DarkGate Malware Report

DarkGate is a malware family that has been active since 2017 but has recently been associated with a significant surge in operations and targeting. DarkGate is a multi-purpose malware toolkit that includes features for evading detection, escalating privileges, remote code execution, keylogging, and data theft from web browsers and Discord. The malware applies various techniques such as obfuscating malicious code in AutoIT scripts and the utilisation of shellcode to decrypt and launch the final payload.

Throughout recent months, the rate of DarkGate malware deployment has increased via several cyber -attack vectors, including phishing and malvertising. Intelligence has revealed that phishing campaigns linked to the deployment of DarkGate malware contains a malicious VBScript that triggers the infection chain leading to the installation of the loader.

The malware was initially advertised for rent by a threat actor named ‘RastaFarEye’, with cryptocurrency being the only accepted form of payment. As of the time of writing, the price for renting DarkGate ranges from US$1,000 for one day to US$100,000 per year.

A new Microsoft Teams phishing campaign was recently detected that was associated with the delivery of malicious attachments, resulting in the installation of the DarkGate Loader malware. As with previous campaigns, the attack chain involved the phishing messages being sent by compromised external Office 365 accounts to target organisations. It has been assessed to be highly likely that the recent spike in DarkGate operations is to be attributed to the developer renting the malware to a limited number of affiliates.

Impact

DarkGate is a potent malware that supports a wide range of malicious operations, including cryptocurrency mining, reverse shell establishment, keylogging, clipboard and system information stealing. As such, installation of the malware on target systems will almost certainly result in the compromise of the integrity of data.

Incident Detection

Recent campaigns have shown that DarkGate is continually developing via the addition of new components and obfuscation techniques to conceal its infection chain. However, a comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against malware threats like that implemented by DarkGate. EDR solutions can alert system users of potential breaches and prevent further progress prior to the malware implementing significant damage.