Cyber attacks involving the DarkGate malware-as-a-service (MaaS) operation have recently evolved, shifting from AutoIt scripts to an AutoHotkey mechanism for the final stages of delivery. This change underscores the ongoing efforts by threat actors to evade detection.
The latest updates have been observed in DarkGate version 6, released in March 2024 by its developer RastaFarEye, who markets the program on a subscription basis to up to 30 customers. DarkGate, active since at least 2018, is a fully-featured remote access trojan (RAT) equipped with command-and-control (C2) and rootkit capabilities. It includes various modules for credential theft, keylogging, screen capturing, and remote desktop access, highlighting its significance in cybersecurity threats.
Trellix security researcher Ernesto Fernández Provecho observed in a Monday analysis that DarkGate campaigns quickly adapt by modifying various components to evade security solutions. He emphasized that this is the first time DarkGate has employed AutoHotKey, a relatively uncommon scripting interpreter, to deploy the malware.
McAfee Labs first documented DarkGate’s shift to AutoHotKey in late April 2024. Attack chains have been leveraging security flaws like CVE-2023-36025 and CVE-2024-21412 to bypass Microsoft Defender SmartScreen protections. These flaws are exploited using Microsoft Excel or HTML attachments in phishing emails.
Alternative methods have also been identified. For instance, Excel files with embedded macros can execute a Visual Basic Script file, which then invokes PowerShell commands to launch an AutoHotKey script.
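The Excel macro to VBScript to PowerShell to AutoHotKey chain described above is unusual process ancestry that endpoint telemetry can surface. The following is an added detection example, not code from the article or from Trellix or McAfee; it runs over a handful of constructed Sysmon-style process-creation events (hosts, PIDs and paths are invented) and flags any AutoHotkey process whose ancestors include an Office application, a script host and PowerShell.

```python
# Constructed process-creation events in the shape of Sysmon Event ID 1 fields; not real telemetry.
# WS01 carries the Excel -> VBScript -> PowerShell -> AutoHotkey chain; WS02 is benign AutoHotkey use.
EVENTS = [
    {"host": "WS01", "pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"host": "WS01", "pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE"},
    {"host": "WS01", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe"},
    {"host": "WS01", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS01", "pid": 500, "ppid": 400, "image": r"C:\Users\u\AppData\Local\Temp\AutoHotkey.exe"},
    {"host": "WS02", "pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"host": "WS02", "pid": 600, "ppid": 100, "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe"},
]

# Ancestor image names that together make an AutoHotkey launch suspicious (hypothetical rule sets).
OFFICE = {"excel.exe", "winword.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, host, pid):
    """Image names of a process's ancestors on one host, nearest parent first.
    Stops at the root or on a PID cycle (PID reuse can make ppid loops)."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    chain, seen = [], set()
    e = by_pid.get((host, pid))
    while e is not None and e["ppid"] not in seen:
        seen.add(e["pid"])
        parent = by_pid.get((host, e["ppid"]))
        if parent is None:
            break
        chain.append(basename(parent["image"]))
        e = parent
    return chain


def find_suspicious_ahk(events):
    """Return (host, pid) of AutoHotkey processes descended from Office, a script host and PowerShell."""
    hits = []
    for e in events:
        if basename(e["image"]) != "autohotkey.exe":
            continue
        parents = set(ancestry(events, e["host"], e["pid"]))
        if parents & OFFICE and parents & SCRIPT_HOSTS and parents & SHELLS:
            hits.append((e["host"], e["pid"]))
    return hits


if __name__ == "__main__":
    print(find_suspicious_ahk(EVENTS))  # [('WS01', 500)]
```

Matching on the full ancestry rather than only the direct parent keeps the rule working when an intermediate stage is swapped out, as the article notes DarkGate campaigns routinely do.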
The latest version of DarkGate introduces significant upgrades to its configuration, evasion techniques, and the list of supported commands. New features now include audio recording, mouse control, and keyboard management. However, some features present in previous versions, such as privilege escalation, cryptomining, and hVNC (Hidden Virtual Network Computing), have been removed. Fernández Provecho suggested this might be an effort to eliminate features that could trigger detection. Additionally, since DarkGate is sold to a limited number of customers, it is possible that the demand for these features was low, prompting RastaFarEye to remove them.

In a related incident, cyber criminals have been taking advantage of Docusign by selling realistic, customizable phishing templates on underground forums. This misuse has made Docusign a hotspot for phishers who want to steal credentials for phishing and business email compromise (BEC) scams. Abnormal Security reported that “these fraudulent emails are carefully designed to look like legitimate document signing requests, tricking unsuspecting recipients into clicking on malicious links or sharing sensitive information.”
These advancements and strategies underscore the ever-evolving landscape of cyber threats and the constant need for updated security measures to combat sophisticated malware operations like DarkGate. As threat actors continue to adapt, staying ahead of the detection curve remains a critical challenge for cybersecurity professionals.