Hackers leverage the trustworthiness of widely used file formats like XLSX, HTML, and PDF to disseminate malware via phishing emails. Forcepoint researchers uncovered Darkgate malware’s propagation through such attachments, posing serious threats like data compromise and fraud. In a recent incident, a fraudulent Intuit Quickbooks invoice PDF duped recipients into downloading a malicious .jar file, masquerading as a Java installer, initiating a series of concealed downloads and executions.
The phishing emails employed in the Darkgate campaign resemble authentic invoices, enticing victims to click on links that facilitate malware installation. Analysis by Forcepoint X-Labs reveals the malware’s utilization of obfuscated AutoIt scripts and PowerShell commands to download and execute additional malicious payloads, including MSI files. These payloads exploit system resources and establish connections to remote servers, ultimately forming a botnet under the attackers’ control.
Darkgate’s sophisticated tactics, characterized by obfuscation and remote communication, underscore its status as an advanced persistent threat (APT). Its adept blending of professional techniques with historical URL patterns highlights its persistence and adaptability, posing substantial risks to targeted individuals and organizations. Thus, heightened awareness and robust security measures are imperative to safeguard against such pervasive threats in the cybersecurity landscape.
