DarkGate, the Swiss Army knife of malware, sees boom after rival Qbot crushed

July 16, 2024 TH Author

The DarkGate malware family has become more prevalent in recent months, after one of its main competitors was taken down by the FBI.

The malware was discovered by endpoint security outfit enSilo’s security maven Adi Zeligson in 2018 – but it has evolved over the years. The most recent version, spotted by Spamhaus in late January, added new capabilities.

The software nasty, whose developer goes by the moniker RastaFarEye, can be used for everything from keylogging to data and credential theft, and even remote access – which can then be used to deploy ransomware. DarkGate infections give miscreants complete control over computers.

Infection vectors are also plentiful. Infections have been detected as a result of social engineering and phishing emails, plus DLL sideloading, poisoned content in publicly accessible file-sharing services, and compromised websites

The malware has therefore become popular among cyber crime crews – and more so in recent months. “DarkGate is one that has been big since September of last year,” Daniel Blackford, director of threat research at Proofpoint, told The Register.

Blackford’s threat-hunting team recently detected a gang it tracks as TA571 using DarkGate to gain access to more than 1,000 organizations.

14k+ campaigns using DarkGate

Proofpoint has documented 14,000 campaigns in which TA571 used DarkGate to gain access, then steal credentials and valuable data, deploy ransomware, and then sell this access to victims’ networks. The attacks also contained more than 1,300 different malware variants, we’re told.

DarkGate’s flexibility and multiple infection vectors make attribution more difficult for network defenders.

“If you have nine different activity sets using DarkGate – which is something that we’ve seen at one time – how do you know? Do you have the telemetry available to you to, with high confidence, differentiate these activity sets? It’s really hard without some good collection,” Blackford explained.

Palo Alto Networks’ Unit 42 security team has also observed a surge in DarkGate usage since September 2023.

QBot takedown gives rise to DarkGate

The timing of this increase, according to both security firms, isn’t a coincidence. It lines up with the FBI-led law enforcement effort to disrupt QBot (aka Qakbot) and that notorious botnet and malware loader’s infrastructure in August 2023.

“In the aftermath of the QBot takedown, we saw the main actor who was distributing QBot pivot to DarkGate, and then a number of other actors followed suit,” Blackford observed. “You have this follow-the-leader pattern.”

Since last August, Unit 42 also reported seeing several campaigns distributing DarkGate, which the threat intel unit says also advertises hidden virtual network computing, cryptomining, and reverse shell remote control among its malicious capabilities.

In a July 10 report, Palo Alto detailed one campaign that began in March and used Microsoft Excel files as the starting point. These files contained a URL that directed victims to a public-facing Samba/SMB file share with the goal being to trick victims into downloading DarkGate on their devices.

The attacks “mostly targeted North America in the beginning but slowly spread to Europe as well as parts of Asia,” according to Unit 42’s Vishwa Thothathri, Yijie Sui, Anmol Maurya, Uday Pratap Singh and Brad Duncan. “Our telemetry indicates some peaks of activity, with the standout on April 9, 2024, with almost 2,000 samples on that single day.”

Unit 42’s report also found evidence that “appears to have been data exfiltration in five HTTP POST requests sending nearly 218KB of data.”

Evasion expertise

DarkGate also uses several evasion techniques to avoid being detected. This includes encryption, code obfuscation, and several scans of the target environment, including checking the target’s CPU to determine whether it is running in a virtual or physical machine, thus “enabling DarkGate to cease operations to avoid being analyzed in a controlled environment,” the Unit 42 crew wrote.

They also list 26 anti-malware products that DarkGate checks to see are operating on the target machine – including Windows Defender and SentinelOne.

“With its multifaceted attack vectors and evolution into a full-fledged MaaS offering, DarkGate demonstrates a high level of complexity and persistence,” according to the security shop.

The Register suggests reading the analysis in full. It’s got great technical details and a long list of indicators of compromise that can be useful in threat hunting on your network.

It’s also worth pointing out that DarkGate and other malware campaigns continue to use phishing emails and send malicious files for one reason: because these techniques work.

So in addition to implementing a layered approach to security – including tools that block malicious messages before they reach users’ inboxes but then also detect threats post-delivery – preventing these types of attacks requires training employees about how to spot fake emails and log-in pages. ®