Analytics Story: DarkGate Malware

Description

Telekom Security CTI has uncovered a new phishing-driven malware campaign distributing DarkGate malware. The campaign reuses stolen email threads to trick recipients into downloading malicious payloads via hyperlinks. An initial misattribution to Emotet stirred the security community, but deeper analysis confirmed the malware as DarkGate, identified by characteristics such as AutoIt scripts and a known command-and-control protocol. The report by Fabian Marquardt details the infection chain, including delivery through MSI and VBS files, the evasion techniques used along the way, and a configuration extraction method that is more robust than existing approaches. The single developer behind DarkGate, active on cybercrime forums, has shifted the malware from private use to a rent-out model, so an increase in its deployment is expected. Researchers have also developed a decryption technique for DarkGate that aids static analysis and detection, although it requires careful validation to avoid false positives.

Why it matters

Telekom Security CTI has recently put a spotlight on the spread of DarkGate malware through a malspam campaign that was initially mistaken for the notorious Emotet malware. The campaign leverages stolen email conversations, embedding hyperlinks that, once clicked, trigger the malware download. Fabian Marquardt's analysis traces the infection chain and reveals a dual delivery mechanism using MSI and VBS files. These files, wrapped in legitimate-looking installers or obscured with junk code, ultimately download the malware via embedded scripts. Marquardt examines the AutoIt script-based stage of the infection, showing how compiled scripts and base64-encoded data are used to disguise the execution of malicious shellcode. Later stages demonstrate the malware's ability to evade detection, using memory allocation techniques to bypass security controls. Marquardt also describes the loader, which decrypts further malicious payloads by working with the script's encoded components. The report reflects a shift in DarkGate's operational strategy from exclusive use by its developer to broader distribution under a Malware-as-a-Service (MaaS) model, a transition that suggests an increase in DarkGate-related attacks. Significantly, the report strengthens defenses by outlining a more effective method for extracting malware configurations, giving the community the means to anticipate and mitigate the evolving threat. With these insights, researchers and security professionals are better equipped to adapt their strategies and build more robust defenses against the tactics employed by DarkGate and similar malware families.

Detections

| Name | Technique | Type |
|---|---|---|
| Windows Modify Registry DisableRemoteDesktopAntiAlias | Modify Registry | TTP |
| Windows Modify Registry ProxyServer | Modify Registry | Anomaly |
| Windows WinDBG Spawning AutoIt3 | Command and Scripting Interpreter | TTP |
| Deleting Shadow Copies | Inhibit System Recovery | TTP |
| Windows Indicator Removal Via Rmdir | Indicator Removal | Anomaly |
| Executables Or Script Creation In Temp Path | Masquerading | Anomaly |
| Windows MSIExec Spawn WinDBG | Msiexec | TTP |
| System Processes Run From Unexpected Locations | Rename Legitimate Utilities | Anomaly |
| Windows Modify Registry AuthenticationLevelOverride | Modify Registry | Anomaly |
| Windows Unsigned DLL Side-Loading In Same Process Path | DLL | TTP |
| Windows System Reboot CommandLine | System Shutdown/Reboot | Hunting |
| Non Firefox Process Access Firefox Profile Dir | Credentials from Web Browsers | Anomaly |
| Windows Cmdline Tool Execution From Non-Shell Process | JavaScript | Anomaly |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP |
| Delete ShadowCopy With PowerShell | Inhibit System Recovery | TTP |
| Windows Suspicious Process File Path | Match Legitimate Resource Name or Location, Create or Modify System Process | TTP |
| Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly |
| Windows Credentials from Password Stores Creation | Credentials from Password Stores | TTP |
| Powershell Remote Services Add TrustedHost | Windows Remote Management | TTP |
| Windows Debugger Tool Execution | Masquerading | Hunting |
| Detect Renamed PSExec | Service Execution | Hunting |
| CMD Carry Out String Command Parameter | Windows Command Shell | Hunting |
| Create or delete windows shares using net exe | Network Share Connection Removal | TTP |
| Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly |
| Windows Credentials from Password Stores Deletion | Credentials from Password Stores | TTP |
| Windows System Shutdown CommandLine | System Shutdown/Reboot | Anomaly |
| Windows User Deletion Via Net | Account Access Removal | Anomaly |
| Windows Create Local Administrator Account Via Net | Local Account | Anomaly |
| PowerShell 4104 Hunting | PowerShell | Hunting |
| Windows CAB File on Disk | Spearphishing Attachment | Anomaly |
| Detect PsExec With accepteula Flag | SMB/Windows Admin Shares | TTP |
| Windows Unusual SysWOW64 Process Run System32 Executable | Break Process Trees | Anomaly |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass | PowerShell | TTP |
| Windows AutoIt3 Execution | Command and Scripting Interpreter | TTP |
| Windows PUA Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | Anomaly |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Execution of File with Multiple Extensions | Rename Legitimate Utilities | TTP |
| Windows Modify Registry DisableSecuritySettings | Modify Registry | TTP |
| Windows Access Token Manipulation SeDebugPrivilege | Create Process with Token | Anomaly |
| Non Chrome Process Accessing Chrome Default Dir | Credentials from Web Browsers | Anomaly |
| Windows Archive Collected Data via Rar | Archive via Utility | Anomaly |
| Detect Regasm Spawning a Process | Regsvcs/Regasm | TTP |
| Windows Modify Registry DontShowUI | Modify Registry | TTP |
| Windows Credentials from Password Stores Query | Credentials from Password Stores | Anomaly |
| Windows Modify Registry ProxyEnable | Modify Registry | Anomaly |
| Windows Credentials from Password Stores Chrome Extension Access | Query Registry | Anomaly |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4663 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4703 | Windows | XmlWinEventLog | XmlWinEventLog:Security |

Source: GitHub | Version: 2