eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
In the beginning of 2024, eSentire's Threat Response Unit (TRU) observed an increase in DarkGate malware infections. DarkGate is a commodity loader initially discovered in 2018 but has seen success through multiple iterations over the past six years. The loader is delivered through a variety of methods, including Microsoft Teams chat messages with attached Zip archives containing script files, Visual Basic Scripts (VBS) embedded in external Skype messages, phishing links, malvertising campaigns, and fake browser updates.
DarkGate has been observed loading multiple different pieces of malware over the years, including Danabot and SocGholish. The malware has previously utilized AutoIt for loading and has abused CVE-2024-21412 (CVSS:8.1), an Internet Shortcut File (LNK) security feature bypass vulnerability.
In early 2024, eSentire’s TRU team received a quarantined malicious email for analysis. The subject line indicated that the email, masquerading as an invoice, originated externally (Figure 1).
Figure 1: Phishing email subject line
The email included a PDF attachment named KA-6180574967.pdf (Figure 2).
Figure 2: Embedded PDF attachment viewed in EML file
Upon opening the PDF file, the user is met with a deceptive Chrome error page, urging them to download the file to view its contents (Figure 3).
Figure 3: Deceptive Chrome error page
The download link leads to a malicious URL with a ClickCease monitor in the initial segment, which is a Google-certified click-tracking service. The second part of the URL corresponds to the actual monitored destination where the user is redirected (Figure 4).
Figure 4: Redirect URL
The final website initiates the download of an invoice themed Zip archive (Figure 5).
Figure 5: Final page serving the ZIP archive containing the Internet Shortcut file
Upon extracting the contents of the Zip archive, the user encounters a malicious Internet Shortcut (URL) file masquerading as an invoice PDF document (Figure 6).
Figure 6: Internet Shortcut file disguising as a PDF document
The URL file is configured to download and execute a malicious Portable Executable (PE) file named reader_update.exe, which masquerades as Adobe Reader (Figure 7).
Figure 7: The content of the Internet Shortcut file
In the analysis process, the Zip archive was downloaded, and contents were extracted to acquire the PE file (Figure 8).
Figure 8: Retrieved ZIP archive with AutoIt script
Upon analysis it was discovered that the fake Adobe update file was a compiled AutoIT script in the executable format.
DarkGate Malware Analysis
Upon execution, this PE file carries out the following actions (Figure 9):
Creates a directory at C:\test
Downloads three files (AutoIt3.exe, script.a3x, and test.txt) into this folder
Executes Autoit3.exe with the argument script.a3x
Figure 9: The deobfuscated AutoIt script
These files were manually downloaded for additional analysis (Figure 10).
Figure 10: Additional files retrieved from the previous AutoIt script
Upon analysis of the files, it was discovered that:
AutoIt3.exe was the legitimate AutoIt3 executable
test.txt contained text data
script.a3x was a compiled AutoIT script
Decompiling the script using myAutToExe revealed an obfuscated AutoIT script
The initial portion of the script opened test.txt, split its contents by character, and utilized concatenation to set a variable value across multiple lines (Figure 11)
Figure 11: The contents of script.a3x file
The subsequent section of the script prepared the groundwork for payload execution (Figure 12).
Figure 12: Obfuscated characters
The script file utilized characters from the test.txt file based on their positions (Figure 13).
After simplifying the obfuscated script using the provided Python script, it becomes evident that the first part of the code is dedicated to constructing the shellcode payload (Figure 14).
Figure 14: Shellcode payload ($SFEPMTKC)
The second part of the code involves configuring data structures, adjusting memory protection for specific regions, and using a callback function within Windows API calls to execute code injection. The payload generated and executed is 46340 bytes in size.
API callback injection is a technique where a callback function is registered with a Windows API function, such as EnumWindows, and this function is executed when a particular event or condition is met. By passing a function pointer (callback function) to the API, the system calls this function at the appropriate time during the execution of the API function. In the context of code injection, malicious code or shellcode can be executed by manipulating the callback mechanism to point to the desired code instead of a legitimate function pointer, enabling an attacker to gain unauthorized access or perform malicious actions within the target process's address space. This method leverages the functionality of Windows API callbacks to stealthily inject and execute code, bypassing typical detection mechanisms and posing a significant security risk if exploited maliciously (Figure 15).
Figure 15: Leveraging API callbacks for code injection
After conducting additional cleanup operations, the cleaned shellcode was successfully extracted and saved for further analysis (Figure 16).
Upon examination of the file in a hex editor, it was observed that the shellcode contains an MZ header. Subsequently, the PE file was extracted from the shellcode and saved separately for analysis (Figure 17).
Figure 17: Shellcode containing the MZ header
Upon inspecting the file, it was determined that the program was compiled in Delphi. Consequently, the program was examined in a decompiler for additional analysis.
After performing further analysis, we were able to identify that a section of the code refers to the script.a3x file while searching for the string "OJytGrNE" (Figure 18).
Figure 18: String "OJytGrNE" found in the extracted file
Upon searching for this string in the hex editor, two instances of "OJytGrNE" were found, with one instance located at the end of the script (Figure 19).
Figure 19: String “OJytGrNE” found at the end of the script.a3x
The second instance was near the top of the script. Another noteworthy observation during the review of this section was the frequent repetition of the characters "CDq" (Figure 20).
Figure 20: String "OJytGrNE" found at the beginning of the script.a3x
An educated assumption led us to extract the portion of the file bounded by the string "OJytGrNE" and apply an XOR operation with the key "CDq" because of its repetitive pattern. The output is a PE file with a distorted MZ header (M replaced by I), which can be rectified manually (Figure 21).
Figure 21: XOR decryption of the DarkGate payload
When opened in a decompiler, an interesting string "6.1.9" was noted in the Delphi-compiled file, potentially indicating the version of the malware (Figure 22).
Figure 22: Version of the DarkGate being analyzed
The specific code segment was responsible for extracting the encrypted malware configuration (0x401 bytes in size) and storing it in a separate location (Figure 23).
Figure 23: The code responsible for extracting the DarkGate configuration
The identified malware configuration within the file is in an encrypted format, as shown below. The configuration initiates from the highlighted location at 0x45d524 and extends for 0x401 bytes up to 0x45d925 (Figure 24).
Figure 24: Encrypted DarkGate configuration
Subsequently, a key is generated from the string "ckcilIcconnh" to decrypt the encrypted configuration. The key is generated by XORing each character at a specific position with the difference between the key length and the position of that character in the string (Figure 25).
The subsequent code segment decrypts the malware configuration data by XORing the first byte of the encrypted configuration with the character at the first index of the generated key (Figure 26). Subsequently, each following byte in the configuration is XORed with the character at index 3 in the generated key (Figure 27).
Figure 25: Decryption routine
We have created a DarkGate Configuration Extraction Script to streamline and automate this process, facilitating the extraction of the final configuration data.
The output generated from the execution of the script is shown below (Figure 26).
Figure 26: Generated output from the decryption script
DarkGate systematically scans for a wide range of antivirus software within the environment to identify the presence of malware effectively (Figure 27). The list of AVs checked by DarkGate includes Bitdefender, AVAST, AVG, Kaspersky, ESET, Avira, Norton, Symantec, Trend Micro, McAfee, SUPER AntiSpyware, Comodo, MalwareBytes, ByteFence, Search & Destroy, 360 Total Security, Total AV, IObit Malware Fighter, Panda Security, Emsisoft, Quick Heal, F-Secure, Sophos, Windows Defender, G Data, and Nod32. The function to detect the antivirus present on the host is as follows.
Figure 27: The function that detects if antivirus is present
DarkGate injects shellcode into the microsoftedgeupdatecore.exe process using the following function for shellcode injection (Figure 28).
Figure 28: DarkGate injecting shellcode into microsoftedgeupdatecore.exe
In the above image, a segment of 0x598 bytes starting from the section_injected point is replicated into the suspended microsoftedgeupdatecore.exe process at the entry point location. Following this action, the thread is resumed to initiate the execution process.
The code to be injected into the target process (section_injection) is depicted in the image below (Figure 29).
Figure 29: The code which is injected into the process
The injected shell walks the PEB to resolve WINAPIs for executing functions in the context of the microsoftedgeupdatecore.exe target process as shown in the image below. The API function names are present in the form of stack strings which are utilized in the resolution process (Figure 31).
Figure 30: API functions as stack strings
The image below illustrates the transfer of the section on the right (section_injected) to the entry point of the microsoftedgeupdatecore.exe process via WriteProcessMemory. Subsequently, ResumeThread is invoked to execute the previously suspended process with the newly injected data (Figure 31).
Figure 31: ResumeThread invoked to execute process with newly injected data
The below image (Figure 32) of the call stack shows the following information during the above process:
0x390: Handle to the microsoftedgeupdatecore.exe process.
0x67CF40: Address of the target process's entry point where the shellcode is intended to be written.
0x2333070: Address of the buffer within the current process to be copied.
0x598: Size of the shellcode to be copied.
0x300FF04: Memory location that stores the number of bytes successfully written after the call is executed.
Figure 32: Call stack prior to WriteProcessMemory API call
DarkGate possesses various capabilities, such as initiating threads and adjusting privileges. It has the capability to add SeShutdownPrivilege; in case of failure, it invokes NtRaiseHardError and triggers a Blue Screen of Death (BSOD) as a fallback action. These options are shown in the image below (Figure 33).
Figure 33: DarkGate capabilities
DarkGate can emulate mouse click events, allowing it to simulate user interactions with the system through programmatically generated mouse clicks as shown in the image below (Figure 34).
Figure 34: DarkGate emulating mouse click events
Another capability of DarkGate is its ability to remove itself and any dropped files or artifacts in temporary directories or other locations where it may have been deposited during its execution. This feature ensures that DarkGate can cover its tracks and leave minimal trace of its activities on the system. This feature is depicted in the image below (Figure 35).
Figure 35: Darkgate removing itself
There have been newer versions of DarkGate that have not been directly observed by eSentire, though as of June 2024, the version outlined in this report continued to be observed. The new version changes the execution script from AutoIT to AutoHotKey, alongside varying delivery methods. These changes have been documented in reports from McAfee and Trellix.
DarkGate identifies a large variety of anti-virus programs on the host
Initial Access
T1566.001
Phishing: Spearphishing Attachment
DarkGate is delivered in emails through PDF documents
Execution
T1204.002
User Execution: Malicious File
The user executed the initial file leading to the DarkGate infection
Defense Evasion
T1055 T1055.012
Process Injection Process Hollowing
DarkGate performs process injection using an AutoIT script, which utilizes the EnumWindows API (Callback code execution). Additionally, DarkGate executes process hollowing by writing malicious code to the MicrosoftEdgeUpdateCore.exe process, injecting shellcode into the .text section of the suspended process before resuming execution
Defense Evasion
T1027.013
Obfuscated Files or Information: Encrypted/Encoded File
Darkgate has an XOR encrypted section within the AutoIT file which is used to retrieve the final payload
mal_encrypted.bin (XOR Encrypted Portion in A3X File)
d6adba203537023a2ae4f582d0b5e1b9
mal_dropped.bin (XOR Decrypted version of mal_encrypted.bin with fixed MZ header)
a825b1fec71bd128c16c05fbb763bc04
DarkGate C2
persikmonkiey7drone[.]com
eSentire Threat Response Unit (TRU)
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
