| Attribute | Detail |
|---|---|
| Type of Malware | Cryptocurrency mining, crypto stealing, ransomware |
| Date of initial activity | 2017 |
| Motivation | Ransomware attack, credential stealing, remote-access takeovers, and cryptomining |
| Attack Vectors | Torrent files |
| Targeted System | Windows devices mainly in Europe |
DarkGate is a multifunction malware family active since December 2017 that combines ransomware, credential stealing, RAT, and cryptomining capabilities. Targeting mostly the Windows OS, DarkGate employs a variety of evasion techniques.
It is mainly used to attack companies in the finance, consumer goods, and energy sectors, and is also used against the manufacturing industry.
Tools/Techniques Used
DarkGate malware is capable of avoiding detection by several AV products and of executing multiple payloads, including cryptocurrency mining, crypto stealing, ransomware, and remote takeover of the endpoint. One of the unique techniques used by DarkGate lies in its multi-stage unpacking method: the first file executed is an obfuscated VBScript file, which functions as a dropper and performs several actions. According to enSilo's blog post, the torrent files responsible for distributing this malware are disguised as popular entertainment titles such as The Walking Dead and Campeones; in reality, these files execute infected VBScripts on the victim's computer. After infecting the machine, the malware first contacts the C&C server to initiate the mining process, and later carries out its other attacks.
The critical elements of the DarkGate malware are that it:
- Leverages a C&C infrastructure cloaked in legitimate DNS records from legitimate services, including Akamai CDN and AWS, which helps it avoid reputation-based detection techniques
- Uses multiple methods for avoiding detection by traditional AV using vendor-specific checks and actions, including the use of the process hollowing technique
- Has the ability to evade the elimination of critical files by several known recovery tools
- Uses two distinct User Account Control (UAC) bypass techniques to escalate privileges
- Is capable of detonating multiple payloads with capabilities that include cryptocurrency mining, crypto stealing (theft of credentials associated with crypto wallets), ransomware, and remote control
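The delivery chain described above (a VBScript dropper arriving via a torrent-delivered media lure, then moving to its next stage) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from the original page or from enSilo; it parses constructed, Sysmon-style process-creation records with hypothetical field names (`pid`, `image`, `cmd`, `parent`) and flags a Windows script host running a `.vbs` from a download/torrent folder, a media-style double extension on that script, and a script host spawning a child process. The folder names and lure filenames are constructed for illustration; the titles are the ones the text mentions.

```python
"""Detection heuristics for a torrent-delivered VBScript dropper chain.

Added example (not from the original page or vendor). Input records are
constructed, Sysmon-like process-creation events in a hypothetical
"key=value|key=value" format.
"""
import re
from dataclasses import dataclass

# Windows script hosts that execute .vbs droppers.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Folder names that suggest a torrent-delivered file (constructed list).
SUSPECT_DIRS = re.compile(r"\\(downloads|torrents?|utorrent|bittorrent)\\", re.IGNORECASE)

# A media extension immediately before .vbs, e.g. "show.S01E01.mp4.vbs",
# is the classic "entertainment offering" lure shape.
MEDIA_DOUBLE_EXT = re.compile(r"\.(mp4|mkv|avi|mp3)\.vbs$", re.IGNORECASE)

# First .vbs path on the command line, quoted or bare.
VBS_ARG = re.compile(r'"([^"]+\.vbs)"|(\S+\.vbs)', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the newly created process
    command_line: str
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'pid=..|image=..|cmd=..|parent=..' record."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return ProcEvent(int(fields["pid"]), fields["image"],
                     fields["cmd"], fields["parent"])


def classify(ev: ProcEvent) -> list:
    """Return the detection labels that apply to a single event."""
    findings = []
    img = basename(ev.image)
    parent = basename(ev.parent_image)

    if img in SCRIPT_HOSTS:
        m = VBS_ARG.search(ev.command_line)
        if m:
            script = m.group(1) or m.group(2)
            if SUSPECT_DIRS.search(script):
                findings.append("vbs_from_download_dir")
            if MEDIA_DOUBLE_EXT.search(script):
                findings.append("media_lure_double_extension")

    # A script host launching another binary is the dropper moving on
    # to its next stage; benign admin scripts rarely need to do this.
    if parent in SCRIPT_HOSTS and img not in SCRIPT_HOSTS:
        findings.append("script_host_spawned_child")
    return findings


def scan(lines) -> dict:
    """Map pid -> findings for every event that triggered at least one rule."""
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        found = classify(ev)
        if found:
            alerts[ev.pid] = found
    return alerts


# Constructed sample telemetry: one lure-style dropper chain and two benign events.
SAMPLE_LOG = [
    'pid=4120|image=C:\\Windows\\System32\\wscript.exe'
    '|cmd=wscript.exe "C:\\Users\\bob\\Downloads\\The.Walking.Dead.S09E01.mp4.vbs"'
    '|parent=C:\\Windows\\explorer.exe',
    'pid=4188|image=C:\\Windows\\System32\\cmd.exe'
    '|cmd=cmd.exe /c start dropped.exe'
    '|parent=C:\\Windows\\System32\\wscript.exe',
    'pid=5000|image=C:\\Windows\\System32\\wscript.exe'
    '|cmd=wscript.exe C:\\Scripts\\inventory.vbs'
    '|parent=C:\\Windows\\System32\\svchost.exe',
    'pid=5100|image=C:\\Program Files\\Notepad++\\notepad++.exe'
    '|cmd=notepad++.exe notes.txt'
    '|parent=C:\\Windows\\explorer.exe',
]

if __name__ == "__main__":
    for pid, labels in scan(SAMPLE_LOG).items():
        print(pid, labels)
```

The three labels are deliberately separate so they can be weighted: a `.vbs` in a downloads folder alone is noisy, but the same process also carrying a media double extension, or a script host that then spawns a child, is the combination worth paging on. In a real deployment the parser would be replaced by the SIEM's own Sysmon Event ID 1 fields; the rule logic stays the same.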