Cybersecurity researchers have shed light on a (thankfully!) short-lived campaign of the DarkGate malware that exploited Samba file shares to initiate infections.
How DarkGate Malware Was Stopped by Cybersecurity Experts
Palo Alto Networks’ Unit 42 group said that the activity spanned March and April 2024, with DarkGate malware infection chains using publicly accessible Samba file share servers hosting Visual Basic Script (VBS) and JavaScript files; DarkGate malware targets included multiple countries across North America, Europe, and parts of Asia.
“This was a relatively short campaign that illustrates how cybercriminals can creatively abuse legitimate tools and services to distribute their malware,” said security researchers Vishwa Thothathri, Yijie Sui, Anmol Maurya, Uday Pratap Singh, and Brad Duncan.
From the origins of the DarkGate malware to the end of its short life
According to past Fortinet publications, the DarkGate malware first appeared in 2018 and has since evolved into a malware-as-a-service (MaaS) offering used by a small, controlled number of customers; the malware can remotely control compromised hosts, execute code, mine cryptocurrency, launch reverse shells, and drop additional payloads.
Attacks involving the DarkGate malware have increased significantly in recent months, following the dismantling of the QakBot infrastructure by law enforcement agencies of various nations in August 2023.
Technical Analysis of DarkGate Malware
The campaign documented by Unit 42 begins with Microsoft Excel files (.xlsx) which, once opened, urge targets to click an “Open Embedded” button, which in turn retrieves and runs VBS code hosted on a Samba file share.
That VBS code then retrieves and executes a PowerShell script, which is used to download a DarkGate package based on the AutoHotKey programming language (an open source scripting language for Microsoft Windows).
Alternative sequences that use JavaScript files instead of VBS are not that different in the end (if you are in the industry you know what I mean!): they are likewise designed to download and run the next-stage PowerShell script.
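The delivery chain described above (script host loading a VBS or JavaScript file from an SMB share, then PowerShell, then AutoHotKey) can be hunted for in endpoint telemetry. The following is added detection logic, not code from Unit 42 or from this article; it runs over constructed Sysmon-style process-creation events (the PIDs, the 203.0.113.10 host and the file paths are hypothetical) and flags a script host launched from a UNC path that spawns PowerShell, optionally followed by an AutoHotKey child.

```python
"""Flag the DarkGate-style chain: wscript/cscript run from a UNC (SMB) path
-> powershell.exe -> (optionally) AutoHotkey.exe, using process-creation events."""
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "cmdline": "EXCEL.EXE invoice.xlsx"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "\\203.0.113.10\share\loader.vbs"'},       # VBS from SMB share
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c <download next stage>"},
    {"pid": 103, "ppid": 102, "image": r"C:\Users\Public\AutoHotkey.exe",
     "cmdline": r"AutoHotkey.exe C:\Users\Public\script.ahk"},            # AutoHotKey package
    # Benign: a local logon script with no UNC path and no PowerShell child.
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\scripts\cleanup.vbs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .vbs or .js file referenced through a UNC path such as \\host\share\file.vbs
UNC_SCRIPT = re.compile(r"\\\\[^\\\s\"]+\\[^\s\"]+\.(?:vbs|js)\b", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_darkgate_like_chains(events: List[dict]) -> List[List[int]]:
    """Return PID chains [script host, powershell, autohotkey...] where a VBS/JS
    script loaded from a UNC path spawns PowerShell. The AutoHotKey child is
    appended when present but is not required for the chain to be reported."""
    children: Dict[int, List[dict]] = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    chains: List[List[int]] = []
    for e in events:
        if _basename(e["image"]) not in SCRIPT_HOSTS or not UNC_SCRIPT.search(e["cmdline"]):
            continue
        for ps in children.get(e["pid"], []):
            if _basename(ps["image"]) != "powershell.exe":
                continue
            chain = [e["pid"], ps["pid"]]
            for child in children.get(ps["pid"], []):
                if "autohotkey" in _basename(child["image"]):
                    chain.append(child["pid"])
            chains.append(chain)
    return chains


if __name__ == "__main__":
    print(find_darkgate_like_chains(SAMPLE_EVENTS))  # [[101, 102, 103]]
```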
In essence, the DarkGate malware works by scanning for various anti-malware programs and checking CPU information to determine whether it is running on a physical host or in a virtual environment, which hinders analysis and helps it evade detection by antivirus and anti-malware software; in addition, it examines the processes running on the host to detect reverse engineering tools, debuggers and even virtualization programs (such as VMware).
“DarkGate C2 [command and control] traffic uses unencrypted HTTP requests, but the data is obfuscated and appears as Base64 encoded text,” the researchers said, adding: “As DarkGate continues to evolve and refine its methods of infiltration and resistance to analysis, it remains a powerful reminder of the need for robust, proactive cybersecurity defenses.”
HTTPS vs HTTP: Why DarkGate Malware Uses HTTP Protocol
It should be noted that the requests use HTTP rather than HTTPS; they are not random noise and can be searched for in network traffic, which lies in the nature of the old HTTP protocol, now (almost) obsolete.
To put it very bluntly: the HTTP protocol does not establish a secure connection, which means that communication between your computer and a web server is exposed, and cyber criminals can intercept or steal your data.
#DarkGate #Malware #Campaign