Introduction
In the beginning of 2024, eSentire’s Threat Response Unit (TRU) observed an increase in DarkGate malware infections. DarkGate is a commodity loader initially discovered in 2018 but has seen success through multiple iterations over the past six years. The loader is delivered through a variety of methods, including Microsoft Teams chat messages with attached Zip archives containing script files, Visual Basic Scripts (VBS) embedded in external Skype messages, phishing links, malvertising campaigns, and fake browser updates.
DarkGate has been observed loading multiple other malware families over the years, including Danabot and SocGholish. The loader has previously used AutoIt for execution and has abused CVE-2024-21412 (CVSS 8.1), a security feature bypass in Internet Shortcut (.url) files.
We extensively covered DarkGate in our TRU Threat Intelligence Briefing in September 2023 and in November 2023, we published a TRU Positive on Danabot leading to the deployment of DarkGate.
Initial Infection Analysis
In early 2024, eSentire’s TRU team received a quarantined malicious email for analysis. The subject line indicated that the email, masquerading as an invoice, originated externally (Figure 1).
The email included a PDF attachment named KA-6180574967.pdf (Figure 2).
Upon opening the PDF file, the user is met with a deceptive Chrome error page, urging them to download the file to view its contents (Figure 3).
The download link points to a URL whose first segment is a ClickCease tracker (a Google-certified click-tracking service); the url parameter in the second part of the link holds the actual monitored destination to which the user is redirected (Figure 4).
The final website initiates the download of an invoice themed Zip archive (Figure 5).
Upon extracting the contents of the Zip archive, the user encounters a malicious Internet Shortcut (URL) file masquerading as an invoice PDF document (Figure 6).
The URL file is configured to download and execute a malicious Portable Executable (PE) file named reader_update.exe, which masquerades as Adobe Reader (Figure 7).
During analysis, the Zip archive was downloaded and its contents extracted to obtain the PE file (Figure 8).
Analysis showed that the fake Adobe update file was an AutoIt script compiled into an executable.
DarkGate Malware Analysis
Upon execution, the PE file performs the following actions (Figure 9):
- Creates the directory C:\test
- Downloads three files (AutoIt3.exe, script.a3x, and test.txt) into that folder
- Executes Autoit3.exe with script.a3x as its argument
These files were manually downloaded for additional analysis (Figure 10).
Analysis of the files showed that:
- AutoIt3.exe was the legitimate AutoIt3 interpreter
- test.txt contained only text: the pool of characters the script draws from
- script.a3x was a compiled AutoIt script
- Decompiling it with myAut2Exe yielded an obfuscated AutoIt script
- The first part of the script opens test.txt, splits its contents into individual characters, and builds a variable's value by concatenating selected characters across many lines (Figure 11)
The next section of the script sets up the payload execution (Figure 12).
The script selects characters from test.txt by their positions to assemble its strings (Figure 13).
We developed a Python script to simplify analysis of the obfuscated file: it replaces each positional lookup with the corresponding character from test.txt, which makes the reconstructed strings readable.
After simplifying the obfuscated script with that Python script, it becomes evident that the first part of the code is dedicated to constructing the shellcode payload (Figure 14).
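As an added illustration, not eSentire's script or the sample's own code, the following Python resolves the kind of positional lookup described above: it mirrors AutoIt's StringSplit (1-based positions, element 0 holding the count), substitutes each array reference with the character at that position, folds the resulting literal concatenations, and follows the `=`/`&=` assignments to rebuild the final string. The character pool, the snippet and the variable names `$aCh` and `$sPay` are constructed stand-ins; the real script's names and data differ.

```python
import re

# Constructed stand-ins for test.txt and the obfuscated script; the real names and data differ
SAMPLE_TEST_TXT = "abc0123456789xf"
SAMPLE_SCRIPT = """\
Local $sData = FileRead("C:\\test\\test.txt")
Local $aCh = StringSplit($sData, "")
Local $sPay = $aCh[4] & $aCh[14] & $aCh[15]
$sPay &= $aCh[3] & $aCh[8]
$sPay &= $aCh[12]
"""
ARRAY_VAR = "$aCh"   # assumed name of the StringSplit result array

def split_chars(text: str) -> list:
    # Mirror AutoIt's StringSplit($s, ""): 1-based elements, element 0 holds the count
    chars = list(text)
    return [str(len(chars))] + chars

def autoit_quote(ch: str) -> str:
    # AutoIt double-quoted literal; an embedded quote is written as ""
    return '"' + ch.replace('"', '""') + '"'

def resolve_lookups(script: str, chars: list, var: str = ARRAY_VAR) -> str:
    # Replace every $var[N] with the literal character at 1-based position N
    pat = re.compile(re.escape(var) + r"\[(\d+)\]")
    def repl(m):
        idx = int(m.group(1))
        if idx < 1 or idx >= len(chars):
            raise IndexError(f"{var}[{idx}] is outside the {len(chars) - 1}-character pool")
        return autoit_quote(chars[idx])
    return pat.sub(repl, script)

CONCAT = re.compile(r'"((?:[^"]|"")*)"\s*&\s*"((?:[^"]|"")*)"')

def fold_concats(script: str) -> str:
    # Collapse "a" & "b" into "ab" until no adjacent literal pair remains
    prev = None
    while prev != script:
        prev = script
        script = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', script)
    return script

def simplify(script: str, test_txt: str, var: str = ARRAY_VAR) -> str:
    return fold_concats(resolve_lookups(script, split_chars(test_txt), var))

ASSIGN = re.compile(r'^\s*(?:Local\s+|Global\s+)?(\$\w+)\s*(&?=)\s*"((?:[^"]|"")*)"\s*$')

def recover_literal(simplified: str, target: str) -> str:
    # Follow "$v = ..." and "$v &= ..." lines to rebuild the final value of $v
    value = ""
    for line in simplified.splitlines():
        m = ASSIGN.match(line)
        if m and m.group(1) == target:
            chunk = m.group(3).replace('""', '"')
            value = chunk if m.group(2) == "=" else value + chunk
    return value

if __name__ == "__main__":
    cleaned = simplify(SAMPLE_SCRIPT, SAMPLE_TEST_TXT)
    print(cleaned)
    print("recovered:", recover_literal(cleaned, "$sPay"))
```

On the constructed input the three assignment lines fold to "0xf", "c4" and "8", so the recovered value is "0xfc48"; on a real script the same pass leaves the hex or byte string that the later shellcode-building code consumes.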
The second part of the code sets up data structures, changes the memory protection of the payload region, and uses a callback parameter of a Windows API call to execute the injected code. The payload built and executed is 46,340 bytes in size.
API callback injection works by passing a function pointer to a Windows API that accepts a callback, such as EnumWindows, which then invokes that pointer for each event it reports (for EnumWindows, each top-level window). If the pointer refers to a buffer of executable shellcode rather than a legitimate function, the shellcode runs in the calling process's own address space, and the control transfer into it originates from inside a system DLL rather than from a thread-creation or remote-injection API. That indirection is what lets the technique slip past detections keyed on the usual injection primitives, which is why it is a meaningful risk when used maliciously (Figure 15).
After conducting additional cleanup operations, the cleaned shellcode was successfully extracted and saved for further analysis (Figure 16).
Examination of the file in a hex editor showed an MZ header inside the shellcode, i.e. an embedded PE file. That PE file was carved out of the shellcode and saved separately for analysis (Figure 17).
Upon inspecting the file, it was determined that the program was compiled in Delphi. Consequently, the program was examined in a decompiler for additional analysis.
Further analysis identified a section of code that refers to the script.a3x file and searches it for the string "OJytGrNE" (Figure 18).
Searching the script in a hex editor found two occurrences of "OJytGrNE", one of them at the end of the file (Figure 19).
The second occurrence was near the top of the script. Another noteworthy observation in this region was the frequent repetition of the characters "CDq" (Figure 20).
That pattern is what a short repeating XOR key leaves behind wherever the plaintext contains long runs of identical bytes (zero padding in PE headers, for instance), so the portion of the file bounded by "OJytGrNE" was extracted and XORed with the key "CDq". The output is a PE file with a damaged MZ signature (the "M" replaced by "I"), which was corrected manually (Figure 21).
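The carve, XOR and header-repair steps above, and the earlier step of locating the PE embedded in the shellcode, as one added Python example rather than the page's own tooling. It assumes the key phase starts at the first byte after the opening marker, that only the leading "M" of the signature was damaged, and that a valid e_lfanew pointing at "PE\0\0" is enough to accept the result; the wrapped sample is a constructed MZ/PE stub, not the real script.a3x.

```python
import struct

MARKER = b"OJytGrNE"   # delimiter string found in script.a3x
XOR_KEY = b"CDq"       # repeating key inferred from the ciphertext pattern

def xor_repeating(data: bytes, key: bytes) -> bytes:
    # Assumed: the key phase starts at the first carved byte
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def carve_between(data: bytes, marker: bytes) -> bytes:
    # Region between the first and last occurrence of the marker, markers excluded
    first, last = data.find(marker), data.rfind(marker)
    if first < 0 or last == first:
        raise ValueError("expected two occurrences of the marker")
    return data[first + len(marker):last]

def looks_like_pe(blob: bytes) -> bool:
    # MZ signature plus an e_lfanew that points at the "PE\0\0" NT signature
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_embedded_pe(blob: bytes) -> int:
    # Offset of the first MZ header that validates as a PE (the carving step for the shellcode), else -1
    pos = blob.find(b"MZ")
    while pos >= 0:
        if looks_like_pe(blob[pos:]):
            return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1

def recover_pe(a3x: bytes) -> bytes:
    blob = xor_repeating(carve_between(a3x, MARKER), XOR_KEY)
    if blob[:2] == b"IZ":          # damaged signature seen in the sample: 'M' replaced by 'I'
        blob = b"M" + blob[1:]
    if not looks_like_pe(blob):
        raise ValueError("decrypted blob does not look like a PE file")
    return blob

def build_sample_a3x() -> bytes:
    # Constructed: a minimal MZ/PE stub with its first byte damaged, wrapped the way the sample was
    pe = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", pe, 0x3C, 0x40)          # e_lfanew -> 0x40
    pe += b"PE\0\0" + b"\x4c\x01"                    # NT signature, Machine = i386
    pe[0] = ord("I")
    return b"\x00filler\x00" + MARKER + xor_repeating(bytes(pe), XOR_KEY) + MARKER + b"\x00tail"

if __name__ == "__main__":
    recovered = recover_pe(build_sample_a3x())
    print(recovered[:2], looks_like_pe(recovered), find_embedded_pe(b"\x90" * 7 + recovered))
```

Against a real sample, the validation in looks_like_pe is the check worth keeping: a wrong key or a misaligned key phase still produces bytes, but they will not carry a consistent e_lfanew and NT signature.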
Opened in a decompiler, the Delphi-compiled file contained the string "6.1.9", likely the malware version (Figure 22).
One code segment extracts the encrypted malware configuration (0x401 bytes) and copies it to a separate location (Figure 23).
The configuration is stored encrypted, as shown below; it starts at the highlighted location 0x45d524 and runs for 0x401 bytes, ending at 0x45d925 (Figure 24).
A key is then derived from the string "ckcilIcconnh": each character is XORed with (key length minus that character's position in the string) to produce the corresponding key byte (Figure 25).
The next code segment decrypts the configuration: the first encrypted byte is XORed with the first byte of the derived key (Figure 26), and every subsequent byte is XORed with the key byte at index 3 (Figure 27).
We have created a DarkGate Configuration Extraction Script to streamline and automate this process, facilitating the extraction of the final configuration data.
The output of the configuration extractor is shown below (Figure 26):
0=persikmonkiey7drone[.]com|
8=No
11=DarkGate
12=R0ijS0qCVITtS0e6xeZ
13=6
14=Yes
15=80
1=Yes
3=Yes
4=No
18=50
6=No
7=No
19=7000
5=No
21=No
22=No
23=Yes
25=admin888
26=No
27=OJytGrNE
28=No
29=6
tabla=VfRlH1jiw}*=0G9TEOqr2ZLQ3Y4Wc](uydn$Ssvmt7C.,[JBNhXzb"kax&pFK8o5UgDA)6IM eP{
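The key derivation and decryption described for Figures 25 through 27, followed by a parser for the id=value| layout of the output above, as an added Python example; it is not eSentire's extraction script. It assumes 0-based positions for the derivation (position i is XORed with 12 - i) and for the index-3 key byte, and it runs against a constructed configuration encrypted with the same scheme rather than the real binary, so the offset and contents below are invented.

```python
SEED = b"ckcilIcconnh"   # key seed string found in the sample
CFG_SIZE = 0x401         # size of the encrypted configuration blob
REAL_OFFSET = 0x45d524   # location in the analysed binary; the constructed image below uses its own

def derive_key(seed: bytes = SEED) -> bytes:
    # key[i] = seed[i] XOR (len(seed) - i); position i assumed 0-based
    n = len(seed)
    return bytes(c ^ (n - i) for i, c in enumerate(seed))

def decrypt_config(enc: bytes, key: bytes) -> bytes:
    # Byte 0 is XORed with key[0]; every later byte with key[3] (index assumed 0-based)
    if not enc:
        return b""
    out = bytearray([enc[0] ^ key[0]])
    out.extend(b ^ key[3] for b in enc[1:])
    return bytes(out)

encrypt_config = decrypt_config   # XOR with a fixed key is its own inverse

def parse_config(plain: bytes) -> dict:
    # Fields are "id=value" pairs separated by '|'; trailing nulls are padding
    cfg = {}
    for field in plain.rstrip(b"\0").decode("latin-1").split("|"):
        if "=" in field:
            k, v = field.split("=", 1)
            cfg[k] = v
    return cfg

def extract_config(image: bytes, offset: int, size: int = CFG_SIZE) -> dict:
    enc = image[offset:offset + size]
    if len(enc) != size:
        raise ValueError("configuration blob truncated")
    return parse_config(decrypt_config(enc, derive_key()))

# Constructed plaintext in the same id=value| layout as the real output
SAMPLE_CONFIG = b"0=c2.example[.]invalid|11=DarkGate|25=admin888|27=OJytGrNE|"

def build_sample_image(offset: int = 0x100) -> bytes:
    # Fake binary: filler, the encrypted blob at `offset`, more filler
    padded = SAMPLE_CONFIG.ljust(CFG_SIZE, b"\0")
    return b"\x90" * offset + encrypt_config(padded, derive_key()) + b"\x90" * 16

if __name__ == "__main__":
    for k, v in extract_config(build_sample_image(), 0x100).items():
        print(f"{k}={v}")
```

If the index convention in the sample turns out to be 1-based, only derive_key (12 - i becomes 11 - i) and the key index in decrypt_config change; the parser is unaffected.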
Additional Analysis
DarkGate enumerates a wide range of antivirus products on the host to fingerprint the security software it is running alongside (Figure 27). The products checked include Bitdefender, AVAST, AVG, Kaspersky, ESET, Avira, Norton, Symantec, Trend Micro, McAfee, SUPER AntiSpyware, Comodo, MalwareBytes, ByteFence, Search & Destroy, 360 Total Security, Total AV, IObit Malware Fighter, Panda Security, Emsisoft, Quick Heal, F-Secure, Sophos, Windows Defender, G Data, and Nod32. The function that performs the check is shown in the figure.
DarkGate injects shellcode into a microsoftedgeupdatecore.exe process using the injection routine shown in Figure 28.
In that routine, a 0x598-byte region beginning at section_injected is copied into a suspended microsoftedgeupdatecore.exe process at its entry point, after which the main thread is resumed to start execution.
The code injected into the target process (section_injected) is shown in Figure 29.
The injected shellcode walks the PEB to resolve the Windows APIs it needs so that it can run inside microsoftedgeupdatecore.exe. The API names are assembled as stack strings and used during resolution (Figure 30).
Figure 31 shows the transfer of the section on the right (section_injected) to the entry point of the microsoftedgeupdatecore.exe process via WriteProcessMemory, followed by ResumeThread to run the previously suspended process with the injected code.
The call stack in Figure 32 shows the WriteProcessMemory arguments at that point:
- 0x390: hProcess, the handle to the microsoftedgeupdatecore.exe process
- 0x67CF40: lpBaseAddress, the target process's entry point where the shellcode is written
- 0x2333070: lpBuffer, the source buffer in the current process
- 0x598: nSize, the number of shellcode bytes to copy
- 0x300FF04: lpNumberOfBytesWritten, the location that receives the count of bytes actually written after the call
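The same sequence from the detection side, as an added Python example that is not part of the original report: it replays a constructed, sandbox-style API trace (the line format is invented for the example, not real tooling output) and flags any process that was created with CREATE_SUSPENDED (0x4), had memory written into it, and was then resumed. The handle, address and size values mirror the call stack above; the second process in the trace is a benign control that must not alert.

```python
import re

CREATE_SUSPENDED = 0x4   # dwCreationFlags bit

# Constructed sandbox-style API trace (format invented for this example, not real tooling output)
SAMPLE_TRACE = r"""
CreateProcessW(lpApplicationName="C:\Program Files (x86)\Microsoft\EdgeUpdate\microsoftedgeupdatecore.exe", dwCreationFlags=0x4) -> hProcess=0x390, hThread=0x394
WriteProcessMemory(hProcess=0x390, lpBaseAddress=0x67CF40, lpBuffer=0x2333070, nSize=0x598, lpNumberOfBytesWritten=0x300FF04) -> 1
ResumeThread(hThread=0x394) -> 1
CreateProcessW(lpApplicationName="C:\Windows\System32\notepad.exe", dwCreationFlags=0x0) -> hProcess=0x3A0, hThread=0x3A4
ResumeThread(hThread=0x3A4) -> 1
"""

CALL = re.compile(r"^(\w+)\((.*)\)\s*->\s*(.*)$")
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|0x[0-9A-Fa-f]+|\d+)')

def parse_kv(text: str) -> dict:
    # "key=value" pairs; quoted strings stay strings, numbers become ints
    out = {}
    for key, val in KV.findall(text):
        if val.startswith('"'):
            out[key] = val[1:-1]
        else:
            out[key] = int(val, 16) if val.lower().startswith("0x") else int(val)
    return out

def parse_call(line: str):
    # Returns (api name, argument dict, return-value dict) or None for non-call lines
    m = CALL.match(line.strip())
    if not m:
        return None
    return m.group(1), parse_kv(m.group(2)), parse_kv(m.group(3))

def find_hollowing(trace: str) -> list:
    # State per process handle: was it created suspended, and what was written into it
    procs, thread_owner, alerts = {}, {}, []
    for line in trace.strip().splitlines():
        parsed = parse_call(line)
        if parsed is None:
            continue
        api, args, ret = parsed
        if api in ("CreateProcessA", "CreateProcessW"):
            hp, ht = ret.get("hProcess"), ret.get("hThread")
            procs[hp] = {"image": args.get("lpApplicationName"),
                         "suspended": bool(args.get("dwCreationFlags", 0) & CREATE_SUSPENDED),
                         "writes": []}
            thread_owner[ht] = hp
        elif api == "WriteProcessMemory":
            state = procs.get(args.get("hProcess"))
            if state is not None:
                state["writes"].append((args.get("lpBaseAddress"), args.get("nSize")))
        elif api == "ResumeThread":
            hp = thread_owner.get(args.get("hThread"))
            state = procs.get(hp)
            # Suspended creation + foreign write + resume is the hollowing signature
            if state and state["suspended"] and state["writes"]:
                alerts.append({"image": state["image"], "hProcess": hp, "writes": list(state["writes"])})
    return alerts

if __name__ == "__main__":
    for alert in find_hollowing(SAMPLE_TRACE):
        print(alert)
```

The rule deliberately requires all three steps before alerting: suspended creation alone is common for legitimate debuggers and installers, and a write into a child process alone occurs in normal process setup, but a write followed by resuming the suspended primary thread is the pattern Figures 31 and 32 show.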
DarkGate has further capabilities, such as starting threads and adjusting token privileges. It attempts to enable SeShutdownPrivilege; if that fails, it calls NtRaiseHardError to trigger a Blue Screen of Death (BSOD) as a fallback (Figure 33).
DarkGate can synthesize mouse-click events, simulating user interaction with the system through programmatically generated clicks (Figure 34).
DarkGate can also delete itself and any files or artifacts it dropped in temporary directories or elsewhere during execution, covering its tracks and leaving minimal trace of its activity on the system (Figure 35).
Newer DarkGate versions exist that eSentire has not directly observed, although as of June 2024 the version described in this report was still being seen. The newer version replaces the AutoIt execution script with AutoHotkey and varies the delivery methods; these changes are documented in reports from McAfee and Trellix.
How eSentire is Responding
- eSentire MDR for Endpoint has detections in place to identify DarkGate related activity.
- eSentire MDR for Network detects Command-and-Control (C2) connections associated with DarkGate.
- We also performed retroactive threat hunts across our customers’ environments for known DarkGate indicators.
Recommendations from eSentire’s Threat Response Unit (TRU)
MITRE ATT&CK
MITRE ATT&CK Tactic | ID | MITRE ATT&CK Technique | Description
Reconnaissance | T1592.002 | Gather Victim Host Information: Software | DarkGate identifies a large variety of anti-virus programs on the host
Initial Access | T1566.001 | Phishing: Spearphishing Attachment | DarkGate is delivered in emails through PDF documents
Execution | T1204.002 | User Execution: Malicious File | The user executed the initial file, leading to the DarkGate infection
Defense Evasion | T1055 | Process Injection | DarkGate performs process injection from an AutoIt script using the EnumWindows API (callback code execution). It also performs process hollowing against MicrosoftEdgeUpdateCore.exe, writing shellcode to the entry point in the .text section of the suspended process before resuming execution
Defense Evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | DarkGate has an XOR-encrypted section within the AutoIt file which is used to retrieve the final payload
Appendix
Indicators of Compromise
Name | IOC
Download Link | hxxps[://]monitor[.]clickcease[.]com//tracker/tracker?id=qf2024tFAUFIqOrNt72&adpos=&nw=a&url=//otiunmonisky2m[.]com/?utm_content=DyhfwDxSjV&session_id=CB26j6C51PI3UtIeH6Iy&id=HRqDe&filter=rPWHSFqbMG-qBptf&lang=es&locale=US
Download Link | hxxps[://]otiunmonisky2m[.]com/?utm_content=DyhfwDxSjV&session_id=CB26j6C51PI3UtIeH6Iy&id=HRqDe&filter=rPWHSFqbMG-qBptf&lang=es&locale=US
KA-6180574967.pdf | da5304f9ee30f6f677236558adf2025f
Invoice2024021512.pdf.url | ba2f71cbf293606259b0878e1774e36d
reader_update.zip URL | 193[.]178[.]210[.]226/documents/reader_update[.]zip
reader_update.exe URL | 193[.]178[.]210[.]226/documents/reader_update[.]zip/reader_update[.]exe
reader_update.zip | 0bb063d129162e8c93830fdbcf2ba416
reader_update.exe | a74ae422391a22b5469135ae7f0cbf7d
AutoIt3.exe URL | hxxp[://]64[.]52[.]80[.]82/Autoit3[.]exe
script.a3x URL | hxxp[://]64[.]52[.]80[.]82/script[.]a3x
test.txt URL | hxxp[://]64[.]52[.]80[.]82/test[.]txt
AutoIt3.exe | c56b5f0201a3b3de53e561fe76912bfd
script.a3x | 3a292ef66958f3a6e2684bea0d158aa3
test.txt | c845f145f64264171c729ccaa2b86301
mal.bin (Initial Shellcode Loaded in Memory) | 5e1c16a9508e87147b85e368b2463e8f
mal.bin_extracted (PE File Carved from Shellcode) | 28a242ae3e8c8a6d1b0ee0c59c1c9aa3
mal_encrypted.bin (XOR Encrypted Portion in A3X File) | d6adba203537023a2ae4f582d0b5e1b9
mal_dropped.bin (XOR Decrypted version of mal_encrypted.bin with fixed MZ header) | a825b1fec71bd128c16c05fbb763bc04
DarkGate C2 | persikmonkiey7drone[.]com