DarkGate is a loader/botnet malware family that gives attackers a complete toolkit for fully compromising victim systems. It has been observed in the wild since 2017.
The analysis in this report is based on the following sample:
SHA256: 1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7
In the DLL side-loading stage, a clean, legitimate EXE is paired with a malicious DLL that the EXE loads by name, for example `windbg.exe` with a malicious `dbgeng.dll`, or `KeyScrambler.exe` with a malicious `KeyScrambler.dll`. The malicious DLL reads `data.bin`, which is extracted from the MSI, to obtain an additional payload that decrypts `data2.bin`; `data2.bin` contains the AutoIt launcher and the AutoIt script. The rest of the chain is the same as in the VBScript variant.
DarkGate encodes important constant strings in the binary, as well as data exchanged with the C2, using Base64 with the following custom alphabet:
`zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=`
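Because this alphabet has the same 64 positions as the standard one, strings can be decoded by translating each character to its standard counterpart and handing the result to a stock Base64 decoder. The block below is an added example written for this page, not code from the report or from DarkGate itself: an encoder/decoder for the alphabet above, plus a small carver that pulls candidate encoded strings out of a binary blob. It assumes that `=` is a data symbol (it occupies the 64th position) rather than a padding character, so padding is reconstructed from the length; the sample blob, the hypothetical C2 address in it and the 16-character minimum run length are constructed for the example and are not indicators from the sample.

```python
import base64
import binascii
import re
from typing import List

# Custom alphabet as listed in the report. Position i of this string stands
# for the same 6-bit value as position i of the standard Base64 alphabet.
DARKGATE_ALPHABET = "zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+="
STANDARD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
assert len(DARKGATE_ALPHABET) == 64 and len(set(DARKGATE_ALPHABET)) == 64

_TO_STANDARD = str.maketrans(DARKGATE_ALPHABET, STANDARD_ALPHABET)
_TO_DARKGATE = str.maketrans(STANDARD_ALPHABET, DARKGATE_ALPHABET)


def darkgate_b64decode(text: str) -> bytes:
    """Decode a string written in the custom alphabet.

    Assumption (not stated in the report): '=' is a data symbol here, not
    padding, so padding is reconstructed from the length instead.
    """
    std = text.strip().translate(_TO_STANDARD)
    std += "=" * (-len(std) % 4)
    # validate=True rejects any character outside the standard alphabet,
    # i.e. anything that was not in the custom alphabet either.
    return base64.b64decode(std, validate=True)


def darkgate_b64encode(data: bytes) -> str:
    """Encode bytes with the custom alphabet, emitting no padding."""
    std = base64.b64encode(data).decode("ascii").rstrip("=")
    return std.translate(_TO_DARKGATE)


# Runs of alphabet characters long enough to be worth trying to decode.
# The 16-character threshold is an arbitrary choice for this example.
_CANDIDATE_RE = re.compile(rb"[" + re.escape(DARKGATE_ALPHABET.encode("ascii")) + rb"]{16,}")


def carve_candidates(blob: bytes) -> List[bytes]:
    """Return the decoded form of every alphabet run in blob that decodes cleanly."""
    found = []
    for match in _CANDIDATE_RE.finditer(blob):
        try:
            found.append(darkgate_b64decode(match.group().decode("ascii")))
        except (binascii.Error, ValueError):
            # A run of alphabet characters that is not actually encoded data
            # (wrong length mod 4, for instance) is skipped.
            continue
    return found


# Constructed sample: a fake binary fragment with one encoded C2 address inside.
# 203.0.113.10 is a documentation address, not a real indicator.
SAMPLE_C2 = b"http://203.0.113.10:2351"
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + darkgate_b64encode(SAMPLE_C2).encode("ascii")
    + b"\x00\xff\x00"
)

if __name__ == "__main__":
    print(darkgate_b64encode(SAMPLE_C2))
    for item in carve_candidates(SAMPLE_BLOB):
        print(item)
```

Running the carver over a real unpacked payload will also produce false positives: any long run of letters and digits is a legal alphabet run, so the decoded output still has to be inspected (a decoded C2 address is printable ASCII, random-looking bytes are usually noise).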
DarkGate loads its configuration from the binary. The C2 server address is encoded with the custom Base64 alphabet; the other settings are stored either as plain text in the binary or encoded with the same custom Base64. The plain-text settings are formatted as follows:
DarkGate fingerprints the installed anti-virus product, classifying it into one of the ten types listed below.
We now turn to the malicious actions DarkGate can perform. Because the C2 can send a large number of commands, we have grouped them into categories for clarity.
Keylogging starts immediately after initial setup, without waiting for a C2 command.
Legitimate NirSoft utilities are used to steal various types of information.
DarkGate performs various malicious actions by abusing browser-related programs and processes.
One method is to use PsExec to obtain SYSTEM privileges.
Registry key: `Software\Microsoft\Windows\CurrentVersion\Internet Settings`
— Value: ProxyEnable
— Value: ProxyServer
DarkGate supports remote control of the victim's desktop. Attackers can work on a hidden virtual display through Hidden VNC (hVNC) or a hidden AnyDesk session.
DarkGate also supports traditional reverse shells. However, interaction with the reverse shell must go through DarkGate itself.
Attackers can enable a test mode for some functions, or turn on debug messages, to check DarkGate's status.
| Tactic | Technique | ID | Use | GRA Detection |
|---|---|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | 1 | |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | 19 | |
| Privilege Escalation | Process Injection: Process Hollowing | T1055.012 | 1 | |
| Defense Evasion | Access Token Manipulation: Parent PID Spoofing | T1134.004 | 5 | |
| Defense Evasion | Hijack Execution Flow: DLL Side-Loading | T1574.002 | 2 | |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | 6 | |
| Defense Evasion | Process Injection: Process Hollowing | T1055.012 | 1 | |
| Credential Access | Credentials from Password Stores | T1555 | 6 | |
| Credential Access | Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | 8 | |
| Credential Access | Steal Web Session Cookie | T1539 | 2 | |
| Discovery | Browser Information Discovery | T1217 | 4 | |
| Collection | Archive Collected Data: Archive via Utility | T1560.001 | 4 | |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | 2 | |
| Command and Control | Remote Access Software | T1219 | 14 | |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | 1 | |
| Impact | System Shutdown/Reboot | T1529 | 3 | |
About the Author:
Rudra Pratap, Security Research Manager, Gurucul
Rudra Pratap is a Security Research Manager and heads Threat Research at Gurucul with over 12 years of experience in security research and development. Rudra’s expertise spans a wide range of cybersecurity domains, including cloud & endpoint protection, threat detection & response and advanced persistent threats (APTs). He has authored multiple research papers and presented at conferences, sharing insights on topics such as industry threats and cyber espionage campaigns. With a strong background in security research, Rudra has made significant contributions to industry giants like Microsoft and FireEye.