In the beginning of 2024, eSentire's Threat Response Unit (TRU) observed an increase in DarkGate malware infections. DarkGate is a commodity loader first seen in 2018 that has gone through multiple iterations over the past six years. It is delivered through a variety of methods, including Microsoft Teams chat messages with attached Zip archives containing script files, Visual Basic Scripts (VBS) embedded in external Skype messages, phishing links, malvertising campaigns and fake browser updates.
DarkGate has been observed loading other malware over the years, including Danabot and SocGholish. Earlier campaigns used AutoIt for loading and abused CVE-2024-21412 (CVSS 8.1), a security feature bypass in Internet Shortcut (.url) files that was used to evade Windows SmartScreen.
We covered DarkGate extensively in our TRU Threat Intelligence Briefing in September 2023, and in November 2023 we published a TRU Positive on Danabot leading to the deployment of DarkGate.
In early 2024, TRU received a quarantined malicious email for analysis. The email masqueraded as an invoice, and its subject line carried the tag indicating that it originated externally (Figure 1).
The email included a PDF attachment named KA-6180574967.pdf (Figure 2).
Opening the PDF presents a fake Chrome error page urging the user to download a file in order to view the contents (Figure 3).
The download link points to a ClickCease tracker URL (ClickCease is a legitimate, Google-certified click-tracking service, abused here to hide the real destination). The url= parameter in the second part of the link carries the actual destination to which the user is redirected (Figure 4).
The final site serves an invoice-themed Zip archive (Figure 5).
Extracting the archive yields a malicious Internet Shortcut (.url) file, Invoice2024021512.pdf.url, masquerading as an invoice PDF (Figure 6).
The .url file is configured to download and execute a malicious Portable Executable (PE) file named reader_update.exe, which masquerades as an Adobe Reader update (Figure 7).
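The unwrapping step above can be automated for triage. The following Python is an added example (not TRU's tooling) that recovers the destination from the ClickCease link listed in the IOC table. The refang/defang helpers and the handling of the url= parameter are the example's own assumptions, checked against the two URLs the report lists; the practical catch it shows is that the destination is embedded unencoded, so its own & separated query string gets cut off by a generic query parser.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Tracker link and final destination from the IOC table (defanged as in the report).
TRACKER = ("hxxps[://]monitor[.]clickcease[.]com//tracker/tracker?id=qf2024tFAUFIqOrNt72"
           "&adpos=&nw=a&url=//otiunmonisky2m[.]com/?utm_content=DyhfwDxSjV"
           "&session_id=CB26j6C51PI3UtIeH6Iy&id=HRqDe&filter=rPWHSFqbMG-qBptf&lang=es&locale=US")
DESTINATION = ("hxxps[://]otiunmonisky2m[.]com/?utm_content=DyhfwDxSjV"
               "&session_id=CB26j6C51PI3UtIeH6Iy&id=HRqDe&filter=rPWHSFqbMG-qBptf&lang=es&locale=US")


def refang(ioc: str) -> str:
    """Turn the report's defanged notation (hxxp, [://], [.]) back into a parseable URL."""
    return ioc.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


def defang(url: str) -> str:
    return url.replace("http", "hxxp", 1).replace("://", "[://]").replace(".", "[.]")


def naive_url_param(tracker_url: str) -> str:
    """What a generic query parser returns: the embedded target is cut at its first '&'."""
    return parse_qs(urlsplit(tracker_url).query)["url"][0]


def unwrap_clickcease(tracker_url: str) -> str:
    """Recover the redirect target carried in the url= parameter of a ClickCease link.

    The target is embedded unencoded, so take everything from 'url=' to the end of the
    query instead of splitting on '&'. A protocol-relative target (//host/...) inherits
    the tracker's scheme.
    """
    parts = urlsplit(tracker_url)
    if not parts.netloc.lower().endswith("clickcease.com"):
        raise ValueError("not a clickcease tracker link")
    m = re.search(r"(?:^|&)url=(.*)$", parts.query, re.S)
    if not m:
        raise ValueError("tracker link carries no url= parameter")
    target = m.group(1)
    if target.startswith("//"):
        target = f"{parts.scheme}:{target}"
    return target


if __name__ == "__main__":
    print(defang(unwrap_clickcease(refang(TRACKER))))
```

Because the destination is appended unencoded, any tracker parameters that followed url= would be swallowed into the target; in this sample url= is the last parameter, which is consistent with the second IOC in the table.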
During the analysis, the Zip archive was downloaded and its contents extracted to obtain the PE file (Figure 8).
Analysis showed that the fake Adobe update file was a compiled AutoIt script packaged as an executable.
On execution, this PE file retrieves the AutoIt interpreter AutoIt3.exe, the compiled script script.a3x and the data file test.txt from 64[.]52[.]80[.]82 (Figure 9; the URLs are listed in the IOC table).
These files were manually downloaded for additional analysis (Figure 10).
Upon analysis of the files, it was discovered that:
The next section of the script prepares the groundwork for payload execution (Figure 12).
The script builds its strings from characters of test.txt selected by position, so test.txt serves as a lookup table (Figure 13).
We developed a script to simplify analysis of the obfuscated script file. It replaces each positional reference with the literal character taken from test.txt, which makes the code readable.
After simplifying the obfuscated script with this Python script, it becomes evident that the first part of the code is dedicated to constructing the shellcode payload (Figure 14).
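As an added example (not TRU's own simplification script, which the report does not reproduce), the following Python assumes that the obfuscated script selects characters with AutoIt's StringMid($var, position, 1) and joins them with the & operator. That form, the table contents and the DllCall sample line are constructed for illustration; the regular expressions would need to be adapted to the exact form seen in Figure 13.

```python
import re

# Constructed stand-in for test.txt. The real file (MD5 c845f145f64264171c729ccaa2b86301)
# is an arbitrary character table; only its content and the 1-based positions matter.
TABLE = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ._ "

# Assumed obfuscation form: StringMid($var, <position>, 1), one call per character,
# joined with AutoIt's & operator. StringMid positions are 1-based.
LOOKUP_RE = re.compile(r"StringMid\(\$\w+,\s*(\d+),\s*1\)")
LITERAL = r'"(?:[^"]|"")*"'                     # an AutoIt string literal ("" escapes a quote)
CHAIN_RE = re.compile(LITERAL + r"(?:\s*&\s*" + LITERAL + r")+")


def resolve_lookups(line: str, table: str) -> str:
    """Replace each positional lookup with the literal character it selects."""
    def repl(m: re.Match) -> str:
        pos = int(m.group(1))
        if not 1 <= pos <= len(table):
            raise ValueError(f"position {pos} is outside the {len(table)}-byte table")
        return '"' + table[pos - 1].replace('"', '""') + '"'
    return LOOKUP_RE.sub(repl, line)


def fold_concats(line: str) -> str:
    """Merge runs of literals joined with & into a single literal."""
    def repl(m: re.Match) -> str:
        parts = re.findall(LITERAL, m.group(0))
        return '"' + "".join(p[1:-1] for p in parts) + '"'
    return CHAIN_RE.sub(repl, line)


def deobfuscate(script: str, table: str) -> str:
    return "\n".join(fold_concats(resolve_lookups(line, table)) for line in script.splitlines())


def obfuscate_literal(text: str, table: str, var: str = "$t") -> str:
    """Build the lookup chain for a literal. Used only to construct sample input here;
    the malware author's generator is not known."""
    return " & ".join(f"StringMid({var}, {table.index(c) + 1}, 1)" for c in text)


# Constructed sample line in the shape of the loader's DllCall sequences.
CLEAR = ('Local $h = DllCall("kernel32.dll", "ptr", "VirtualAlloc", "ptr", 0, '
         '"ulong_ptr", $n, "dword", 0x1000, "dword", 0x40)')
SAMPLE = ("Local $h = DllCall(" + obfuscate_literal("kernel32.dll", TABLE) + ', "ptr", '
          + obfuscate_literal("VirtualAlloc", TABLE) + ', "ptr", 0, "ulong_ptr", $n, '
          '"dword", 0x1000, "dword", 0x40)')

if __name__ == "__main__":
    print(deobfuscate(SAMPLE, TABLE))
```

Folding the concatenations after the lookups are resolved is what makes API and DLL names such as the ones above reappear as plain literals, which is the point at which the shellcode construction in the first half of the script becomes readable.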
The second part of the code sets up data structures, changes the memory protection of the buffer holding the payload, and passes a pointer to that buffer to a Windows API as a callback so that the shellcode is executed. The generated and executed payload is 46340 bytes in size.
API callback injection registers a callback function with a Windows API such as EnumWindows, which invokes the supplied function pointer for each top-level window it enumerates. If the pointer refers to a buffer that holds shellcode and whose memory protection has been changed to allow execution, the operating system itself transfers control to the payload: no CreateThread or CreateRemoteThread call and no explicit jump in the script is needed. In this case the shellcode runs inside the calling process, the AutoIt interpreter executing script.a3x. Because the call chain looks like ordinary use of a documented API, the technique evades detections that key on classic thread-creation injection (Figure 15).
After additional cleanup, the shellcode was extracted and saved for further analysis (Figure 16).
Examining the file in a hex editor showed an MZ header inside the shellcode: the shellcode carries an embedded PE file, which was carved out and saved separately for analysis (Figure 17).
Inspection showed that the carved program was compiled in Delphi, so it was examined in a decompiler for further analysis.
Further analysis identified a section of code that reads the script.a3x file and searches it for the string "OJytGrNE" (Figure 18).
Searching for this string in the hex editor found two instances of "OJytGrNE", one located at the end of the script (Figure 19).
The second instance was near the top of the script. Another noteworthy observation in this region was the frequent repetition of the characters "CDq" (Figure 20).
Extracting the portion of the file bounded by the two "OJytGrNE" markers and XORing it with the repeating key "CDq" produced a PE file. The key choice follows from the repetition: a PE image contains long runs of zero bytes, and a zero byte XORed with a key byte is the key byte itself, so a short repeating key shows through the ciphertext as exactly this kind of pattern. The output has a distorted MZ header (the M replaced by I), which can be corrected manually (Figure 21).
When the file was opened in a decompiler, the string "6.1.9" was noted in the Delphi-compiled binary, potentially indicating the malware version (Figure 22).
The code segment shown extracts the encrypted malware configuration (0x401 bytes) and stores it in a separate location (Figure 23).
The configuration is held in the file in encrypted form. It starts at the highlighted location 0x45d524 and extends for 0x401 bytes, up to 0x45d925 (Figure 24).
A key is then derived from the hardcoded string "ckcilIcconnh": each character is XORed with the difference between the key length and that character's position in the string (Figure 25).
The decryption routine XORs the first byte of the encrypted configuration with the first character of the derived key (Figure 26), and every following byte with the key character at index 3 (Figure 27). Since all bytes after the first share a single key byte, the bulk of the configuration is effectively a single-byte XOR once the key is known.
We have created a DarkGate Configuration Extraction Script to automate this process and produce the final configuration data.
The output from running the script against this sample is shown below (Figure 26).
Output from the configuration extractor:
0=persikmonkiey7drone[.]com|
8=No
11=DarkGate
12=R0ijS0qCVITtS0e6xeZ
13=6
14=Yes
15=80
1=Yes
3=Yes
4=No
18=50
6=No
7=No
19=7000
5=No
21=No
22=No
23=Yes
25=admin888
26=No
27=OJytGrNE
28=No
29=6
tabla=VfRlH1jiw}*=0G9TEOqr2ZLQ3Y4Wc](uydn$Ssvmt7C.,[JBNhXzb"kax&pFK8o5UgDA)6IM eP{
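The following Python is an added example, not TRU's extractor, that chains the two recovery steps described above on constructed data: carving the PE from between the OJytGrNE markers with the CDq key and repairing the MZ header, then deriving the configuration key from "ckcilIcconnh" and XOR-decrypting the 0x401-byte block. Zero-based key positions, newline-separated key=value lines with a |-separated C2 list in field 0, and the fake script, fake PE and offset are all assumptions of the example; on a real sample the address 0x45d524 is an address in the loaded image and must be converted to a file offset before slicing the carved file.

```python
from __future__ import annotations

MARKER = b"OJytGrNE"              # delimiter the Delphi loader searches for in script.a3x
PE_XOR_KEY = b"CDq"               # repeating key visible in the ciphertext between the markers
CONFIG_KEY_SEED = "ckcilIcconnh"  # hardcoded string the configuration key is derived from
CONFIG_SIZE = 0x401               # size of the encrypted configuration block


def xor_repeating(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def carve_embedded_pe(a3x: bytes) -> bytes:
    """Take the bytes between the two OJytGrNE markers, XOR with CDq, repair the MZ header."""
    first, last = a3x.find(MARKER), a3x.rfind(MARKER)
    if first < 0 or last <= first:
        raise ValueError("expected two marker occurrences")
    image = xor_repeating(a3x[first + len(MARKER):last], PE_XOR_KEY)
    if image[:2] == b"IZ":          # the report notes the M of MZ comes out as I
        image = b"M" + image[1:]
    if image[:2] != b"MZ":
        raise ValueError("decrypted region does not start with an MZ header")
    return image


def derive_config_key(seed: str = CONFIG_KEY_SEED) -> bytes:
    """key[i] = seed[i] XOR (len(seed) - i); a zero-based position is assumed here."""
    n = len(seed)
    return bytes(ord(c) ^ (n - i) for i, c in enumerate(seed))


def decrypt_config(enc: bytes, key: bytes) -> bytes:
    """First byte XOR key[0], every following byte XOR key[3], as the report describes.
    XOR is its own inverse, so the same routine encrypts."""
    return bytes([enc[0] ^ key[0]]) + bytes(b ^ key[3] for b in enc[1:])


def parse_config(plain: bytes) -> dict[str, object]:
    """Parse the numbered key=value lines; field 0 is treated as a |-separated C2 list
    (an interpretation of the trailing | in the report's output)."""
    text = plain.split(b"\x00", 1)[0].decode("latin-1")
    cfg: dict[str, object] = {}
    for line in text.splitlines():
        k, sep, v = line.partition("=")
        if not sep:
            continue
        cfg[k] = [h for h in v.split("|") if h] if k == "0" else v
    return cfg


def extract_config(pe: bytes, offset: int, size: int = CONFIG_SIZE) -> dict[str, object]:
    """offset is the file offset of the encrypted block inside the carved PE."""
    return parse_config(decrypt_config(pe[offset:offset + size], derive_config_key()))


# Constructed test data: a fake script.a3x holding a fake PE with an encrypted config.
SAMPLE_CONFIG = b"0=c2-a.example|c2-b.example|\n8=No\n11=DarkGate\n15=80\n25=admin888\n"


def build_sample(offset: int = 0x200) -> bytes:
    enc_cfg = decrypt_config(SAMPLE_CONFIG.ljust(CONFIG_SIZE, b"\x00"), derive_config_key())
    pe = b"MZ" + b"\x00" * (offset - 2) + enc_cfg + b"\x00" * 32
    damaged = b"I" + pe[1:]        # stored so that decryption yields "IZ", as in the real sample
    return b"#NoTrayIcon\n" + MARKER + xor_repeating(damaged, PE_XOR_KEY) + MARKER


def demo(offset: int = 0x200) -> dict[str, object]:
    return extract_config(carve_embedded_pe(build_sample(offset)), offset)


if __name__ == "__main__":
    print(derive_config_key(), demo())
```

The zero-byte argument from the carving step applies again here: the 0x401-byte block is padded, and padding bytes decrypt to a constant, so a run of one repeated byte after the last key=value line is a quick sanity check that the key index assumptions match the figures.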
DarkGate checks the host for a wide range of antivirus products to establish which security software is present. The list of AV products it looks for includes Bitdefender, AVAST, AVG, Kaspersky, ESET, Avira, Norton, Symantec, Trend Micro, McAfee, SUPER AntiSpyware, Comodo, MalwareBytes, ByteFence, Search & Destroy, 360 Total Security, Total AV, IObit Malware Fighter, Panda Security, Emsisoft, Quick Heal, F-Secure, Sophos, Windows Defender, G Data and Nod32. The function that performs this check is shown in Figure 27.
DarkGate injects shellcode into the microsoftedgeupdatecore.exe process using the shellcode injection function shown in Figure 28.
In that image, a region of 0x598 bytes starting at section_injected is written into the suspended microsoftedgeupdatecore.exe process at its entry point. The process thread is then resumed to start execution.
The code injected into the target process (section_injected) is shown in Figure 29.
The injected shellcode walks the Process Environment Block (PEB) to resolve the Windows APIs it needs to run in the context of the microsoftedgeupdatecore.exe target process. The API function names are built as stack strings and used during resolution (Figure 31).
Figure 31 also illustrates the transfer of the section on the right (section_injected) to the entry point of the microsoftedgeupdatecore.exe process via WriteProcessMemory, followed by ResumeThread to execute the previously suspended process with the newly injected code.
The call stack captured during this process is shown in Figure 32.
DarkGate has further capabilities, such as creating threads and adjusting token privileges. It attempts to enable SeShutdownPrivilege; if that fails, it calls NtRaiseHardError to trigger a Blue Screen of Death (BSOD) as a fallback (Figure 33).
DarkGate can emulate mouse click events, simulating user interaction with the system through programmatically generated clicks (Figure 34).
DarkGate can also delete itself and any dropped files or artifacts from temporary directories and other locations it used during execution, covering its tracks and leaving minimal trace of its activity on the system (Figure 35).
Newer DarkGate versions exist that eSentire has not directly observed, though as of June 2024 the version described in this report was still being seen. The newer version replaces the AutoIt execution script with AutoHotkey and uses different delivery methods; these changes are documented in reports from McAfee and Trellix.
| MITRE ATT&CK Tactic | ID | MITRE ATT&CK Technique | Description |
| --- | --- | --- | --- |
| Reconnaissance | T1592.002 | Gather Victim Host Information: Software | DarkGate identifies a large variety of anti-virus programs on the host |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | DarkGate is delivered in emails through PDF documents |
| Execution | T1204.002 | User Execution: Malicious File | The user executed the initial file leading to the DarkGate infection |
| Defense Evasion | T1055 | Process Injection | DarkGate performs process injection using an AutoIt script, which utilizes the EnumWindows API (callback code execution). Additionally, DarkGate executes process hollowing by writing malicious code to the MicrosoftEdgeUpdateCore.exe process, injecting shellcode into the .text section of the suspended process before resuming execution |
| Defense Evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | DarkGate has an XOR-encrypted section within the AutoIt file which is used to retrieve the final payload |
| Name | IOC |
| --- | --- |
| Download Link | hxxps[://]monitor[.]clickcease[.]com//tracker/tracker?id=qf2024tFAUFIqOrNt72&adpos=&nw=a&url=//otiunmonisky2m[.]com/?utm_content=DyhfwDxSjV&session_id=CB26j6C51PI3UtIeH6Iy&id=HRqDe&filter=rPWHSFqbMG-qBptf&lang=es&locale=US |
| Download Link | hxxps[://]otiunmonisky2m[.]com/?utm_content=DyhfwDxSjV&session_id=CB26j6C51PI3UtIeH6Iy&id=HRqDe&filter=rPWHSFqbMG-qBptf&lang=es&locale=US |
| KA-6180574967.pdf | da5304f9ee30f6f677236558adf2025f |
| Invoice2024021512.pdf.url | ba2f71cbf293606259b0878e1774e36d |
| reader_update.zip URL | 193[.]178[.]210[.]226/documents/reader_update[.]zip |
| reader_update.exe URL | 193[.]178[.]210[.]226/documents/reader_update[.]zip/reader_update[.]exe |
| reader_update.zip | 0bb063d129162e8c93830fdbcf2ba416 |
| reader_update.exe | a74ae422391a22b5469135ae7f0cbf7d |
| AutoIt3.exe URL | hxxp[://]64[.]52[.]80[.]82/Autoit3[.]exe |
| script.a3x URL | hxxp[://]64[.]52[.]80[.]82/script[.]a3x |
| test.txt URL | hxxp[://]64[.]52[.]80[.]82/test[.]txt |
| AutoIt3.exe | c56b5f0201a3b3de53e561fe76912bfd |
| script.a3x | 3a292ef66958f3a6e2684bea0d158aa3 |
| test.txt | c845f145f64264171c729ccaa2b86301 |
| mal.bin (Initial Shellcode Loaded in Memory) | 5e1c16a9508e87147b85e368b2463e8f |
| mal.bin_extracted (PE File Carved from Shellcode) | 28a242ae3e8c8a6d1b0ee0c59c1c9aa3 |
| mal_encrypted.bin (XOR Encrypted Portion in A3X File) | d6adba203537023a2ae4f582d0b5e1b9 |
| mal_dropped.bin (XOR Decrypted version of mal_encrypted.bin with fixed MZ header) | a825b1fec71bd128c16c05fbb763bc04 |
| DarkGate C2 | persikmonkiey7drone[.]com |