Description
Telekom Security CTI has uncovered a new phishing-driven malware campaign distributing DarkGate malware. The campaign uses stolen email threads to lure recipients into downloading malicious payloads via hyperlinks. It was initially attributed to Emotet, which stirred the security community, but deeper analysis identified it as DarkGate based on characteristics such as compiled AutoIt scripts and a known command-and-control protocol. Fabian Marquardt's report details the infection chain, including delivery via MSI and VBS files, evasion techniques, and a configuration extraction method that improves on previously published approaches. The single developer behind DarkGate, active on cybercrime forums, has shifted from private use of the malware to renting it out, so its deployment is expected to rise. The researchers have also developed a decryption technique for DarkGate's encrypted configuration, which aids static analysis and detection, though detection logic built on it requires careful validation to avoid false positives.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Authentication, Endpoint
- Last Updated: 2023-10-31
- Author: Michael Haag, Splunk
- ID: a4727b27-9e68-48f0-94a2-253cfb30c15d
Narrative
Telekom Security CTI has recently put a spotlight on the proliferation of DarkGate malware via a sophisticated malspam campaign, initially mistaken for the notorious Emotet malware. The campaign reuses stolen email conversations, embedding hyperlinks that, once clicked, trigger a malware download. Fabian Marquardt's analysis traces the infection's footprint, revealing a dual delivery mechanism through MSI and VBS files. These files, cloaked in legitimate wrappers or obscured with junk code, ultimately download the malware via embedded scripts.
Marquardt delves into the AutoIt script-based infection, uncovering the calculated use of compiled scripts and base64-encoded data to disguise the execution of malicious shellcode. The subsequent stages of infection exhibit the malware’s capability to evade detection, leveraging memory allocation techniques to bypass security measures. Marquardt also explores the loader’s function, which decrypts further malicious payloads by interacting with the script’s encoded components.
The report also documents the shift in DarkGate's operational strategy from exclusive use by the developer to broader dissemination through a Malware-as-a-Service (MaaS) model. This transition suggests an anticipated escalation in DarkGate-related attacks.
Significantly, the report contributes to defenses by outlining a more effective method for extracting DarkGate's configuration, giving the community the means to anticipate and mitigate the evolving threat. With these insights, researchers and security professionals are better equipped to adapt their strategies and build more robust defenses against the tactics employed by DarkGate and similar malware strains.
Detections
Name | Technique | Type
CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting
Cmdline Tool Not Executed In CMD Shell | Command and Scripting Interpreter, JavaScript | TTP
Create local admin accounts using net exe | Local Account, Create Account | TTP
Create or delete windows shares using net exe | Indicator Removal, Network Share Connection Removal | TTP
Delete ShadowCopy With PowerShell | Inhibit System Recovery | TTP
Deleting Of Net Users | Account Access Removal | TTP
Deleting Shadow Copies | Inhibit System Recovery | TTP
Detect PsExec With accepteula Flag | Remote Services, SMB/Windows Admin Shares | TTP
Detect Regasm Spawning a Process | System Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Renamed PSExec | System Services, Service Execution | Hunting
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Execution of File with Multiple Extensions | Masquerading, Rename System Utilities | TTP
Non Chrome Process Accessing Chrome Default Dir | Credentials from Password Stores, Credentials from Web Browsers | Anomaly
Non Firefox Process Access Firefox Profile Dir | Credentials from Password Stores, Credentials from Web Browsers | Anomaly
PowerShell 4104 Hunting | Command and Scripting Interpreter, PowerShell | Hunting
Powershell Remote Services Add TrustedHost | Windows Remote Management, Remote Services | TTP
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass | Command and Scripting Interpreter, PowerShell | TTP
Suspicious Process File Path | Create or Modify System Process | TTP
System Processes Run From Unexpected Locations | Masquerading, Rename System Utilities | Anomaly
Windows Access Token Manipulation SeDebugPrivilege | Create Process with Token, Access Token Manipulation | Anomaly
Windows Archive Collected Data via Rar | Archive via Utility, Archive Collected Data | Anomaly
Windows AutoIt3 Execution | Command and Scripting Interpreter | TTP
Windows CAB File on Disk | Spearphishing Attachment | Anomaly
Windows Credentials from Password Stores Chrome Extension Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly
Windows Credentials from Password Stores Creation | Credentials from Password Stores | TTP
Windows Credentials from Password Stores Deletion | Credentials from Password Stores | TTP
Windows Credentials from Password Stores Query | Credentials from Password Stores | Anomaly
Windows Debugger Tool Execution | Masquerading | Hunting
Windows Indicator Removal Via Rmdir | Indicator Removal | Anomaly
Windows MSIExec Spawn WinDBG | Msiexec | TTP
Windows Modify Registry AuthenticationLevelOverride | Modify Registry | Anomaly
Windows Modify Registry DisableRemoteDesktopAntiAlias | Modify Registry | TTP
Windows Modify Registry DisableSecuritySettings | Modify Registry | TTP
Windows Modify Registry DontShowUI | Modify Registry | TTP
Windows Modify Registry ProxyEnable | Modify Registry | Anomaly
Windows Modify Registry ProxyServer | Modify Registry | Anomaly
Windows System Reboot CommandLine | System Shutdown/Reboot | Anomaly
Windows System Shutdown CommandLine | System Shutdown/Reboot | Anomaly
Windows Unsigned DLL Side-Loading In Same Process Path | DLL Side-Loading, Hijack Execution Flow | TTP
Windows WinDBG Spawning AutoIt3 | Command and Scripting Interpreter | TTP
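The table above lists the detections by name only. As an added example (not Splunk's SPL and not code from the Telekom report), the following Python applies approximations of four of those detections, Windows AutoIt3 Execution, Windows MSIExec Spawn WinDBG, Windows WinDBG Spawning AutoIt3 and Execution of File with Multiple Extensions, to constructed process-creation records modelled on Sysmon Event ID 1 fields, and then correlates the individual hits into the msiexec -> windbg -> AutoIt3 chain that characterises the MSI delivery path. The hosts, paths, PIDs and field names are assumptions made for this example; the exact logic of the Splunk searches over the Endpoint datamodel is not reproduced here.

```python
"""Approximate DarkGate process-chain detections over Sysmon-style events.

Constructed example for this analytic story; not Splunk's own SPL and not
code from the Telekom Security report. Field names follow Sysmon Event ID 1
(Image, ParentImage, OriginalFileName) but are assumptions for this demo.
"""
import re
from collections import defaultdict
from typing import Iterable

# Constructed sample events. Hosts, PIDs and paths are made up; they are not
# DarkGate indicators. WS01 shows the MSI chain, WS02 a legitimate AutoIt
# developer box, WS03 a double-extension lure.
SAMPLE_EVENTS = [
    {"host": "WS01", "pid": 4120, "ppid": 1010,
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "original_file_name": "msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\Invoice.msi /qn"},
    {"host": "WS01", "pid": 4188, "ppid": 4120,
     "image": r"C:\Users\alice\AppData\Roaming\MSI\windbg.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "original_file_name": "windbg.exe",
     "cmdline": r"windbg.exe"},
    {"host": "WS01", "pid": 4210, "ppid": 4188,
     "image": r"C:\Users\alice\AppData\Roaming\MSI\au3.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\MSI\windbg.exe",
     "original_file_name": "AutoIt3.exe",   # renamed interpreter, PE name intact
     "cmdline": r"au3.exe test.au3"},
    {"host": "WS02", "pid": 900, "ppid": 600,
     "image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "original_file_name": "AutoIt3.exe",
     "cmdline": r"AutoIt3.exe C:\dev\build.au3"},   # legitimate developer use
    {"host": "WS03", "pid": 1200, "ppid": 800,
     "image": r"C:\Users\bob\Downloads\Report.pdf.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "original_file_name": "",
     "cmdline": r"Report.pdf.exe"},
]

# Document-looking name followed by an executable extension, e.g. Report.pdf.exe
MULTI_EXT = re.compile(
    r"\.(doc|docx|xls|xlsx|pdf|txt|jpg|png|gif)\.(exe|scr|com|bat|vbs|js)$", re.I)


def basename(path: str) -> str:
    """Case-folded file name; tolerates both slash styles and empty values."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_autoit3(ev: dict) -> bool:
    """AutoIt3 by image name, or by PE OriginalFileName when the binary was renamed."""
    return (basename(ev["image"]) == "autoit3.exe"
            or ev.get("original_file_name", "").lower() == "autoit3.exe")


def evaluate(ev: dict) -> list[str]:
    """Return the names of the story's detections that this single event satisfies."""
    hits = []
    child, parent = basename(ev["image"]), basename(ev["parent_image"])
    if is_autoit3(ev):
        hits.append("Windows AutoIt3 Execution")
    if parent == "msiexec.exe" and child == "windbg.exe":
        hits.append("Windows MSIExec Spawn WinDBG")
    if parent == "windbg.exe" and is_autoit3(ev):
        hits.append("Windows WinDBG Spawning AutoIt3")
    if MULTI_EXT.search(child):
        hits.append("Execution of File with Multiple Extensions")
    return hits


def run(events: Iterable[dict]) -> dict[str, list[tuple[int, str]]]:
    """Map host -> [(pid, detection name)] for every event that fired a detection."""
    findings = defaultdict(list)
    for ev in events:
        for name in evaluate(ev):
            findings[ev["host"]].append((ev["pid"], name))
    return dict(findings)


def full_chain_hosts(events: Iterable[dict]) -> set[str]:
    """Hosts where msiexec -> windbg -> AutoIt3 occurred as one linked pid chain.

    A lone AutoIt3 hit (WS02) is only as strong as its TTP/Anomaly label; the
    linked three-stage chain is what separates this story's MSI delivery from
    benign use of the same tools, so it is worth raising on its own.
    """
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    hosts = set()
    for host, evs in by_host.items():
        by_pid = {ev["pid"]: ev for ev in evs}
        for ev in evs:
            if "Windows WinDBG Spawning AutoIt3" not in evaluate(ev):
                continue
            windbg = by_pid.get(ev["ppid"])   # walk up to the spawning windbg
            if windbg and "Windows MSIExec Spawn WinDBG" in evaluate(windbg):
                hosts.add(host)
    return hosts


if __name__ == "__main__":
    for host, hits in run(SAMPLE_EVENTS).items():
        for pid, name in hits:
            print(f"{host} pid={pid}: {name}")
    print("full chain on:", sorted(full_chain_hosts(SAMPLE_EVENTS)))
```

Checking OriginalFileName rather than only the on-disk name is what keeps the renamed interpreter on WS01 visible; conversely, WS02 fires the single AutoIt3 detection but never the chain, which is the kind of validation against legitimate AutoIt use the description above calls for before promoting these searches to alerts.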
- Version: 1