In a recent and significant move, the DarkGate malware has left AutoIt scripts behind, instead adopting the use of AutoHotkey for the final stages of its attacks. This change, identified in DarkGate version 6 released in March 2024 by the developer known as RastaFarEye, shows cybercriminals’ constant efforts to stay one step ahead of security solutions.
Innovation in Malware Delivery
DarkGate, active since at least 2018, is a sophisticated remote access trojan (RAT) that offers command and control (C2) capabilities and rootkit functions. It is designed with modules for credential theft, keylogging, screenshot capture, and remote desktop control. Recently, McAfee Labs researchers documented DarkGate’s use of AutoHotkey in April 2024, a strategy that uses vulnerabilities such as CVE-2023-36025 and CVE-2024-21412 to bypass Microsoft Defender SmartScreen protections via attachments in phishing emails.
Infection Techniques
DarkGate campaigns use a variety of methods to infect systems. One recent approach involves using Excel files with embedded macros that run Visual Basic scripts, which then invoke PowerShell commands to launch an AutoHotkey script. This script downloads and decodes the DarkGate payload from a text file, thereby bypassing traditional cybersecurity defenses.
Improvements in Version 6
DarkGate version 6 not only includes new functionality, but has also removed some features from previous versions to reduce the possibility of detection. Among the new capabilities are audio recording, mouse control, and keyboard management. However, features such as privilege escalation, cryptomining, and HVNC (Hidden Virtual Network Computing) have been removed. Ernesto Fernandez Provecho, a security researcher at Trellix, suggests that these modifications may be a response to the specific demands of customers who purchase DarkGate.
Broader Context
In addition to the updates to DarkGate, there has been an increase in the abuse of legitimate services such as Docusign, with cybercriminals selling customizable phishing templates on underground forums. These templates, designed to mimic legitimate document signing requests, seek to trick recipients into clicking on malicious links or revealing sensitive information.
Conclusion
DarkGate’s constant evolution underscores the dynamic nature of today’s cyber threats. For organizations, it is crucial to stay on top of these advanced tactics and continually update their defense strategies. Collaboration between security researchers and the implementation of proactive measures are essential to mitigate the risks associated with sophisticated malware such as DarkGate.