A recent increase in DarkGate malware activity has been linked to the developer’s decision to lease the malware to a select group of affiliates, Telekom Security reports.
The malware, named DarkGate, has been observed in a malspam campaign that exploits hijacked email threads to deceive victims into downloading the malicious software. Security researcher Igal Lytzki’s findings are a basis for the report, revealing a “high volume campaign” that uses this tactic to spread the malware.
DarkGate attacks begin with a phishing URL, leading victims to an MSI payload through a traffic direction system. A multi-stage process is triggered upon opening the MSI file, employing an AutoIt script to execute shellcode, which in turn decrypts and launches DarkGate using a crypter. Additionally, a Visual Basic Script variation has been observed, replacing the MSI file with cURL to retrieve the AutoIt executable and script file.
Sold predominantly on underground forums by a figure known as RastaFarEye, DarkGate comes with an array of capabilities, including evading security software, setting up persistence via Windows Registry changes, escalating privileges, and pilfering data from various applications. The malware interacts with a command-and-control (C2) server for tasks like data exfiltration, launching cryptocurrency miners, capturing screenshots remotely, and executing other commands.
DarkGate is available as a subscription ranging from $1,000 per day to $100,000 per year, being promoted as the “ultimate tool for pentesters/redteamers” with unique features. Notably, earlier versions of DarkGate also included a ransomware module.
Phishing attacks, such as those distributing DarkGate, continue to be a prominent delivery mechanism for malware, with cyber threat actors constantly enhancing their tactics. A recent HP Wolf Security report underscores email as the top vector for malware delivery, constituting 79% of threats detected in Q2 2023.
