Recent DarkGate Activity & Trends

Introduction

DarkGate is a malware family, dating back to 2018, that gained prominence after the demise of Qakbot with a Malware-as-a-Service (MaaS) offering advertised in underground cybercrime forums starting in the summer of 2023. This blog examines DarkGate intrusion trends observed by ThreatLabz between June and October 2023. 

Key Takeaways

  • DarkGate activity surged in late September and early October 2023.
  • According to our customer telemetry, the technology sector is the most impacted by DarkGate attack campaigns.  
  • Most DarkGate domains are 50 to 60 days old, which may indicate a deliberate approach where threat actors create and rotate domains at specific intervals.

Trend 1: DarkGate activity surges in late September, early October

To better understand DarkGate distribution trends, the ThreatLabz team analyzed hostnames, registration information, IP addresses, website content, and any recent patterns that emerged.

Increase in DarkGate domains

Our analysis revealed that there was a significant rise in the number of active DarkGate domains during the last week of September 2023. This means that more DarkGate websites associated with illegal activities were active during this specific time period.

Uptick in DarkGate transactions 

DarkGate transactions increased in late September and into October. Notably, there was a substantial spike in transactions on October 10, 2023. This suggests that the threat actors behind Darkgate were particularly active during this time, possibly executing a series of attacks.

This DarkGate transaction data was compiled by observing the Zscaler cloud. Each time an infected machine made contact with a C2 server was counted as a transaction.

Figure 1: Illustrates spikes in DarkGate command-and-control (C2) activity by date

Figure 1: Illustrates spikes in DarkGate command-and-control (C2) activity by date

Trend 2: Technology sector most targeted by DarkGate

Based on analysis of our customer telemetry, the technology industry is the most targeted by DarkGate at 36.7%. Food, beverage, and tobacco come in second at 12.7%. 

Figure 3: Industries most targeted by DarkGate

Figure 2: Industries most targeted by DarkGate

Trend 3: Most DarkGate domains are 50 to 60 days old

ThreatLabz found a concentrated level of activity (such as serving websites, handling transactions, or participating in network communications) among hostnames that have been in existence for 50-60 days. The fact that DarkGate domains follow this pattern could indicate that threat actors are taking a systematic approach where they create and rotate domains at specific intervals. Most likely, this intentional pattern perpetrated by threat actors is a way of evading security measures that target known malicious domains.

Figure 4: Age distribution of DarkGate domains based on transaction volume

Figure 3: Age distribution of DarkGate domains based on transaction volume

Conclusion

The recent surge in DarkGate’s activity can be attributed to its use as a replacement for Qakbot. In addition to staying on top of the threat of DarkGate malware, Zscaler’s ThreatLabz team continuously monitors for new and emerging threats and shares its findings with the wider security community.

Zscaler Coverage & Indicators of Compromise (IOCs)

Zscaler’s multilayered cloud security platform detects indicators related to DarkGate at various levels. Zscaler Sandbox played a particularly crucial role in analyzing the behavior of various files. Through this sandbox analysis, the threat scores and specific MITRE ATT&CK techniques triggered were identified, as illustrated in the screenshot provided below. Zscaler’s advanced threat protection capabilities and comprehensive zero trust approach empowers cybersecurity professionals with critical insights into malware behavior, enabling them to effectively detect and counter the threats posed by malicious actors.

  • Win64.Downloader.DarkGate
  • Win32.Trojan.DarkGate
  • Win64.Trojan.DarkGate
  • LNK.Downloader.DarkGate
  • VBS.Downloader.DarkGate
  • JS.Downloader.DarkGate

Figure 5: Zscaler Cloud Sandbox

Figure 4: Zscaler Cloud Sandbox 

MITRE ATT&CK TTP’s 

Tactic Technique ID Technique ID
Initial Access T1566 Phishing
Execution
  • T1204
  • T1059
  • T1569
  • User Execution 
  • Command and Scripting Interpreter 
  • System Services
Persistence T1547 Boot or Logon Start Execution

Defense Evasion 

  • T1027 
  • T1070.004 
  • T1202 
  • T1564.001
  • T1140
  • Obfuscated Files or Information 
  • File Deletion
  • Indirect Command Execution 
  • Hidden Files and Directories  
  • Deobfuscate/Decode Files for Information
Credential Access
T1555.003
Credentials from Web Browsers
Discovery
  • T1016
  • T1083
  • T1057
  • T1082
  • System Network Configuration Discovery
  • File and Directory Discovery
  • Process Discovery
  • System Information Discovery
Command and Control T1071 Application Layer Protocol

Indicators of Compromise (IoCs)

  • Phishing PDF: 55f16d7f0a1683f32b946c03bdda79ca
  • Malicious DLL: a2fb0b0d34d71073cd037e872d40ea14
  • Encoded AutoIt Script: 0ea7d1a7ad1b24835ca0b2fc6c51c15a
  • AutoIt Loader Benign: c56b5f0201a3b3de53e561fe76912bfd
  • DarkGate Payload: f242ce468771de8c7a23568a3b03a5e2
  • Malicious ZIP: d2efccdb50c7450e8a99fec37a805ce6
  • LNK File: 7791017a97289669f5f598646ef6d517
  • Phishing PDF: 803103fe4b32c86fb3f382ee17dfde44 
  • Malicious ZIP: 0a341353e5311d8f01f582425728e1d7 
  • VBS File: 3df59010997ed2d70c5f7095498b3b3f
  • Encoded AutoIt Script: 660bc32609a1527c90990158ef449757
  • AutoIt Loader Benign: c56b5f0201a3b3de53e561fe76912bfd 
  • DarkGate Payload: 9bf2ae2da16e9a975146c213abd7cd4f
  • Malicious ZIP: 9f93952e425110de34e00ebd6d6daab3 
  • VBS File: c78dfe0f9b4fd732c8e99eb495ed9958
  • Encoded AutoIt Script: 660bc32609a1527c90990158ef449757
  • AutoIt Loader Benign: c56b5f0201a3b3de53e561fe76912bfd
  • DarkGate Payload: 9bf2ae2da16e9a975146c213abd7cd4f
  • Malicious ZIP: 54e65e96d2591106a2c41168803c77ff
  • JS File: 57cfc3b0b53e856c78b47867d7013516
  • Phishing Email: 0a50d4ea1a9d36f0c65de0e78eacbe95
  • PDF document: 097cbe9af6e66256310023ff2fbadac6
  • Malicious CAB File: 6ecd98dfd52136cff6ed28ef59b3f760
  • MSI File: 8ef6bc142843232614b092fac948562d
  • CAB file dropped from MSI: a169cebb4009ecfb62bb8a1faf09182f

Command-and-control (C2)

  • ​​luxury-event-rentals[.]com
  • drvidhya[.]in
  • alianzasuma[.]com
  • cpm.com[.]py
  • corialopolova[.]com
  • skylineprodutora[.]com.br
  • medsure[.]com.br
  • humanrecruitasia[.]com
  • journeotravel[.]com
  • skylineprodutora.com[.]br
  • ahantadevnet[.]org
  • yellowstone[.]com.mm
  • asiaprofessionals[.]net
  • axecapital[.]ro
  • semquedagotas[.]com.br
  • reverasuplementos[.]fun
  • tikwave[.]site
  • grupec[.]com.co
  • chatpipoca[.]net
  • ncsinternationalcollege[.]com
  • gatraders.com[.]pk
  • ibuytech[.]pk
  • winstonandfriendz[.]ca
  • skincaremulher[.]fun
  • adam-xii-rpl.my[.]id
  • mycopier.com[.]my
  • japaaesthetics[.]com
  • msteamseyeappstore[.]com
  • youth[.]digital
  • roundstransports[.]com
  • mfleader.com[.]ar
  • fefasa[.]hn
  • nile-cruiise-egypt[.]com
  • flyforeducation[.]com
  • expertaitalia[.]eu
  • plataformaemrede[.]com.br
  • runnerspacegifts[.]com/umn/
  • kiwifare[.]net
  • getldrrgoodgame[.]com
  • hmas[.]mx
  • darkgate[.]com
  • 5.188.87.58
  • 5.42.77.33
  • 45.144.28.244
  • 94.228.169.123
  • 94.228.169[.]143[:]2351/
  • 94.228.169[.]143[:]8080/
  • 66.42.110.147
  • 94.131.106.78
  • 88.119.175.245
  • 45.32.222.253
  • grupowcm[.]com[.]br
  • thekhancept[.]com
  • eelontech[.]com
  • bligevale[.]co[.]zw
  • dhtech[.]ae
  • techs[.]com
  • gsrhrservices[.]com
  • glowriters[.]com
  • a2zfortextile[.]com
  • alpileannn[.]com
  • boutiquedhev[.]com
  • hypothequeswestisland[.]com
  • onetabmusic[.]com
  • sirishareddy[.]info
  • appapi[.]store
  • sictalks[.]com
  • nia-dbrowntestserver[.]com[.]ng
  • ofc[.]ai
  • unasd[.]org
  • plusmag[.]ro
  • beautifullike[.]com
  • gsrglobal[.]org
  • winstonandfriendz[.]ca
  • divinfosystem[.]com
  • supershuttles[.]co[.]za
  • ziaintegracion[.]com
  • themarijuanashow[.]com
  • blackshine[.]lk
  • deroze[.]net
  • vtektv[.]com
  • dna-do-gamer[.]com
  • kalismprivateltd[.]co[.]uk
  • arshany[.]com
  • kelotecnologia[.]com
  • millennialradio[.]es
  • phomecare.co.uk

Source: https://www.zscaler.com/blogs/security-research/recent-darkgate-activity-trends