Cyber attacks involving theoperation DarkGate malware-as-a-service (MaaS) have abandoned AutoIt scripts in favor of a AutoHotkey mechanism to deliver the final stages, underscoring ongoing efforts by anonymous cyber criminals to constantly stay abreast of detection measures.
The malware in question was already known previously since It disguises itself as a PDF file and until recently ran on popular instant messaging applications such as Skype and Microsoft Teams.
DarkGate and details on the evolution of cyber attacks
Updates regarding the malware have been seen in version 6 of DarkGate released in March 2024 by its developer RastaFarEyethat has sold the program on a subscription basis to approximately 30 customers; Operation DarkGate malware is estimated to have been active since at least 2018.
A full-featured Remote Access Trojan (RAT), DarkGate comes with command and control capabilities (also known as C2) and rootkits, e incorporates various modules for credential theft, keylogging and even screen capture and remote desktopa real James Bond made by virus, in short.
The word from the cybersecurity experts regarding the DarkGate operation
“DarkGate campaigns tend to adapt very quickly, modifying various components to try to evade security solutions,” has said Trellix security researcher Ernesto Fernández Provecho in an analysis on Monday. “This is the first time we find DarkGate using AutoHotKey, a not-so-common scripting interpreter, to launch DarkGate.“
It’s worth noting that DarkGate’s move to AutoHotKey was documented first by McAfee Labs in late April 2024, with exploitative attack chains security flaws such as CVE-2023-36025 and CVE-2024-21412 to bypass security protections Microsoft Defender SmartScreen using a Microsoft Excel or HTML attachment in phishing emails.
The exploitation of commonly used programs, such as those in the Office package, to convey malware
Alternative methods have been found to leverage Excel files with embedded macros as a conduit to execute a Visual Basic script file responsible for invoking PowerShell commands to ultimately launch an AutoHotKey script, which, in turn, recovers and decodes the DarkGate payload from a text file.
The latest version of DarkGate includes notable improvements in its configuration, evasion techniques and the list of supported commands, which now includes audio recording, mouse control and keyboard management functions.
What’s new in version 6 of DarkGate
“Version 6 not only includes new commands, but also lacks some of those from previous versions, such as privilege escalation, cryptomining or hVNC (Hidden Virtual Network Computing),” Fernández Provecho said, adding which could be an attempt to eliminate features that could allow detection.
“Furthermore, since DarkGate is sold to a small group of people, it is also possible that customers were not interested in these features, forcing RastaFarEye to remove them.”
The disclosure comes as cybercriminals have been found abusing Docusign by selling legitimate-looking customizable phishing templates in underground forums, turning the service into a breeding ground for phishers looking to steal credentials for phishing and email compromise scams business electronics (BEC).
“These fraudulent emails, meticulously designed to imitate legitimate document signature requests, lure unsuspecting recipients into clicking on malicious links or disclosing sensitive information,” Abnormal Security said.
#DarkGate #cyber #attacks #evolved
