging memory allocation techniques to bypass security measures. Marquardt also explores the loader's function, which decrypts further malicious payloads by interacting with the script's encoded components. The analytical narrative captures a cross-section of the cybersecurity landscape, reflecting the shift in DarkGate's operational strategy from exclusive use by the developer to a broader dissemination through a Malware-as-a-Service (MaaS) model. This transition suggests an anticipated escalation in DarkGate-related attacks. Significantly, the report contributes to cybersecurity defenses by outlining a more effective method for extracting malware configurations, providing the community with the means to anticipate and mitigate the evolving threats posed by this pernicious malware. With the insights gained, researchers and security professionals are better equipped to adapt their strategies, constructing more robust defenses against the sophisticated tactics employed by DarkGate and similar malware strains.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
CMD Carry Out String Command Parameter Windows Command Shell, Command and Scripting Interpreter Hunting
Cmdline Tool Not Executed In CMD Shell Command and Scripting Interpreter, JavaScript TTP
Create local admin accounts using net exe Local Account, Create Account TTP
Create or delete windows shares using net exe Indicator Removal, Network Share Connection Removal TTP
Delete ShadowCopy With PowerShell Inhibit System Recovery TTP
Deleting Of Net Users Account Access Removal TTP
Deleting Shadow Copies Inhibit System Recovery TTP
Detect PsExec With accepteula Flag Remote Services, SMB/Windows Admin Shares TTP
Detect Regasm Spawning a Process System Binary Proxy Execution, Regsvcs/Regasm TTP
Detect Renamed PSExec System Services, Service Execution Hunting
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Execution of File with Multiple Extensions Masquerading, Rename System Utilities TTP
Non Chrome Process Accessing Chrome Default Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Non Firefox Process Access Firefox Profile Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
PowerShell 4104 Hunting Command and Scripting Interpreter, PowerShell Hunting
Powershell Remote Services Add TrustedHost Windows Remote Management, Remote Services TTP
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass Command and Scripting Interpreter, PowerShell TTP
Suspicious Process File Path Create or Modify System Process TTP
System Processes Run From Unexpected Locations Masquerading, Rename System Utilities Anomaly
Windows Access Token Manipulation SeDebugPrivilege Create Process with Token, Access Token Manipulation Anomaly
Windows Archive Collected Data via Rar Archive via Utility, Archive Collected Data Anomaly
Windows AutoIt3 Execution Command and Scripting Interpreter TTP
Windows CAB File on Disk Spearphishing Attachment Anomaly
Windows Credentials from Password Stores Chrome Extension Access Query Registry Anomaly
Windows Credentials from Password Stores Chrome LocalState Access Query Registry Anomaly
Windows Credentials from Password Stores Chrome Login Data Access Query Registry Anomaly
Windows Credentials from Password Stores Creation Credentials from Password Stores TTP
Windows Credentials from Password Stores Deletion Credentials from Password Stores TTP
Windows Credentials from Password Stores Query Credentials from Password Stores Anomaly
Windows Debugger Tool Execution Masquerading Hunting
Windows Indicator Removal Via Rmdir Indicator Removal Anomaly
Windows Modify Registry AuthenticationLevelOverride Modify Registry Anomaly
Windows Modify Registry DisableRemoteDesktopAntiAlias Modify Registry TTP
Windows Modify Registry DisableSecuritySettings Modify Registry TTP
Windows Modify Registry DontShowUI Modify Registry TTP
Windows Modify Registry ProxyEnable Modify Registry Anomaly
Windows Modify Registry ProxyServer Modify Registry Anomaly
Windows MSIExec Spawn WinDBG Msiexec TTP
Windows System Reboot CommandLine System Shutdown/Reboot Anomaly
Windows System Shutdown CommandLine System Shutdown/Reboot Anomaly
Windows Unsigned DLL Side-Loading In Same Process Path DLL Side-Loading, Hijack Execution Flow TTP
Windows WinDBG Spawning AutoIt3 Command and Scripting Interpreter TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4703 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1