Threat Research

DarkGate Malware

DarkGate is a complete toolkit that gives attackers extensive capabilities to fully compromise victim systems. It is loader/botnet malware and has been in the wild since 2017.

Infection Chain:

The analysis in this report is based on the sample below.

SHA256:1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7


In the DLL side-loading stage, a legitimate EXE found in the wild is paired with a malicious DLL, for example windbg.exe with a malicious dbgeng.dll, or KeyScrambler.exe with a malicious KeyScrambler.dll. The malicious DLL reads `data.bin`, which is extracted from the MSI, and obtains an additional payload that decrypts `data2.bin`, which contains the AutoIt launcher and the AutoIt script. The rest of the process is the same as in the VBScript chain.

DarkGate Final payload

C2 Communication

DarkGate encodes important constant strings in the binary, and data exchanged in C2 communication, with Base64 using the custom alphabet below.


zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=
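As an added example (not code from the Gurucul report), the following Python decoder handles this alphabet and scans a binary for encoded strings such as the C2 address. It assumes the scheme is a direct positional substitution of the standard Base64 alphabet and that encoded strings carry no padding, since "=" is the 64th data symbol here; the C2 address in the sample input is constructed.

```python
import base64
import re
import string

# Custom alphabet as shown on this page. "=" is the 64th symbol (it takes the
# place of "/"), so in DarkGate output it is data, not padding (assumption).
DARKGATE_ALPHABET = "zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+="
STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
assert len(DARKGATE_ALPHABET) == 64 == len(set(DARKGATE_ALPHABET))

# Position i of the custom alphabet maps to position i of the standard one.
_TO_STANDARD = str.maketrans(DARKGATE_ALPHABET, STANDARD_ALPHABET)
_TO_CUSTOM = str.maketrans(STANDARD_ALPHABET, DARKGATE_ALPHABET)


def darkgate_b64_decode(encoded: str) -> bytes:
    """Decode an (unpadded) DarkGate custom-Base64 string to raw bytes."""
    if set(encoded) - set(DARKGATE_ALPHABET):
        raise ValueError("input contains characters outside the DarkGate alphabet")
    standard = encoded.translate(_TO_STANDARD)
    standard += "=" * (-len(standard) % 4)  # restore the padding the malware omits
    return base64.b64decode(standard, validate=True)  # binascii.Error is a ValueError


def darkgate_b64_encode(raw: bytes) -> str:
    """Inverse transform, handy for building test vectors and detection content."""
    return base64.b64encode(raw).decode("ascii").rstrip("=").translate(_TO_CUSTOM)


def find_encoded_strings(blob: bytes, min_len: int = 16) -> list:
    """Scan a binary (e.g. its configuration region) for alphabet runs that decode
    to printable ASCII, such as the C2 address. Returns (offset, plaintext) pairs."""
    hits = []
    for match in re.finditer(rb"[A-Za-z0-9+=]{%d,}" % min_len, blob):
        try:
            decoded = darkgate_b64_decode(match.group().decode("ascii"))
        except ValueError:
            continue  # run length or content is not valid Base64
        if decoded and all(0x20 <= b < 0x7F for b in decoded):
            hits.append((match.start(), decoded.decode("ascii")))
    return hits


if __name__ == "__main__":
    # Constructed sample: a made-up C2 address embedded between filler bytes.
    c2 = b"http://c2.example.invalid:2351"
    sample = b"\x00" * 8 + darkgate_b64_encode(c2).encode("ascii") + b"\x00" * 8
    print(find_encoded_strings(sample))  # [(8, 'http://c2.example.invalid:2351')]
```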

Configuration

DarkGate loads its configuration from the binary. The C2 server address is encoded with the custom Base64 alphabet; the other settings are stored either as plain text in the binary or encoded with the same custom Base64. Plain-text DarkGate settings are formed as follows.

AntiVirus Bypass Detections:

DarkGate detects installed anti-virus products and classifies them into the ten types listed below.


DarkGate Functionalities:

We now turn to the malicious actions DarkGate can perform. Because the C2 server can send a large number of commands, we have grouped them into categories for clearer explanation.


Keylogging

Keylogging executes immediately after initial setup, regardless of the C2 command.


Collect Information


Manage Files


Steal Credentials

We can see that NirSoft utilities are used to steal various types of information.


Remove Data/Backups

DarkGate performs various malicious actions by making use of programs or processes related to the browser.

Privilege Escalation

One method is using PsExec to obtain SYSTEM privileges.


Inspect Network

The following registry values are inspected:

Software\Microsoft\Windows\CurrentVersion\Internet Settings

- Key: ProxyEnable
- Key: ProxyServer


GUI Control

DarkGate supports remote control of the victim's display. Attackers can use a virtual (hidden) display via Hidden VNC or Hidden AnyDesk.


Reverse Shell

DarkGate also supports traditional reverse shells. However, interaction with the reverse shell must be done through DarkGate itself.


Run & Manage Processes

Managing DarkGate

Attackers can enable the test mode of some functions or debug messages to check DarkGate status.

MITRE ATT&CK TACTICS AND TECHNIQUES Covered by GRA:


| Tactic | Technique | ID | GRA Detection |
| --- | --- | --- | --- |
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | 1 |
| Persistence | Boot or Logon AutoStart Execution: Registry Run Keys / Startup Folder | T1547.001 | 19 |
| Privilege Escalation | Process Injection: Process Hollowing | T1055.012 | 1 |
| Defense Evasion | Access Token Manipulation: Parent PID Spoofing | T1134.004 | 5 |
| Defense Evasion | Hijack Execution Flow | T1574.002 | 2 |
| Defense Evasion | Indicator Removal | T1070.004 | 6 |
| Defense Evasion | Process Injection: Process Hollowing | T1055.012 | 1 |
| Credential Access | Credentials from Password Stores | T1555, T1083 | 6 |
| Credential Access | Credentials from Web Browsers | T1555.003 | 8 |
| Credential Access | Steal Web Session Cookie | T1555.003 | 2 |
| Discovery | Browser Information Discovery | T1217 | 4 |
| Collection | Archive Collected Data: Archive via Utility | T1560.001 | 4 |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | 2 |
| Command and Control | Remote Access Software | T1219 | 14 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | 1 |
| Impact | System Shutdown/Reboot | T1529 | 3 |


About the Author: Rudra Pratap

Rudra Pratap, Security Research Manager, Gurucul

Rudra Pratap is a Security Research Manager and heads Threat Research at Gurucul with over 12 years of experience in security research and development. Rudra’s expertise spans a wide range of cybersecurity domains, including cloud & endpoint protection, threat detection & response and advanced persistent threats (APTs). He has authored multiple research papers and presented at conferences, sharing insights on topics such as industry threats and cyber espionage campaigns. With a strong background in security research, Rudra has made significant contributions to industry giants like Microsoft and FireEye.