Emulating the Ever-Evolving Loader DarkGate

AttackIQ has released three new attack graphs that seek to emulate the Tactics, Techniques and Procedures (TTPs) associated with and exhibited by the infamous loader known as DarkGate during its activities in 2023. Read More

DarkGate is a commodity loader written in Borland Delphi that was first identified in 2018 and has been advertised under the Malware-as-a-Service (MaaS) business model on popular cybercrime forums since June 2023.

It has a wide range of capabilities, such as the ability to download and execute files in memory, environment reconnaissance and information gathering, privilege escalation, remote access software deployment, and a Hidden Virtual Network Computing (HVNC) module.

The typical infection chain usually involves the use of a Windows installation file (MSI) or a Visual Basic script (VBS) which, upon successful execution, deploys an AutoIT Script that hosts the loader responsible for deploying DarkGate.

Since 2023, the malware was observed being distributed via Microsoft Teams chat messages sent from two compromised external Office 365 accounts. Days later, an additional access vector was observed, which employed Search Engine Optimization (SEO) Poisoning, a method aimed at deceiving users into visiting malicious websites by exploiting search engine ranking systems.

AttackIQ has released three new attack graphs that seek to emulate the capabilities exhibited by this malware during its 2023 activities with the aim of helping customers validate their security controls and their ability to defend against this sophisticated threat.

Validating your security program performance against these behaviors is vital to reducing risk. By using these new attack graphs in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate the performance of security controls against a widely distributed and highly sophisticated threat.
  • Assess your security posture against the Tactics, Techniques, and Procedures (TTPs) associated to DarkGate.
  • Continuously validate detection and prevention channels against an ever-evolving threat that does not discriminate in its objectives. 

DarkGate – 2023-09 – Teams and Skype Phishing Ends in Reconnaissance Campaign

DarkGate Attack Graph - Teams and Skype (Full)(Click for Larger)

Since July 2023, Telekom, TrueSec and TrendMicro reported  multiple DarkGate-related activities that abused instant messaging platforms such as Microsoft Teams and Skype.

In addition, an additional method was observed, which involved Search Engine Optimization (SEO) Poisoning, a technique designed to deceive users into visiting malicious websites by manipulating the ranking systems of search engines.

These activities involved the utilization of either a Windows Installer file (MSI) or a Visual Basic Script (VBS) which, upon successful execution, deploys an AutoIT Script that hosts the loader responsible for deploying the final payload.

DarkGate Attack Graph - Teams and Skype (Stage 1)(Click for Larger)

This first stage begins with the download and saving of a ZIP file which contains a malicious shortcut file (LNK). The LNK file, which poses as a PDF document, contains a command that will download a Visual Basic Script (VBS) when opened. Finally, this VBS will then be executed using CScript.

Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious files.

Command and Scripting Interpreter: Windows Command Shell (T1059.003): This scenario will validate if it is possible to execute a JavaScript file via cscript.exe.

DarkGate Attack Graph - Teams and Skype (Stage 2)(Click for Larger)

At this stage, the download and saving of the pre-compiled AutoIT script used by DarkGate will be performed. This will then be followed by adding the utilized directory to the Windows Defender exclusions list to avoid detection. Lastly, the AU3 script will be executed using the process hollowing technique.

Impair Defenses: Disable or Modify Tools (T1562.001): This scenario will execute the Add-MpPreference PowerShell cmdlet to add the %TEMP%\aiq-temp-exclusion\ directory path to the exclusion list in Microsoft Defender.

Process Injection: Process Hollowing (T1055.012): This scenario creates a process in a suspended state and unmaps its memory, which is then replaced with the contents of a malicious executable. In this way, code execution is masked under a legitimate process.

DarkGate Attack Graph - Teams and Skype (Stage 3)(Click for Larger)

In this stage, the adversary will seek to ensure persistence by creating a new registry run key. Subsequently, it will make modifications to the remote desktop configuration, specifically the anti-alias and security settings, via the registry.

Logon Autostart Execution: Registry Run Keys (T1547.001): This scenario sets the HKLM\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce registry keys that Windows uses to identify what applications should be run at system startup.

Modify Registry (T1112): The HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\DisableRemoteDesktopAntiAlias registry value is modified to disable the remote desktop anti-alias setting.

Modify Registry (T1112): The HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\DisableSecuritySettings registry value is modified to disable remote desktop security settings.

DarkGate Attack Graph - Teams and Skype (Stage 4)(Click for Larger)

This stage focuses on the discovery of information related to the local environment of the compromised system. During these activities, the adversary acquires information about the system, its hardware, its location, available files and directories, security software, running processes and network configuration.

Finally, the collected information will be exfiltrated to the adversary’s infrastructure.

Query Registry (T1012): The HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ registry key is queried to collect information related to the system’s processor.

System Information Discovery (T1082): The native systeminfo command is executed to discover the basic details about the compromised system.

Query Registry (T1012): The HKCU\Software\Microsoft\Windows\CurrentVersion registry key contains information about Windows properties for the user accessing that registry key.

System Information Discovery (T1082): This scenario executes the GetComputerNameA Windows API to retrieve a NetBIOS name associated to the compromised system.

System Location Discovery (T1614): This scenario executes the GetUserDefaultLocaleName and GetuserDefaultLCID Windows APIs to retrieve the location of the compromised system.

Peripheral Device Discovery (T1120): This scenario executes the GetDriveTypeA Windows API to discover the drive type of the compromised system.

File and Directory Discovery (T1083): This scenario uses the native dir command to find files of interest and output to a temporary file.

Security Software Discovery (T1518.001): A native Microsoft Windows Windows Management Instrumentation Command (WMIC) is executed to determine which software has been installed as an AntiVirusProduct class.

System Network Configuration Discovery (T1016): Native Window’s commands such as route, ipconfig, and net use are executed to collect details about the infected host and network shares.

Process Discovery (T1057): This scenario executes the Window’s built-in tasklist command to discover running processes on the compromised system.

Browser Bookmark Discovery (T1217): This scenario executes a PowerShell script that will iterate through each user profile on the system and attempt to flush the data from the WebCache log files back to the WebCacheV01 database using the esentutl utility. Once the data has been flushed, a copy of the database will be made to a temporary directory.

Exfiltration Over C2 Channel (T1041): Files are sent to an AttackIQ controlled server using HTTP POST requests.

DarkGate Attack Graph - Teams and Skype (Stage 5)(Click for Larger)

In the last stage of the attack, DarkGate will seek to move laterally to additional systems available on the network via Remote Desktop Protocol (RDP).

Then, it will attempt to create an account on each of the systems to ensure persistence. As a last step, it will delete Volume Shadow Copies via vssadmin.exe.

Remote Services: Remote Desktop Protocol (T1021.001): This scenario attempts to use Remote Desktop to move laterally to additional hosts available on the compromised network.

Create Account: Local Account (T1136.001): This scenario will create a new local account using net user to ensure persistence on the newly compromised systems.

Inhibit System Recovery (T1490): This scenario executes the vssadmin.exe utility to delete a recently created Volume Shadow Copy.

DarkGate – 2023-11 – Drive-by Download Culminates in DanaBot Deployment

DarkGate Attack Graph - Drive-by Download (Full)(Click for Larger)

Since August 2023, eSentire researchers observed cases of infection against the financial and manufacturing sectors involving the DarkGate malware. These activities, which were facilitated through Drive-by Downloads, began with the delivery of a loader, disguised as fake installers and document reports, that led to the execution of an AutoIt script.

DarkGate Attack Graph - Drive-by Download (Stage 1)(Click for Larger)

This first stage begins with the download and saving of a ZIP file which contains a malicious Visual Basic Script (VBS) which is used to retrieve a Microsoft Installer (MSI) from one of the attacker-controlled servers. The MSI file will be then executed using the msiexec.exe utility.

System Binary Proxy Execution: Msiexec (T1218.007): This scenario executes a Windows Installer Package (MSI) using the msiexec.exe utility.

DarkGate Attack Graph - Drive-by Download (Stage 2)(Click for Larger)

At this stage, the download and saving of the pre-compiled AutoIT script used by DarkGate will be performed. This will then be followed by adding the utilized directory to the Windows Defender exclusions list to avoid detection. Finally, the attacker acquires persistence in the system through the startup folder.

Logon Autostart Execution: Startup Folder (T1547.001): The Startup folder is a directory associated with the Windows Start Menu that can be used to launch a process at Windows logon. This scenario creates a LNK file in this directory that would execute at the next Logon for all users.

DarkGate Attack Graph - Drive-by Download (Stage 3)(Click for Larger)

This stage focuses on the discovery of information related to the local environment of the compromised system. During these activities, the adversary acquires information about the system, its hardware, its location, available files and directories, security software, running processes and network configuration.

Finally, the collected information will be exfiltrated to the adversary’s infrastructure.

DarkGate Attack Graph - Drive-by Download (Stage 4)(Click for Larger)

The last stage begins by dropping DanaBot, a Malware-as-a-Service (MaaS) focused on credential theft and banking fraud, which is executed through the Process Hollowing technique. In case of failure, DarkGate will resort to Process Injection to ensure execution.

Finally, DanaBot uses the Parent PID Spoofing technique whereby the adversary launches a new process as if it were spawned by a legitimate process.

Process Injection (T1055): This scenario injects a DLL file into another running process and validates if a canary file can be created.

Access Token Manipulation: Parent PID Spoofing (T1134.004): This scenario calls the CreateProcess Windows API which allows it to specify which parent process should be responsible for this new process. Actors leverage this technique to make their malware appear to be executed as a normal process under legitimate Microsoft processes.

DarkGate – 2023-11 – Fake Invoice Email Leads to Full Intrusion Chain

DarkGate Attack Graph - Fake Invoice (Full)(Click for Larger)

During November 2023, an infection chain associated with the malware known as DarkGate was observed by   which started with a fake invoice email delivering a PDF document that contained a DocuSign template used to lure the victim into opening a document for review.

Once the user clicks on the fake document, a CAB file is downloaded. The CAB file contains an Internet shortcut that, once executed, downloads an MSI file to the infected machine. The MSI file contains a whole chain of loading mechanisms that, upon execution, deploy an AutoIT Script that hosts the Delphi-based loader responsible for deploying the final payload.

DarkGate Attack Graph - Fake Invoice (Stage 1)(Click for Larger)

The first stage starts immediately after the downloading of a PDF file that, once executed, downloads a Cabinet File (CAB). The CAB file contains an Internet shortcut that is used to download a Microsoft Installer (MSI) file to the compromised system, which is then executed using the Process Injection technique.

DarkGate Attack Graph - Fake Invoice (Stage 2)(Click for Larger)

This stage begins with the saving of a DLL called dbgeng.dll, which is dropped by the previously downloaded CAB file. This DLL, which is executed using the DLL Side-Loading technique, carries out the task of decoding a piece of information which turns out to be an AutoIT script.

This will then be followed by adding the utilized directory to the Windows Defender exclusions list to avoid detection and culminates with the saving of a Delphi-based loader on the system, which will be responsible for deploying the DarkGate malware.

Hijack Execution Flow: DLL Side-Loading (T1574.002): This scenario bundles a DLL with a Windows executable that is susceptible to DLL Side-Loading to execute malicious code.

DarkGate Attack Graph - Fake Invoice (Stage 3)(Click for Larger)

In the third stage of the attack, the adversary will seek to ensure persistence by creating a new registry run key. Subsequently, it will make modifications to the remote desktop configuration, specifically the anti-alias and security settings, via the registry.

DarkGate Attack Graph - Fake Invoice (Stage 4)(Click for Larger)

This stage focuses on the discovery of information related to the local environment of the compromised system. During these activities, the adversary acquires information about the system, its hardware, its location, available files and directories, security software, running processes and network configuration.

Finally, the collected information will be exfiltrated to the adversary’s infrastructure.

DarkGate Attack Graph - Fake Invoice (Stage 5)(Click for Larger)

In the last stage of the attack, DarkGate will seek to move laterally to additional systems available on the network via Remote Desktop Protocol (RDP).

Then, it will attempt to create an account on each of the systems to ensure persistence. As a last step, it will delete Volume Shadow Copies via vssadmin.exe.

Detection and Mitigation Opportunities

With so many different techniques used by DarkGate’s operators, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1546.001):

Preventing an actor from maintaining a foothold in your environment should always be one of the top priorities. During these activities, the adversary used registry keys to achieve persistence.

1a. Detection

Using a Security Information and Event Management (SIEM) or Endpoint Detection and Response (EDR) Platform to see modifications to the Run and RunOnce keys will alert when unauthorized users or software makes modifications to the keys that allow programs to run after startup.

Process Name = reg.exe
Command Line CONTAINS (“ADD” AND “\CurrentVersion\Run”)

1b. Mitigation

MITRE ATT&CK does not have any direction mitigations as this is abusing legitimate Windows functionality. They recommend monitoring registry changes and process execution that may attempt to add these keys.

2. Process Injection (T1055):

Malware will commonly inject malicious code into legitimate running processes to attempt to blend in with legitimate applications to remain hidden and appear normal to the compromised system.

2a. Detection

Searching for common processes that are performing uncommon actions can help identify when a process has been compromised.

2b. Mitigation

MITRE ATT&CK recommends the following mitigation recommendations:

3. Hijack Execution Flow: DLL Side-Loading (T1574.002):

Malware will commonly use side-loading to load malicious code into legitimate running processes to attempt to blend in with legitimate applications to remain hidden and appear normal to the compromised system.

3a. Detection

Searching for common processes that are performing uncommon actions can help identify when a process has been compromised. Searching for newly constructed processes or monitoring for DLL/PE file events, specifically for the creation and loading of DLLs into running processes can help identify when a system process has been compromised.

3b. Mitigation

MITRE ATT&CK recommends the following mitigation recommendations:

4. Inhibit System Recovery (T1490):

Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.

4a. Detection

Detecting deletion of Volume Shadow Copies is usually the first step that occurs and can be detected by looking at the command line activity

Process Name == (cmd.exe OR powershell.exe)
Command Line CONTAINS (“vssadmin” AND “Delete Shadows”)

4b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery

Wrap-up

In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against a highly sophisticated and constantly evolving threat. With data generated from continuous testing and use of these attack graphs, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ stands at the ready to help security teams implement this assessment template and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.