Infections with DarkGate malware have been increasing in recent weeks. DarkGate malware was first identified in 2017 but was only used in limited attacks as the developer chose to use the malware privately against highly specific targets; however, over the summer the malware started being advertised on Russian-language cybercriminal forums and the developer has recruited a limited number of affiliates under the malware-as-a-service model. Reportedly, the developer offered the malware for sale to 10 people for an annual cost of $100,000.
DarkGate malware is written in Delphi and primarily serves as a malware loader, capable of downloading and executing other malware payloads. Typically, the malware payloads are executed in the memory which makes them hard to detect, since no files are written to the disk. The malware can also steal browser histories and Discord tokens and has a Windows Defender exclusion, reverse shell, hidden VNC, and keylogging capabilities.
The malware uses a variety of mechanisms to evade detection, including conducting checks for identifiers used by virtual machines, sandboxes, and anti-virus solutions and will alter its behavior based on the results of the checks, and has persistence mechanisms to ensure it is reloaded on reboot.
The advertising campaign appears to have been successful as distribution of the malware has increased significantly through spamming and phishing campaigns. One of those phishing campaigns uses compromised Office 365 accounts to send phishing messages that deliver DarkGate malware via Microsoft Teams messages.
Researchers at TrueSec identified messages that tricked recipients into clicking a link in the message that directs the or a SharePoint-hosted file called “Changes to the vacation schedule.zip” with the message advising employees that due to circumstances out of the company’s control, vacation time for certain employees has been canceled. The Zip file contains a malicious LNK file which masquerades as a PDF file with the same name as the zip file. Clicking the file will launch a VBScript file that will ultimately lead to the downloading and execution of DarkGate malware. Microsoft has security features to block attacks such as this – Safe Attachments and Safe Links – but neither of these features identified the file or link as malicious.
Other distribution campaigns have been detected in recent months, including a malvertising campaign that uses Google Ads to direct web users to a malicious site where the malware is hosted. The web page used in this campaign offered a legitimate network scanning tool, and while that tool was provided, extra files were bundled with the installation file that executed DarkGate malware.
Businesses are encouraged to defend against attacks through a defense-in-depth approach, involving multiple layers of protection such as an advanced AI-driven spam filtering solution, web filter, and endpoint protection software. Web filters will protect against malvertising campaigns, redirects to malicious websites, and malicious file downloads from the web. The increases in the use of SMS, Teams, and instant messaging services for distributing malicious links means these methods of link distribution should be incorporated into your security awareness training programs.
If you are interested in improving email security, web security, and security awareness training, contact TitanHQ today for more information on SpamTitan, WebTitan, and SafeTitan.