Summary
- The Trend Micro Managed Detection and Response (MDR) team analyzed an incident wherein an attacker used social engineering via a Microsoft Teams call to impersonate a user’s client and gain remote access to their system.
- The attacker failed to install a Microsoft Remote Support application but successfully instructed the victim to download AnyDesk, a tool commonly used for remote access.
- After gaining access to the machine, the attacker dropped multiple suspicious files. One of the suspicious files was detected as Trojan.AutoIt.DARKGATE.D.
- A series of commands executed by Autoit3.exe led to the connection to a potential command-and-control server and the subsequent download of a malicious payload.
- Persistent files and a registry entry were created on the victim’s machine, though the attack was ultimately thwarted before exfiltration occurred.
Using Vision One, we observed a recent security incident in which a user was targeted by an attacker posing as an employee of a known client on a Microsoft Teams call. This led to the user being instructed to download the remote desktop application AnyDesk, which then facilitated the deployment of DarkGate malware. DarkGate, distributed via an AutoIt script, enabled remote control over the user’s machine, executed malicious commands, gathered system information, and connected to a command-and-control server. In this blog entry, we discuss how this breach was carried out in several stages, emphasizing the need for robust security measures and heightened awareness against social engineering attacks.

Initial entry
In this incident, the intruder relied on social engineering to gain access to, and then control of, the victim's machine. The victim recounted receiving a large number of emails before getting a call on Microsoft Teams from someone claiming to be an employee of an external supplier. During the call, the victim was told to install the Microsoft Remote Support application, but the installation from the Microsoft Store failed. The caller then directed the victim to download AnyDesk from its official website through a web browser and persuaded her to enter her credentials into AnyDesk. Impersonating IT support after inundating the target with emails is a tactic previously documented in a blog post by Microsoft.
Implementation
AnyDesk.exe was launched moments after it was downloaded, with the following command line:
"C:\Users\<user>\Downloads\AnyDesk.exe" --local-service
This switch starts AnyDesk's local service component, the process that handles the remote session, rather than an interactive-only instance. The path is itself a useful signal: a portable copy of AnyDesk run straight from the Downloads folder, rather than an installed and approved copy, should not appear on a managed workstation.
Shortly afterward, cmd.exe was used to start rundll32.exe and load SafeStore.dll, which was most likely transferred to the host over the AnyDesk session:
processCmd: "C:\Windows\System32\cmd.exe"
eventSubId: 2 – TELEMETRY_PROCESS_CREATE
objectFilePath: c:\windows\system32\rundll32.exe
objectCmd: rundll32.exe SafeStore.dll,epaas_request_clone

The root cause analysis (RCA) by Vision One in Figure 4 shows rundll32.exe, a signed Windows binary, being used to call an exported function in SafeStore.dll named epaas_request_clone (Figure 3). Although this is often grouped with DLL side-loading, no legitimate host application is hijacked here; the DLL is invoked directly through rundll32.exe, which is the detail detections should key on: rundll32.exe loading a DLL by bare file name (resolved from the working directory or search path rather than an absolute path) and calling a non-standard export. The DLL exports several other functions that can be used to drive the malware (Figure 4).


When launched, SafeStore.dll, originally named epaas_client.dll, displays a login prompt asking for credentials (Figure 5).

While the fake form was displayed, discovery commands ran in the background regardless of whether the user entered any credentials:
- cmd /c systeminfo – returns detailed information about the system's configuration, including the OS version, hardware specifications, memory, network adapter details, and uptime.
- cmd /c route print – prints the current routing table, showing how traffic to each destination is routed given the system's network configuration.
- cmd /c ipconfig /all – lists every network interface with its IP addresses, subnet masks, gateways, DNS servers, and other settings.
The collected output was written to 123.txt, a typical host-profiling step before the next stage is chosen (Figure 6).
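The discovery burst above, three commands within seconds under the same rundll32.exe parent with the output staged to a file, is a detection opportunity on its own. The following Python is an added example, not code from the original post or from Trend Micro: it groups process-creation records by parent and flags any parent whose children issue three or more distinct discovery commands inside a short window, then lists the files that parent wrote. The telemetry lines are constructed for the example and borrow only the field names the post shows (eventSubId, objectCmd, objectFilePath); parentCmd, ts and user are assumed fields, not a real schema.

```python
"""Added example: flag a host-discovery burst under one parent process.

Telemetry records are constructed JSON lines modelled loosely on the post's
excerpts. eventSubId 2 (process create) and 101 (file create) come from the
post; parentCmd, ts and user are assumed field names.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands worth counting; patterns tolerate the "cmd /c" wrapper.
DISCOVERY_PATTERNS = {
    "systeminfo": re.compile(r"\bsysteminfo\b", re.I),
    "route_print": re.compile(r"\broute(\.exe)?\s+print\b", re.I),
    "ipconfig_all": re.compile(r"\bipconfig(\.exe)?\s+/all\b", re.I),
    "whoami": re.compile(r"\bwhoami\b", re.I),
    "net_enum": re.compile(r"\bnet(\.exe)?\s+(user|group|localgroup|view)\b", re.I),
}

# Constructed sample: the post's three commands under the rundll32 parent,
# the staged output file, and an admin running systeminfo on its own.
SAMPLE_TELEMETRY = r"""
{"ts":"2024-10-01T10:15:01","eventSubId":2,"parentCmd":"rundll32.exe SafeStore.dll,epaas_request_clone","objectCmd":"cmd /c systeminfo","user":"victim"}
{"ts":"2024-10-01T10:15:02","eventSubId":2,"parentCmd":"rundll32.exe SafeStore.dll,epaas_request_clone","objectCmd":"cmd /c route print","user":"victim"}
{"ts":"2024-10-01T10:15:03","eventSubId":2,"parentCmd":"rundll32.exe SafeStore.dll,epaas_request_clone","objectCmd":"cmd /c ipconfig /all","user":"victim"}
{"ts":"2024-10-01T10:15:04","eventSubId":101,"parentCmd":"rundll32.exe SafeStore.dll,epaas_request_clone","objectFilePath":"C:\\Temp\\123.txt","user":"victim"}
{"ts":"2024-10-01T11:40:00","eventSubId":2,"parentCmd":"C:\\Windows\\explorer.exe","objectCmd":"cmd /c systeminfo","user":"admin"}
"""


def parse_events(text):
    """One JSON record per line; blank lines skipped; ts parsed to datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def classify(cmd):
    """Name of the discovery category a command line falls into, or None."""
    for name, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmd):
            return name
    return None


def find_discovery_bursts(events, window=timedelta(seconds=120), min_distinct=3):
    """One finding per parent whose children ran >= min_distinct distinct
    discovery commands inside `window`. Only process-create events count."""
    per_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("eventSubId") != 2:
            continue
        kind = classify(ev.get("objectCmd", ""))
        if kind:
            per_parent[ev["parentCmd"]].append((ev["ts"], kind, ev["objectCmd"]))

    findings = []
    for parent, hits in per_parent.items():
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            kinds = {h[1] for h in in_window}
            if len(kinds) >= min_distinct:
                findings.append({
                    "parent": parent,
                    "first_seen": t0.isoformat(),
                    "kinds": sorted(kinds),
                    "commands": [h[2] for h in in_window],
                })
                break  # one finding per parent is enough for triage
    return findings


def staged_output_files(events, parent):
    """Files the same parent created: where collected output was staged
    (123.txt in the post)."""
    return [ev["objectFilePath"] for ev in events
            if ev.get("eventSubId") == 101 and ev.get("parentCmd") == parent]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_TELEMETRY)
    for f in find_discovery_bursts(evs):
        print("discovery burst under:", f["parent"])
        print("  kinds:", f["kinds"])
        print("  staged files:", staged_output_files(evs, f["parent"]))
```

Keying on the parent rather than on any single command keeps the admin's lone systeminfo out of the results; the window and threshold are tunable, and a follow-on file write from the same parent is what lifts the finding from "noisy" to "investigate".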

DarkGate A3x script
The executable SystemCert.exe (SHA256: 4e291266399bd8db27da0f0913c041134657f3b1cf45f340263444c050ed3ee1), which we assess was transferred over the AnyDesk session, was executed and wrote script.a3x and AutoIt3.exe to the C:\Temp\test directory (Figure 7).

Once both files are in place, the malicious script.a3x is run with the AutoIt interpreter using the command cmd c:\temp\test\AutoIt3.exe c:\temp\test\script.a3x. AutoIt3.exe is the legitimate, signed interpreter, so detection has to rest on where it runs from and what script it is given rather than on the interpreter's hash.

The encrypted AutoIt payload script.a3x decrypts itself in memory into shellcode and injects itself into remoteoperations:Microsoft Edge Update Core.
Persistence
For persistence, the malware staged a copy of the AutoIt interpreter and a renamed script under C:\ProgramData and registered a registry value (value type 1, REG_SZ) that relaunches the interpreter with that script:
identifier: name: ddadcae
Data in registry value: "C:\ProgramData\fcdcdfc\Autoit3.exe" C:\ProgramData\fcdcdfc\bbbckdb.a3x
Value type in registry: 1
Because the value points at a legitimate interpreter, the signal to hunt for is an Autoit3.exe outside its install directory being launched from a registry run value with a script under C:\ProgramData. Taken together, the chain shows DarkGate's multistage, evasion-minded design: a legitimate remote access tool for entry, rundll32.exe to run a malicious DLL, a scripted stage executed by a signed interpreter, and a registry entry for persistence. Understanding this behavior is what makes defending against similar threats practical.
Conclusions and suggestions for security
In the case at hand, the breach was thwarted before the attacker could meet their goal, and there were no indications of data exfiltration. DarkGate is typically distributed through phishing emails, malvertising, and SEO poisoning; in this instance, however, the attacker used voice phishing (vishing) to lure the victim. Microsoft has documented the same vishing approach in an intrusion where the attacker abused Quick Assist to gain a foothold for ransomware deployment.
To defend against the kind of threat discussed in this blog post, organizations can adopt the following guidelines:
- Thoroughly validate third-party technical support providers. Legitimate third-party support services exist, but any claim of vendor association must be verified before remote access to corporate systems is granted. Remote access tools such as AnyDesk should go through a vetting process that evaluates their security posture and the legitimacy of their provider before they are approved.
- Allow only approved remote access tools and block unapproved ones. Enforcing multi-factor authentication (MFA) on the approved tools adds a further layer of verification before system access is granted and makes it harder for an unapproved tool to be used to take control of internal devices.
- Train employees to recognize social engineering tactics, phishing attempts, and the risk of unsolicited support calls or pop-ups. A well-informed workforce is less susceptible to social engineering ploys, which strengthens the organization's overall security posture.
To effectively counter the changing threat landscape, organizations should prioritize a multilayered security strategy. Solutions like Trend Micro Apex One™ with XDR offer an encompassing security-as-a-service (SaaS) solution, granting full access to XDR capabilities in Trend Vision One™ for detecting, responding to, and enhancing cyberattack prevention. Furthermore, Trend Micro™ Managed XDR, an integral part of Trend Service One™, contributes significantly by delivering around-the-clock monitoring, defense, and detection for continuous protection against emerging threats.
Trend Micro Vision One Threat Intelligence
To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights aids customers in preempting cyber threats and better prepares them for emerging threats. It furnishes comprehensive insights on threat actors, their nefarious activities, and the methodologies they employ. By leveraging this intelligence, customers can proactively fortify their environments, mitigate risks, and effectively counter threats.
Trend Micro Vision One Intelligence Reports App [IOC Sweeping]
- Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion
- Spike in DarkGate Activity – with a new version and new infrastructure
- A new DARKGATE campaign was observed
Trend Micro Vision One Threat Insights App
Hunting Queries
Trend Micro Vision One Search App
To search for possibly malicious activity linked to DarkGate, the following query can be used. It looks for AutoIt3.exe and AutoIt script files (.a3x) being created and executed. Note that legitimate AutoIt use will also match, so results need triage.
- eventSubId: 101 – TELEMETRY_FILE_CREATE
- eventSubId: 2 – TELEMETRY_PROCESS_CREATE
(eventSubId:101 or eventSubId:2) and (objectCmd:(Autoit3.exe or *.a3x) or processCmd:(Autoit3.exe or *.a3x))
Each event carries a single eventSubId, so the two event types are combined with or; joining them with and would return nothing.
More search queries are accessible to Vision One customers with Threat Insights Entitlement enabled.
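As an added example, not part of the original post and not Trend Micro's tooling, the following Python applies the same hunt locally to exported telemetry. It covers both the AutoIt execution seen in the DarkGate A3x script section and the registry persistence value shown in the Persistence section: it flags AutoIt3.exe running a .a3x script from anywhere other than the AutoIt install directory, and registry values whose data launches Autoit3.exe with a .a3x argument. Field names beyond the ones quoted in the post (objectRegistryData, objectRegistryValue, objectRegistryKeyHandle, host) and the sub-id used for registry writes are assumptions, and the sample records are constructed.

```python
"""Added example: local triage of AutoIt3.exe + .a3x execution and persistence.

Records are constructed JSON lines. eventSubId 2 (process create) is from the
post; REG_VALUE_SET and the objectRegistry* field names are assumptions, so
map them to your own telemetry schema before use.
"""
import json
import ntpath
import re

# Where a legitimate AutoIt install keeps its interpreter; anything else is suspect.
EXPECTED_AUTOIT_DIRS = (
    r"c:\program files (x86)\autoit3",
    r"c:\program files\autoit3",
)
A3X_ARG = re.compile(r"\S+\.a3x\b", re.I)
PROCESS_CREATE = 2      # TELEMETRY_PROCESS_CREATE, as quoted in the post
REG_VALUE_SET = 302     # assumed sub-id for a registry value write

# Constructed sample: the post's temp-dir launch, its run-value persistence,
# a developer using an installed AutoIt, and an unrelated command.
SAMPLE_TELEMETRY = r"""
{"host":"WS-01","eventSubId":2,"objectCmd":"cmd c:\\temp\\test\\AutoIt3.exe c:\\temp\\test\\script.a3x"}
{"host":"WS-01","eventSubId":302,"objectRegistryKeyHandle":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","objectRegistryValue":"ddadcae","objectRegistryData":"\"C:\\ProgramData\\fcdcdfc\\Autoit3.exe\" C:\\ProgramData\\fcdcdfc\\bbbckdb.a3x","objectRegistryValueType":1}
{"host":"DEV-07","eventSubId":2,"objectCmd":"\"C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe\" C:\\Users\\dev\\build\\deploy.a3x"}
{"host":"WS-02","eventSubId":2,"objectCmd":"cmd /c ipconfig /all"}
"""


def parse_events(text):
    """One JSON record per non-blank line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def split_command(cmdline):
    """Split a Windows command line into (image, rest); the image may be quoted."""
    cmdline = cmdline.strip()
    m = re.match(r'^"([^"]+)"\s*(.*)$', cmdline) or re.match(r"^(\S+)\s*(.*)$", cmdline)
    return (m.group(1), m.group(2)) if m else (cmdline, "")


def unwrap_cmd(cmdline):
    """Strip a leading `cmd [/c|/k]` wrapper so the real image is inspected."""
    image, args = split_command(cmdline)
    if ntpath.basename(image).lower() in ("cmd", "cmd.exe"):
        args = re.sub(r"^/[ck]\s+", "", args, flags=re.I)
        return split_command(args)
    return image, args


def in_expected_dir(image):
    """True when the interpreter sits in a standard AutoIt install directory."""
    return ntpath.dirname(image).lower() in EXPECTED_AUTOIT_DIRS


def autoit_launch(cmdline):
    """(image, script) if cmdline runs AutoIt3.exe with a .a3x argument, else None."""
    image, args = unwrap_cmd(cmdline)
    if ntpath.basename(image).lower() != "autoit3.exe":
        return None
    m = A3X_ARG.search(args)
    return (image, m.group(0)) if m else None


def hunt_autoit(events):
    """Findings for AutoIt script execution and AutoIt-based registry persistence."""
    findings = []
    for ev in events:
        sub = ev.get("eventSubId")
        if sub == PROCESS_CREATE:
            for field in ("objectCmd", "processCmd"):
                hit = autoit_launch(ev.get(field, ""))
                if hit:
                    image, script = hit
                    findings.append({"type": "autoit_exec", "host": ev.get("host"),
                                     "image": image, "script": script,
                                     "suspicious": not in_expected_dir(image)})
                    break
        elif sub == REG_VALUE_SET:
            hit = autoit_launch(ev.get("objectRegistryData", ""))
            if hit:
                image, script = hit
                # A run value pointing at AutoIt with a script is persistence; always escalate.
                findings.append({"type": "autoit_persistence", "host": ev.get("host"),
                                 "key": ev.get("objectRegistryKeyHandle"),
                                 "value": ev.get("objectRegistryValue"),
                                 "image": image, "script": script, "suspicious": True})
    return findings


def triage(events):
    """Only the findings worth escalating: non-standard interpreter paths and persistence."""
    return [f for f in hunt_autoit(events) if f["suspicious"]]


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_TELEMETRY)):
        print(f["host"], f["type"], f["image"], f["script"])
```

The developer's launch from the AutoIt install directory is still recorded, but only the temp-directory launch and the run value are escalated, which is the triage the query in the post needs once it returns legitimate AutoIt use alongside DarkGate.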
Indicators of Compromise (IOCs)
| SHA256 | Indicator | Detection |
|---|---|---|
| 1cbda9a3f202e7aacc57bcf3d43ec7b1ca42564a947d6b5a778df90cddef079a | SafeStore.dll | Trojan.Win64.DARKGATE.A |
| 4e291266399bd8db27da0f0913c041134657f3b1cf45f340263444c050ed3ee1 | SystemCert.exe | Trojan.Win32.DARKGATE.E |
| faa54f7152775fa6ccaecc2fe4a6696e5b984dfa41db9a622e4d3e0f59c82d8b | StaticSrv.exe | Trojan.Win32.DARKGATE.E |
| bb56354cdb241de0051b7bcc7e68099e19cc2f26256af66fad69e3d2bc8a8922 | script.a3x | Trojan.AutoIt.DARKGATE.D |
| e4d13af4bfc3effe4f515c2530b1b182e18ad0c0a3dacac4dd80d6edcf0b007a | spamfilter_v1.4331.vbs | Trojan.VBS.DARKGATE.B |
| URL/IP | Rating | Category |
|---|---|---|
| 179.60.149.194 | Dangerous | C&C Server |
| hxxp://179[.]60[.]149[.]194:8080/fdgjsdmt | Dangerous | Malware Accomplice |