DarkGate malware campaign uses Samba file shares
A DarkGate malware campaign from March-April 2024 shows how attackers abuse legitimate tools and services to distribute malware.
Researchers from Palo Alto Networks Unit 42 have shared details about a DarkGate malware campaign from March-April 2024. Threat actors used Microsoft Excel files to download a malware package from public SMB file shares.
Researchers noted that malicious actors have creatively abused legitimate tools and services to spread their malware.
DarkGate RAT is written in Borland Delphi and is offered in the cybercrime ecosystem under a Malware-as-a-Service (MaaS) model. The malware is considered a sophisticated threat and is continuously improved.
DarkGate has been active since at least 2018 and supports capabilities including process injection, file download and execution, information stealing, shell command execution, and keylogging. The malicious payload also uses several evasion techniques.
Financially motivated malicious actors have used the malware in attacks against organizations in North America, Europe, Asia, and Africa.
Unit 42 observed an increase in DarkGate activity following the disruption of Qakbot infrastructure in August 2023.
In March 2024, DarkGate actors launched a campaign using Microsoft Excel files, initially targeting North America but gradually expanding to Europe and Asia. Activity peaked on April 9, 2024, with nearly 2,000 samples detected in one day.
When opening the .xlsx file, recipients see a template containing a linked object for the Open button.
When a user clicks the Open button’s hyperlinked object, it retrieves and executes the contents of a URL that points to a publicly accessible Samba/SMB share hosting a VBS file.

Researchers have also seen attackers distributing JavaScript files from Samba shares.
The EXCEL_OPEN_DOCUMENT.vbs file contains a large amount of unwanted code related to printer drivers, but it retrieves and executes a PowerShell script that downloads a DarkGate package based on AutoHotKey.
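The infection chain above starts with an Excel file whose linked object points at a publicly reachable SMB share. Defenders can catch that at the mail gateway or on the endpoint, because every hyperlink or linked object in an OOXML package is declared in a `.rels` part with `TargetMode="External"`. The following script is an added example written for this article; it is not code from Unit 42 or the Security Affairs report. It unpacks an `.xlsx` and flags any external relationship whose target is a UNC path or `file:` URL. The sample package it builds, and the TEST-NET address and share path inside it, are constructed test data, not indicators from the campaign.

```python
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

# Every OOXML part lists its links in a sibling *.rels file. A hyperlink or
# OLE object that points outside the package carries TargetMode="External",
# and an SMB-hosted target shows up as a UNC path (\\host\share\...) or a
# file:// URL.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SMB_TARGET = re.compile(r"^(\\\\|//|file:)", re.IGNORECASE)


def find_external_smb_targets(xlsx_bytes: bytes) -> list[dict]:
    """Return each external relationship whose target is a UNC/SMB location."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if SMB_TARGET.match(target):
                    findings.append({
                        "part": name,
                        # Relationship types are URIs; keep only the last segment
                        # (e.g. "hyperlink" or "oleObject") for readability.
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": target,
                    })
    return findings


def build_sample_xlsx(hyperlink_target: str) -> bytes:
    """Construct a minimal xlsx-like package with one external hyperlink.

    This is constructed test data for the example, not a real campaign sample.
    Excel would reject it as a spreadsheet; it only exercises the .rels parsing.
    """
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        f'Target="{hyperlink_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Scan real files given on the command line.
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                for hit in find_external_smb_targets(fh.read()):
                    print(f"{path}: {hit['type']} in {hit['part']} -> {hit['target']}")
    else:
        # Demo on constructed data: a UNC target (203.0.113.7 is a TEST-NET
        # address, chosen for illustration) and a harmless HTTPS link.
        bad = build_sample_xlsx(r"\\203.0.113.7\share\EXCEL_OPEN_DOCUMENT.vbs")
        good = build_sample_xlsx("https://example.com/")
        print("constructed malicious sample:", find_external_smb_targets(bad))
        print("constructed benign sample:", find_external_smb_targets(good))
```

The check is deliberately narrow: it does not parse cell contents or macros, only the relationship parts, which is where an external linked object must be declared. A `file:` or UNC target in a document that arrived by e-mail is a strong signal on its own and is cheap to evaluate at scale; the same parsing works unchanged for `.docx` and `.pptx` packages.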
“Unmasked from test.txt and executed from system memory, this final DarkGate binary is known for its complex mechanisms to evade malware detection and analysis,” reads the report. “One of the anti-analysis techniques employed by DarkGate is to identify the CPU of the targeted system. This can reveal whether the threat is running in a virtual environment or on a physical host, allowing DarkGate to shut down its operations to avoid being analyzed in a controlled environment.”
DarkGate also scans processes running on infected systems to check for the presence of scanning tools or virtualization software.
DarkGate uses unencrypted HTTP requests to communicate with C2 servers and the data is obfuscated to look like Base64 encoded text.
“Campaigns using this malware feature advanced infection techniques, leveraging both phishing strategies and approaches such as exploiting publicly accessible Samba shares,” concludes the report, which also includes indicators of compromise. “As DarkGate continues to evolve and refine its methods of infiltration and resistance to analysis, it remains a powerful reminder of the need for robust and proactive cybersecurity defenses.”