Overview

DarkGate is a malware family that has been active since 2017 and has recently been associated with a significant surge in operations and targeting. It is a multi-purpose malware toolkit with features for evading detection, escalating privileges, remote code execution, keylogging, and data theft from web browsers and Discord. The malware applies various techniques, including obfuscating malicious code in AutoIT scripts and using shellcode to decrypt and launch the final payload.

Throughout recent months, the rate of DarkGate deployment has increased via several cyber-attack vectors, including phishing and malvertising. Intelligence has revealed that the phishing campaigns linked to DarkGate deliver a malicious VBScript that triggers the infection chain leading to the installation of the loader.

The malware was initially advertised for rent by a threat actor named ‘RastaFarEye’, with cryptocurrency being the only accepted form of payment. As of the time of writing, the price for renting DarkGate ranges from US$1,000 for one day to US$100,000 per year.

A new Microsoft Teams phishing campaign was recently detected delivering malicious attachments that result in the installation of the DarkGate Loader malware. As with previous campaigns, the phishing messages were sent to target organisations from compromised external Office 365 accounts. It is assessed as highly likely that the recent spike in DarkGate operations is attributable to the developer renting the malware to a limited number of affiliates.
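The two stages described above (a VBScript launched through a Windows script host, followed by an AutoIT interpreter running an obfuscated script) can be surfaced from ordinary process-creation telemetry. The following triage script is an added example and is not part of the Quorum Cyber report; the event fields, the "user-writable" path patterns, the AutoIt install directory, and the sample events are all assumptions made for illustration rather than indicators taken from the report.

```python
"""Triage Windows process-creation events for the DarkGate delivery pattern
described above: a VBScript stage run by wscript/cscript, followed by an
AutoIt interpreter executing a script, correlated through the parent chain.

Event schema, path heuristics and sample data are assumptions for this
example; they are not indicators published in the report.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
AUTOIT_RE = re.compile(r"^autoit3(_x64)?\.exe$", re.IGNORECASE)
# Assumed locations a phishing attachment is likely to execute from.
USER_WRITABLE_RE = re.compile(
    r"\\(downloads|temp|tmp|appdata\\local\\temp|inetcache)\\", re.IGNORECASE)
# Assumed legitimate install location for the AutoIt interpreter.
STANDARD_AUTOIT_DIR_RE = re.compile(
    r"^c:\\program files( \(x86\))?\\autoit3\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # full command line


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _script_arg(cmdline):
    """Return the first argument that looks like a VBScript or AutoIt script."""
    for tok in re.findall(r'"[^"]+"|\S+', cmdline)[1:]:
        tok = tok.strip('"')
        if tok.lower().endswith((".vbs", ".vbe", ".au3", ".a3x")):
            return tok
    return None


def classify(ev):
    """Tag a single event; returns a list of tag strings (possibly empty)."""
    tags = []
    name = _basename(ev.image)
    script = _script_arg(ev.cmdline)
    if name in SCRIPT_HOSTS and script and script.lower().endswith((".vbs", ".vbe")):
        tags.append("vbscript_host")
        if USER_WRITABLE_RE.search(script):
            tags.append("vbscript_from_user_writable")
    if AUTOIT_RE.match(name):
        tags.append("autoit_interpreter")
        if not STANDARD_AUTOIT_DIR_RE.match(ev.image):
            tags.append("autoit_outside_install_dir")
    return tags


def triage(events):
    """Tag every event, then report each AutoIt interpreter whose ancestor
    (up to three hops) is a flagged VBScript host as one delivery chain."""
    tagged = {ev.pid: (ev, classify(ev)) for ev in events}
    findings = []
    for ev, tags in tagged.values():
        if "autoit_interpreter" not in tags:
            continue
        ppid, hops = ev.ppid, 0
        while ppid in tagged and hops < 3:
            parent, ptags = tagged[ppid]
            if "vbscript_host" in ptags:
                findings.append({"script_pid": parent.pid, "autoit_pid": ev.pid,
                                 "tags": sorted(set(tags) | set(ptags))})
                break
            ppid, hops = parent.ppid, hops + 1
    return findings


def sample_events():
    """Constructed sample telemetry (not real data): one suspicious chain
    plus two benign uses of the same binaries."""
    return [
        ProcEvent(100, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
        ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
                  r'wscript.exe "C:\Users\alice\Downloads\Invoice.vbs"'),
        ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c start"),
        ProcEvent(400, 300, r"C:\Users\alice\AppData\Local\Temp\abc\Autoit3.exe",
                  r"Autoit3.exe C:\Users\alice\AppData\Local\Temp\abc\script.a3x"),
        # benign: developer running AutoIt from its install directory
        ProcEvent(500, 100, r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
                  r"AutoIt3.exe C:\dev\build.au3"),
        # benign: built-in Windows script run by an administrator
        ProcEvent(600, 100, r"C:\Windows\System32\cscript.exe",
                  r"cscript.exe C:\Windows\System32\slmgr.vbs /dli"),
    ]


def run_sample():
    return triage(sample_events())


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

On the constructed sample this reports exactly one chain, linking the script host that ran the attachment (pid 200) to the AutoIt interpreter in the temp directory (pid 400), while the developer's AutoIt run and the administrator's slmgr.vbs invocation produce no finding. The parent-chain walk is what keeps the rule from firing on every stray AutoIt process; adjust the hop limit and path patterns to the telemetry you actually collect.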

Further Malware Reports from Quorum Cyber
