The Gatekeeper’s Secrets: DarkGate Malware Analysis

Introduction

In the beginning of 2024, eSentire’s Threat Response Unit (TRU) observed an increase in DarkGate malware infections. DarkGate is a commodity loader initially discovered in 2018 but has seen success through multiple iterations over the past six years. The loader is delivered through a variety of methods, including Microsoft Teams chat messages with attached Zip archives containing script files, Visual Basic Scripts (VBS) embedded in external Skype messages, phishing links, malvertising campaigns, and fake browser updates.

DarkGate has been observed loading multiple different pieces of malware over the years, including Danabot and SocGholish. The malware has previously utilized AutoIt for loading and has abused CVE-2024-21412 (CVSS:8.1), an Internet Shortcut File (LNK) security feature bypass vulnerability.

We extensively covered DarkGate in our TRU Threat Intelligence Briefing in September 2023 and in November 2023, we published a TRU Positive on Danabot leading to the deployment of DarkGate

Initial Infection Analysis

In early 2024, eSentire’s TRU team received a quarantined malicious email for analysis. The subject line indicated that the email, masquerading as an invoice, originated externally (Figure 1).

Phishing email subject line used to deploy DarkGate malware.
Figure 1: Phishing email subject line

The email included a PDF attachment named KA-6180574967.pdf (Figure 2).

Embedded PDF attachment viewed in EML file used to deploy DarkGate malware.
Figure 2: Embedded PDF attachment viewed in EML file

Upon opening the PDF file, the user is met with a deceptive Chrome error page, urging them to download the file to view its contents (Figure 3).

Deceptive Chrome error page used to deploy DarkGate malware.
Figure 3: Deceptive Chrome error page

The download link leads to a malicious URL with a ClickCease monitor in the initial segment, which is a Google-certified click-tracking service. The second part of the URL corresponds to the actual monitored destination where the user is redirected (Figure 4).

Redirect URL used to deploy DarkGate malware.
Figure 4: Redirect URL

The final website initiates the download of an invoice themed Zip archive (Figure 5).

Final page serving the ZIP archive containing the Internet Shortcut file used to deploy DarkGate malware.
Figure 5: Final page serving the ZIP archive containing the Internet Shortcut file

Upon extracting the contents of the Zip archive, the user encounters a malicious Internet Shortcut (URL) file masquerading as an invoice PDF document (Figure 6).

Internet Shortcut file disguising as a PDF document used to deploy DarkGate malware.
Figure 6: Internet Shortcut file disguising as a PDF document

The URL file is configured to download and execute a malicious Portable Executable (PE) file named reader_update.exe, which masquerades as Adobe Reader (Figure 7).

The content of the Internet Shortcut file used to deploy DarkGate malware.
Figure 7: The content of the Internet Shortcut file

In the analysis process, the Zip archive was downloaded, and contents were extracted to acquire the PE file
(Figure 8).

Retrieved ZIP archive with AutoIt script used to deploy DarkGate malware.
Figure 8: Retrieved ZIP archive with AutoIt script

Upon analysis it was discovered that the fake Adobe update file was a compiled AutoIT script in the executable format.

DarkGate Malware Analysis

 Upon execution, this PE file carries out the following actions (Figure 9):

  • Creates a directory at C:test
  • Downloads three files (AutoIt3.exe, script.a3x, and test.txt) into this folder
  • Executes Autoit3.exe with the argument script.a3x
The deobfuscated AutoIt script used to deploy DarkGate malware.
Figure 9: The deobfuscated AutoIt script

These files were manually downloaded for additional analysis (Figure 10).

Additional files retrieved from the previous AutoIt script used to deploy DarkGate malware.
Figure 10: Additional files retrieved from the previous AutoIt script

Upon analysis of the files, it was discovered that:

  • AutoIt3.exe was the legitimate AutoIt3 executable
  • test.txt contained text data
  • script.a3x was a compiled AutoIT script
  • Decompiling the script using myAutToExe revealed an obfuscated AutoIT script
  • The initial portion of the script opened test.txt, split its contents by character, and utilized concatenation to set a variable value across multiple lines (Figure 11)
The contents of script.a3x file used to deploy DarkGate malware.
Figure 11: The contents of script.a3x file

The subsequent section of the script prepared the groundwork for payload execution (Figure 12).

Obfuscated characters used to deploy DarkGate malware.
Figure 12: Obfuscated characters

The script file utilized characters from the test.txt file based on their positions (Figure 13).

Content of test.txt file used to deploy DarkGate malware.
Figure 13: Content of test.txt file

We have developed a script to simplify the analysis of the obfuscated script file. The script replaces the variable data with static content sourced from the test.txt file, enhancing visual clarity.

After simplifying the obfuscated script using the provided Python script, it becomes evident that the first part of the code is dedicated to constructing the shellcode payload (Figure 14).

Shellcode payload ($SFEPMTKC) used to deploy DarkGate malware.
Figure 14: Shellcode payload ($SFEPMTKC)

The second part of the code involves configuring data structures, adjusting memory protection for specific regions, and using a callback function within Windows API calls to execute code injection. The payload generated and executed is 46340 bytes in size.

API callback injection is a technique where a callback function is registered with a Windows API function, such as EnumWindows, and this function is executed when a particular event or condition is met. By passing a function pointer (callback function) to the API, the system calls this function at the appropriate time during the execution of the API function. In the context of code injection, malicious code or shellcode can be executed by manipulating the callback mechanism to point to the desired code instead of a legitimate function pointer, enabling an attacker to gain unauthorized access or perform malicious actions within the target process’s address space. This method leverages the functionality of Windows API callbacks to stealthily inject and execute code, bypassing typical detection mechanisms and posing a significant security risk if exploited maliciously (Figure 15).

Leveraging API callbacks for code injection used to deploy DarkGate malware.
Figure 15: Leveraging API callbacks for code injection

After conducting additional cleanup operations, the cleaned shellcode was successfully extracted and saved for further analysis (Figure 16).

Cleaned-up shellcode (Source: CyberChef) used to deploy DarkGate malware.
Figure 16: Cleaned-up shellcode (Source: CyberChef)

Upon examination of the file in a hex editor, it was observed that the shellcode contains an MZ header. Subsequently, the PE file was extracted from the shellcode and saved separately for analysis (Figure 17).

Shellcode containing the MZ header used to deploy DarkGate malware.
Figure 17: Shellcode containing the MZ header

Upon inspecting the file, it was determined that the program was compiled in Delphi. Consequently, the program was examined in a decompiler for additional analysis.

After performing further analysis, we were able to identify that a section of the code refers to the script.a3x file while searching for the string “OJytGrNE” (Figure 18).

String "OJytGrNE" found in the extracted file used to deploy DarkGate malware.
Figure 18: String “OJytGrNE” found in the extracted file

Upon searching for this string in the hex editor, two instances of “OJytGrNE” were found, with one instance located at the end of the script (Figure 19).

String “OJytGrNE” found at the end of the script.a3x used to deploy DarkGate malware.
Figure 19: String “OJytGrNE” found at the end of the script.a3x

The second instance was near the top of the script. Another noteworthy observation during the review of this section was the frequent repetition of the characters “CDq” (Figure 20).

String "OJytGrNE" found at the beginning of the script.a3x used to deploy DarkGate malware.
Figure 20: String “OJytGrNE” found at the beginning of the script.a3x

An educated assumption led us to extract the portion of the file bounded by the string “OJytGrNE” and apply an XOR operation with the key “CDq” because of its repetitive pattern. The output is a PE file with a distorted MZ header (M replaced by I), which can be rectified manually (Figure 21).

XOR decryption of the DarkGate payload used to deploy DarkGate malware.
Figure 21: XOR decryption of the DarkGate payload

When opened in a decompiler, an interesting string “6.1.9” was noted in the Delphi-compiled file, potentially indicating the version of the malware (Figure 22).

Version of the DarkGate being analyzed used to deploy DarkGate malware.
Figure 22: Version of the DarkGate being analyzed

The specific code segment was responsible for extracting the encrypted malware configuration (0x401 bytes in size) and storing it in a separate location (Figure 23).

The code responsible for extracting the DarkGate configuration used to deploy DarkGate malware.
Figure 23: The code responsible for extracting the DarkGate configuration

The identified malware configuration within the file is in an encrypted format, as shown below. The configuration initiates from the highlighted location at 0x45d524 and extends for 0x401 bytes up to 0x45d925 (Figure 24).

Encrypted DarkGate configuration used to deploy DarkGate malware.
Figure 24: Encrypted DarkGate configuration

Subsequently, a key is generated from the string “ckcilIcconnh” to decrypt the encrypted configuration. The key is generated by XORing each character at a specific position with the difference between the key length and the position of that character in the string (Figure 25).

The subsequent code segment decrypts the malware configuration data by XORing the first byte of the encrypted configuration with the character at the first index of the generated key (Figure 26). Subsequently, each following byte in the configuration is XORed with the character at index 3 in the generated key (Figure 27).

Decryption routine used to deploy DarkGate malware.
Figure 25: Decryption routine

We have created a DarkGate Configuration Extraction Script to streamline and automate this process, facilitating the extraction of the final configuration data.

The output generated from the execution of the script is shown below (Figure 26).

Generated output from the decryption script used to deploy DarkGate malware.
Figure 26: Generated output from the decryption script

Output from the configuration extractor:

0=persikmonkiey7drone[.]com|

8=No

11=DarkGate

12=R0ijS0qCVITtS0e6xeZ

13=6

14=Yes

15=80

1=Yes

3=Yes

4=No

18=50

6=No

7=No

19=7000

5=No

21=No

22=No

23=Yes

25=admin888

26=No

27=OJytGrNE

28=No

29=6

tabla=VfRlH1jiw}*=0G9TEOqr2ZLQ3Y4Wc](uydn$Ssvmt7C.,[JBNhXzb”kax&pFK8o5UgDA)6IM eP{

Additional Analysis

DarkGate systematically scans for a wide range of antivirus software within the environment to identify the presence of malware effectively (Figure 27). The list of AVs checked by DarkGate includes Bitdefender, AVAST, AVG, Kaspersky, ESET, Avira, Norton, Symantec, Trend Micro, McAfee, SUPER AntiSpyware, Comodo, MalwareBytes, ByteFence, Search & Destroy, 360 Total Security, Total AV, IObit Malware Fighter, Panda Security, Emsisoft, Quick Heal, F-Secure, Sophos, Windows Defender, G Data, and Nod32. The function to detect the antivirus present on the host is as follows.

The function that detects if antivirus is present used to deploy DarkGate malware.
Figure 27: The function that detects if antivirus is present

DarkGate injects shellcode into the microsoftedgeupdatecore.exe process using the following function for shellcode injection (Figure 28).

DarkGate injecting shellcode into microsoftedgeupdatecore.exe used to deploy DarkGate malware.
Figure 28: DarkGate injecting shellcode into microsoftedgeupdatecore.exe

In the above image, a segment of 0x598 bytes starting from the section_injected point is replicated into the suspended microsoftedgeupdatecore.exe process at the entry point location. Following this action, the thread is resumed to initiate the execution process.

The code to be injected into the target process (section_injection) is depicted in the image below (Figure 29).

The code which is injected into the process used to deploy DarkGate malware.
Figure 29: The code which is injected into the process

The injected shell walks the PEB to resolve WINAPIs for executing functions in the context of the microsoftedgeupdatecore.exe target process as shown in the image below. The API function names are present in the form of stack strings which are utilized in the resolution process (Figure 31).

API functions as stack strings used to deploy DarkGate malware.
Figure 30: API functions as stack strings

The image below illustrates the transfer of the section on the right (section_injected) to the entry point of the microsoftedgeupdatecore.exe process via WriteProcessMemory. Subsequently, ResumeThread is invoked to execute the previously suspended process with the newly injected data (Figure 31).

ResumeThread invoked to execute process with newly injected data used to deploy DarkGate malware.
Figure 31: ResumeThread invoked to execute process with newly injected data

The below image (Figure 32) of the call stack shows the following information during the above process: 

  • 0x390: Handle to the microsoftedgeupdatecore.exe process.
  • 0x67CF40: Address of the target process’s entry point where the shellcode is intended to be written.
  • 0x2333070: Address of the buffer within the current process to be copied.
  • 0x598: Size of the shellcode to be copied.
  • 0x300FF04: Memory location that stores the number of bytes successfully written after the call is executed.
Call stack prior to WriteProcessMemory API call used to deploy DarkGate malware.
Figure 32: Call stack prior to WriteProcessMemory API call

DarkGate possesses various capabilities, such as initiating threads and adjusting privileges. It has the capability to add SeShutdownPrivilege; in case of failure, it invokes NtRaiseHardError and triggers a Blue Screen of Death (BSOD) as a fallback action. These options are shown in the image below (Figure 33).

DarkGate capabilities used to deploy DarkGate malware.
Figure 33: DarkGate capabilities

DarkGate can emulate mouse click events, allowing it to simulate user interactions with the system through programmatically generated mouse clicks as shown in the image below (Figure 34).

DarkGate emulating mouse click events used to deploy DarkGate malware.
Figure 34: DarkGate emulating mouse click events

Another capability of DarkGate is its ability to remove itself and any dropped files or artifacts in temporary directories or other locations where it may have been deposited during its execution. This feature ensures that DarkGate can cover its tracks and leave minimal trace of its activities on the system. This feature is depicted in the image below (Figure 35).

Darkgate removing itself used to deploy DarkGate malware.
Figure 35: Darkgate removing itself

There have been newer versions of DarkGate that have not been directly observed by eSentire, though as of June 2024, the version outlined in this report continued to be observed. The new version changes the execution script from AutoIT to AutoHotKey, alongside varying delivery methods. These changes have been documented in reports from McAfee and Trellix.

How eSentire is Responding

  • eSentire MDR for Endpoint has detections in place to identify DarkGate related activity.
  • eSentire MDR for Network detects Command-and-Control (C2) connections associated with DarkGate.
  • We also performed retroactive threat hunts across our customers’ environments for known DarkGate indicators.

Recommendations from eSentire’s Threat Response Unit (TRU)

MITRE ATT&CK

MITRE ATT&CK Tactic

ID

MITRE ATT&CK Technique

Description

Reconnaissance

T1592.002

Gather Victim Host Information: Software

DarkGate identifies a large variety of anti-virus programs on the host

Initial Access

T1566.001

Phishing: Spearphishing Attachment

DarkGate is delivered in emails through PDF documents

Execution

T1204.002

User Execution: Malicious File

The user executed the initial file leading to the DarkGate infection

Defense Evasion

T1055
T1055.012

Process Injection
Process Hollowing

DarkGate performs process injection using an AutoIT script, which utilizes the EnumWindows API (Callback code execution). Additionally, DarkGate executes process hollowing by writing malicious code to the MicrosoftEdgeUpdateCore.exe process, injecting shellcode into the .text section of the suspended process before resuming execution

Defense Evasion

T1027.013

Obfuscated Files or Information: Encrypted/Encoded File

Darkgate has an XOR encrypted section within the AutoIT file which is used to retrieve the final payload

Appendix

Indicators of Compromise

Name

IOC

Download Link

hxxps[://]monitor[.]clickcease[.]com//tracker/tracker?id=qf2024tFAUFIqOrNt72&adpos=&nw=a&url=//otiunmonisky2m[.]com/?utm_content=DyhfwDxSjV&session_id=CB26j6C51PI3UtIeH6Iy&id=HRqDe&filter=rPWHSFqbMG-qBptf&lang=es&locale=US

Download Link

hxxps[://]otiunmonisky2m[.]com/?utm_content=DyhfwDxSjV&session_id=CB26j6C51PI3UtIeH6Iy&id=HRqDe&filter=rPWHSFqbMG-qBptf&lang=es&locale=US

KA-6180574967.pdf

da5304f9ee30f6f677236558adf2025f

Invoice2024021512.pdf.url:

ba2f71cbf293606259b0878e1774e36d

reader_update.zip URL

193[.]178[.]210[.]226/documents/reader_update[.]zip

reader_update.exe URL

193[.]178[.]210[.]226/documents/reader_update[.]zip/reader_update[.]exe

reader_update.zip

0bb063d129162e8c93830fdbcf2ba416

reader_update.exe

a74ae422391a22b5469135ae7f0cbf7d

AutoIt3.exe URL

hxxp[://]64[.]52[.]80[.]82/Autoit3[.]exe

script.a3x URL

hxxp[://]64[.]52[.]80[.]82/script[.]a3x

test.txt URL

hxxp[://]64[.]52[.]80[.]82/test[.]txt

AutoIt3.exe

c56b5f0201a3b3de53e561fe76912bfd

script.a3x

3a292ef66958f3a6e2684bea0d158aa3

test.txt

c845f145f64264171c729ccaa2b86301

mal.bin (Initial Shellcode Loaded in Memory)

5e1c16a9508e87147b85e368b2463e8f

mal.bin_extracted (PE File Carved from Shellcode)

28a242ae3e8c8a6d1b0ee0c59c1c9aa3

mal_encrypted.bin (XOR Encrypted Portion in A3X File)

d6adba203537023a2ae4f582d0b5e1b9

mal_dropped.bin (XOR Decrypted version of mal_encrypted.bin with fixed MZ header)

a825b1fec71bd128c16c05fbb763bc04

DarkGate C2

persikmonkiey7drone[.]com

Source: Original Post