DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.[1] DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.[2]
| Domain | ID | Sub-technique | Name | Use |
|---|---|---|---|---|
| Enterprise | T1555 | | Credentials from Password Stores | DarkGate uses the NirSoft Network Password Recovery or NetPass tools to steal stored RDP credentials in some malware versions.[2] |
| Enterprise | T1036 | | Masquerading | DarkGate can masquerade as pirated media content for initial delivery to victims.[1] |
| Enterprise | T1036 | .003 | Masquerading: Rename System Utilities | DarkGate executes a Windows Batch script during installation that creates a randomly-named directory in the |
| Enterprise | T1036 | .007 | Masquerading: Double File Extension | DarkGate masquerades malicious LNK files as PDF objects using the double extension |
| Enterprise | T1136 | .001 | Create Account: Local Account | DarkGate creates a local user account, |
| Enterprise | T1115 | | Clipboard Data | DarkGate starts a thread on execution that captures clipboard data and logs it to a predefined log file.[1] |
| Enterprise | T1574 | | Hijack Execution Flow | DarkGate edits the Registry key |
| Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading | DarkGate includes one infection vector that leverages a malicious "KeyScramblerE.DLL" library that is loaded during the execution of the legitimate KeyScrambler application.[2] |
| Enterprise | T1574 | .007 | Hijack Execution Flow: Path Interception by PATH Environment Variable | DarkGate overrides the |
| Enterprise | T1140 | | Deobfuscate/Decode Files or Information | DarkGate installation includes binary code stored in a file located in a hidden directory, such as |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | DarkGate installation includes AutoIt script execution that creates a shortcut to itself as an LNK object, such as bill.lnk, in the victim's startup folder.[1] DarkGate installation finishes with the creation of a registry Run key.[1] |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | DarkGate uses a malicious Windows Batch script to run the Windows |
| Enterprise | T1059 | .005 | Command and Scripting Interpreter: Visual Basic | DarkGate initial infection mechanisms include masquerading as pirated media that launches malicious VBScript on the victim.[1] |
| Enterprise | T1059 | .010 | Command and Scripting Interpreter: AutoHotKey & AutoIT | DarkGate uses AutoIt scripts dropped to a hidden directory during initial installation phases, such as |
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools | DarkGate will terminate processes associated with several security software products if they are identified during execution.[1] |
| Enterprise | T1071 | .004 | Application Layer Protocol: DNS | DarkGate can cloak command and control traffic in DNS records from legitimate services to avoid reputation-based detection techniques.[1] |
| Enterprise | T1010 | | Application Window Discovery | DarkGate will search for cryptocurrency wallets by examining application window names for specific strings.[1] DarkGate extracts information collected via NirSoft tools from the hosting process's memory by first identifying the window through the |
| Enterprise | T1480 | | Execution Guardrails | DarkGate uses per-victim links for hosting malicious archives, such as ZIP files, in services such as SharePoint to prevent other entities from retrieving them.[2] |
| Enterprise | T1486 | | Data Encrypted for Impact | |
| Enterprise | T1001 | | Data Obfuscation | DarkGate retrieves encrypted commands from its command and control server for follow-on actions such as cryptocurrency mining.[1] |
| Enterprise | T1083 | | File and Directory Discovery | Some versions of DarkGate search for the hard-coded folder |
| Enterprise | T1552 | | Unsecured Credentials | DarkGate uses NirSoft tools to steal user credentials from the infected machine.[1] The NirSoft tools are executed via process hollowing in a newly-created instance of vbc.exe or regasm.exe. |
| Enterprise | T1106 | | Native API | DarkGate uses the native Windows API |
| Enterprise | T1027 | | Obfuscated Files or Information | DarkGate uses a hard-coded string as a seed, along with the victim machine's hardware identifier and input text, to generate a unique string used as an internal mutex value, evading static detection based on mutexes.[2] |
| Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File | DarkGate drops an encrypted PE file, pe.bin, and decrypts it during installation.[1] Later variants of DarkGate also use custom base64 encoding schemas to obfuscate payloads.[2] |
| Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control | DarkGate uses two distinct User Account Control (UAC) bypass techniques to escalate privileges.[1] |
| Enterprise | T1204 | .002 | User Execution: Malicious File | DarkGate initial infection payloads can masquerade as pirated media content requiring user interaction for code execution.[1] DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.[2] |
| Enterprise | T1614 | | System Location Discovery | DarkGate queries system locale information during execution.[1] Later versions of DarkGate query |
| Enterprise | T1082 | | System Information Discovery | DarkGate uses the Delphi methods |
| Enterprise | T1490 | | Inhibit System Recovery | DarkGate can delete system restore points through the command |
| Enterprise | T1124 | | System Time Discovery | DarkGate creates a log file for capturing keylogging, clipboard, and related data, using the victim host's current date for the filename.[1] DarkGate queries the victim system's epoch time during execution.[1] DarkGate captures system time information as part of automated profiling on initial installation.[2] |
| Enterprise | T1569 | .002 | System Services: Service Execution | DarkGate tries to elevate privileges to |
| Enterprise | T1119 | | Automated Collection | DarkGate searches for stored credentials associated with cryptocurrency wallets and notifies the command and control server when they are identified.[1] |
| Enterprise | T1583 | .001 | Acquire Infrastructure: Domains | DarkGate command and control includes domains hard-coded in the malware and chosen to masquerade as legitimate services such as Akamai CDN or Amazon Web Services.[2] |
| Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks | DarkGate queries system resources on an infected machine to determine whether it is executing in a sandbox or virtualized environment.[1] |
| Enterprise | T1134 | .004 | Access Token Manipulation: Parent PID Spoofing | DarkGate relies on parent PID spoofing as part of its "rootkit-like" functionality to evade detection via Task Manager or Process Explorer.[2] |
| Enterprise | T1622 | | Debugger Evasion | DarkGate checks the |
| Enterprise | T1657 | | Financial Theft | DarkGate can deploy payloads capable of capturing credentials related to cryptocurrency wallets.[1] |
| Enterprise | T1098 | .007 | Account Manipulation: Additional Local or Domain Groups | DarkGate elevates accounts created through the malware to the local administration group during execution.[1] |
| Enterprise | T1496 | .001 | Resource Hijacking: Compute Hijacking | DarkGate can deploy follow-on cryptocurrency mining payloads.[1] |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery | DarkGate looks for various security products by process name using values hard-coded in the malware. DarkGate will not execute its keylogging thread if a process name associated with Trend Micro anti-virus is identified, or if runtime checks identify the presence of Kaspersky anti-virus. DarkGate will initiate a new thread if certain security products are identified on the victim, and will recreate, in a new system location, any of its malicious files that it determines were removed by security software.[1] |
| Enterprise | T1105 | | Ingress Tool Transfer | DarkGate retrieves cryptocurrency mining payloads and commands in encrypted traffic from its command and control server.[1] DarkGate uses Windows Batch scripts executing the |
| Enterprise | T1056 | .001 | Input Capture: Keylogging | DarkGate will spawn a thread on execution to capture all keyboard events and write them to a predefined log file.[1] |
| Enterprise | T1057 | | Process Discovery | DarkGate performs various checks for running processes, including checks for security software based on hard-coded process name values.[1] |
| Enterprise | T1055 | .012 | Process Injection: Process Hollowing | DarkGate leverages process hollowing techniques to evade detection, such as decrypting the content of an encrypted PE file and injecting it into the process vbc.exe.[1] |
| Enterprise | T1041 | | Exfiltration Over C2 Channel | DarkGate uses existing command and control channels to retrieve captured cryptocurrency wallet credentials.[1] |
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment | DarkGate can be distributed through emails with malicious attachments sent from a spoofed email address.[1] |
| Enterprise | T1566 | .002 | Phishing: Spearphishing Link | DarkGate is distributed in phishing emails containing links to malicious VBS or MSI files.[2] DarkGate uses applications such as Microsoft Teams for distributing links to payloads.[2] |
| Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories | DarkGate initial installation involves dropping several files to a hidden directory named after the victim machine's name.[1] |
| Enterprise | T1665 | | Hide Infrastructure | DarkGate command and control includes domains hard-coded in the malware that masquerade as legitimate services such as Akamai CDN or Amazon Web Services.[2] |
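As an added detection-oriented example (not part of the ATT&CK page and not DarkGate's own code), the following Python triage filter matches constructed endpoint events against several of the behaviours tabulated above: vbc.exe/regasm.exe as process hollowing hosts, KeyScramblerE.DLL side-loading, .pdf.lnk double extensions, and startup-folder LNKs and Run keys. The event dictionary shape, the benign-parent list for the .NET tools and the Program Files path check are assumptions made for this illustration.

```python
# Added example, not the page's or DarkGate's code. Matches constructed events against
# page-listed behaviours. Assumed: event dict shape, benign parents, Program Files check.
import re

HOLLOW_HOSTS = {"vbc.exe", "regasm.exe"}
BENIGN_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}  # assumption
SIDELOAD_DLL = "keyscramblere.dll"
DOUBLE_EXT = re.compile(r"\.pdf\.lnk$", re.I)
STARTUP_LNK = re.compile(r"\\startup\\[^\\]+\.lnk$", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(\\|$)", re.I)
PROGRAM_FILES = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.I)

def _base(p): return p.replace("/", "\\").rsplit("\\", 1)[-1].lower()  # file name, lower-cased

def triage(event):
    """Return (technique_id, reason) pairs for one constructed event dict."""
    found, kind = [], event["type"]
    if kind == "process_create":
        img, parent = _base(event["image"]), _base(event["parent_image"])
        if img in HOLLOW_HOSTS and parent not in BENIGN_PARENTS:
            found.append(("T1055.012", f"{img} started by {parent}"))
    elif kind == "image_load":
        path = event["image_loaded"]
        if _base(path) == SIDELOAD_DLL and not PROGRAM_FILES.match(path):
            found.append(("T1574.002", f"KeyScramblerE.DLL loaded from {path}"))
    elif kind == "file_create":
        path = event["target"]
        if DOUBLE_EXT.search(path):
            found.append(("T1036.007", f"double extension {_base(path)}"))
        if STARTUP_LNK.search(path):
            found.append(("T1547.001", f"startup shortcut {_base(path)}"))
    elif kind == "registry_set" and RUN_KEY.search(event["key"]):
        found.append(("T1547.001", f"Run key written: {event['key']}"))
    return found

def triage_host(events):  # aggregate findings per technique ID for one host
    hits = {}
    for ev in events:
        for tid, reason in triage(ev):
            hits.setdefault(tid, []).append(reason)
    return hits

SAMPLE = [  # constructed events, not real telemetry
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework\vbc.exe", "parent_image": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe"},
    {"type": "image_load", "image_loaded": r"C:\Users\u\AppData\Local\Temp\KeyScramblerE.DLL"},
    {"type": "file_create", "target": r"C:\Users\u\Downloads\invoice.pdf.lnk"},
    {"type": "file_create", "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bill.lnk"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\bill"},
]
```

Running `triage_host(SAMPLE)` yields one finding each for T1055.012, T1574.002 and T1036.007 and two for T1547.001; a vbc.exe launched by MSBuild.exe or a KeyScramblerE.DLL loaded from under Program Files produces no finding.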
| ID | Name | Description |
|---|---|---|
| C0037 | Water Curupira Pikabot Distribution | Water Curupira Pikabot Distribution activity included distribution of DarkGate en route to ransomware execution.[3] |