
Cybercrooks use Excel to spread DarkGate via SMB shares


Threat actors used Microsoft Excel files to spread the DarkGate malware in North America, Europe and Asia through publicly accessible SMB file shares in a campaign from March to April 2024.

The DarkGate malware was first reported in 2018 and gained prominence after the disruption of Qakbot’s infrastructure in August 2023.

Researchers observed via telemetry data that the activity peaked on April 9, 2024, with nearly 2000 samples detected daily.

The malicious Excel files used in this campaign featured distinctive naming patterns designed to appear official or important. These include:

  • paper-<NUM>-<DD>-march-2024.xlsx
  • march-D<NUM>-2024.xlsx
  • ACH-<NUM>-<DD>March.xlsx
  • attach#<NUM>-<DATE>.xlsx
  • 01 CT John Doe.xlsx (replace John Doe with any English name)
  • april2024-<NUM>.xlsx
  • statapril2024-<NUM>.xlsx

The use of such filenames was a deliberate social engineering tactic aimed at enticing users to open the files, believing them to be legitimate documents.
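The naming patterns above translate directly into a mail-gateway or SIEM check. The following is an added example (not code from the article or from Palo Alto Networks) that turns the listed patterns into regexes and runs them over constructed attachment-log lines; it assumes `<NUM>` is a run of digits, `<DD>` a two-digit day, `<DATE>` digits and dashes, and the "John Doe" placeholder two capitalised words, none of which the article specifies.

```python
import re

# Campaign naming patterns from the report, expressed as regexes.
# Assumptions (not stated in the report): <NUM> = digits, <DD> = two digits,
# <DATE> = digits and dashes, "John Doe" = two capitalised words.
DARKGATE_LURE_PATTERNS = {
    "paper-<NUM>-<DD>-march-2024": r"paper-\d+-\d{2}-march-2024\.xlsx",
    "march-D<NUM>-2024": r"march-D\d+-2024\.xlsx",
    "ACH-<NUM>-<DD>March": r"ACH-\d+-\d{2}March\.xlsx",
    "attach#<NUM>-<DATE>": r"attach#\d+-[\d-]+\.xlsx",
    "01 CT <name>": r"01 CT [A-Z][a-z]+ [A-Z][a-z]+\.xlsx",
    "april2024-<NUM>": r"april2024-\d+\.xlsx",
    "statapril2024-<NUM>": r"statapril2024-\d+\.xlsx",
}
# Anchored and case-insensitive so "statapril2024-9.xlsx" is not mistaken for "april2024-<NUM>".
_COMPILED = [(label, re.compile(rf"^{rx}$", re.IGNORECASE))
             for label, rx in DARKGATE_LURE_PATTERNS.items()]


def match_lure_name(filename):
    """Return the label of the first campaign pattern the attachment name matches, else None."""
    for label, rx in _COMPILED:
        if rx.match(filename):
            return label
    return None


def scan_attachment_log(lines):
    """Pick out log lines whose attachment name matches a campaign pattern.

    Expects one 'sender<TAB>recipient<TAB>attachment' record per line (constructed format).
    Returns (recipient, attachment, matched_label) tuples.
    """
    hits = []
    for line in lines:
        sender, recipient, attachment = line.rstrip("\n").split("\t")
        label = match_lure_name(attachment)
        if label:
            hits.append((recipient, attachment, label))
    return hits


# Constructed sample log lines; addresses and names are made up.
SAMPLE_LOG = [
    "vendor@example.net\talice@example.com\tpaper-4821-19-march-2024.xlsx",
    "hr@example.com\tbob@example.com\tQ1-budget.xlsx",
    "acct@example.org\tcarol@example.com\tACH-77-14March.xlsx",
    "someone@example.net\tdave@example.com\t01 CT Jane Roe.xlsx",
    "noreply@example.com\terin@example.com\tstatapril2024-9.xlsx",
]
```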

The campaign primarily used spear-phishing emails to distribute malicious Excel files. These emails were crafted to appear legitimate, often mimicking business communication.

[Image] Template used by threat actors to distribute DarkGate via Excel. | Source: Palo Alto Networks

The attack chain begins when unsuspecting users open the malicious Excel files. Upon clicking the Open button, a URL embedded in the spreadsheet’s drawing.xml.rels file is triggered, pointing to a publicly accessible SMB share hosting a malicious script.

Once the user’s device connects to the SMB share, the malicious scripts are fetched and executed. The VBS files contained extensive junk code related to printer drivers but also included scripts that fetched and executed PowerShell commands.
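Because an .xlsx file is a zip of XML parts, the external link described above is visible without opening the workbook in Excel. The following is an added triage example (not code from the article or from Palo Alto Networks) that walks every `.rels` part in the package and reports external relationships whose target is a UNC or `file://` network path; the sample workbook and the 203.0.113.10 address are constructed, and a local `file:///C:/...` target is deliberately not flagged.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
RELS_XML = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '{rels}</Relationships>')
# UNC ("\\host\share\...") or "file://host/share/..." targets reach a remote share over SMB
# when the linked shape is clicked; "file:///C:/..." (a local path) has no host and is not matched.
SMB_TARGET = re.compile(r"^(file:)?(//|\\\\)[^/\\]+[/\\]", re.IGNORECASE)


def external_smb_targets(xlsx_bytes):
    """Return (rels part, Target) for every external relationship that points at an SMB share."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # relationships live only in *.rels parts of the OOXML package
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue  # internal parts (sheets, styles) cannot reach the network
                target = rel.get("Target", "")
                if SMB_TARGET.match(target):
                    hits.append((name, target))
    return hits


def build_xlsx(parts):
    """Pack XML parts into a minimal zip container (constructed test input, not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


# Constructed sample: a drawing relationship to a UNC path (203.0.113.10 is a documentation
# address), an ordinary https hyperlink, and an internal workbook relationship.
SAMPLE_XLSX = build_xlsx({
    "xl/drawings/_rels/drawing1.xml.rels": RELS_XML.format(rels=(
        f'<Relationship Id="rId1" Type="{HYPERLINK}" Target="file://203.0.113.10/share/x.vbs" TargetMode="External"/>')),
    "xl/worksheets/_rels/sheet1.xml.rels": RELS_XML.format(rels=(
        f'<Relationship Id="rId1" Type="{HYPERLINK}" Target="https://example.com/" TargetMode="External"/>')),
    "_rels/.rels": RELS_XML.format(rels='<Relationship Id="rId1" Type="t" Target="xl/workbook.xml"/>'),
})
```

The same walk also covers sheet and workbook `.rels` parts, so a share link placed outside the drawing would be reported as well.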

Similarly, researchers also discovered JavaScript files from the campaign performing identical functions, downloading and executing PowerShell scripts.

The PowerShell scripts typically downloaded three files essential for launching the DarkGate package, which is AutoHotKey-based. Researchers observed an interesting evasion technique in which the PowerShell scripts checked for the presence of Kaspersky anti-malware software and adapted their behaviour accordingly.

“We find an example of a PowerShell script that checks if Kaspersky anti-malware software is installed by detecting if the directory C:/ProgramData/Kaspersky Lab exists. If this directory exists, the PowerShell script downloads the legitimate AutoHotKey.exe, possibly as an evasion tactic to avoid triggering Kaspersky anti-malware,” note researchers.

One of the advanced anti-analysis techniques employed by threat actors involved checking the CPU of the targeted systems. This check helped determine whether the malware was running in a virtual environment or on a physical machine, and it ceased operations if it detected a virtual environment to avoid analysis.

DarkGate also scanned for various anti-malware programs, identifying installed software to avoid detection or disabling them. This included checks for popular anti-malware programs like Windows Defender, Bitdefender, Avast, AVG, Kaspersky, Eset-Nod32, Avira, Norton, Symantec, Trend Micro, McAfee, SUPERAntiSpyware, Comodo, Malwarebytes, ByteFence, Search & Destroy, 360 Total Security, Total AV, IObit Malware Fighter, Panda Security, Emsisoft, Quick Heal, F-Secure, Sophos, G DATA, and SentinelOne.

[Image] A sample of data that is being sent to the C2 servers for exfiltration. | Source: Palo Alto Networks

The malware scanned the host’s running processes to identify malware analysis tools and virtual machine indicators. Identifying these processes enabled DarkGate to take appropriate actions to avoid detection or hinder analysis.

Researchers observed that DarkGate’s configuration data, encrypted using XOR keys, included numerous fields influencing its behaviours. Further analysis revealed multiple XOR keys for samples with the same campaign identifiers, potentially as an anti-analysis measure.

The configuration data decryption routine received an encrypted buffer, buffer size, and a hard-coded XOR key as inputs. This process derived a new decryption key and decrypted the configuration buffer, revealing details like campaign identifiers and C2 server values.

DarkGate’s C2 traffic involved encrypted HTTP requests carrying Base64-encoded and further obfuscated data. Analysis of these requests indicated possible data exfiltration and revealed connections to follow-up malware such as Danabot.

“While we’ve seen indicators of data exfiltration from DarkGate C2 traffic, other sources have reported follow-up malware from DarkGate like Danabot. Furthermore, threat actors reportedly using the DarkGate MaaS have previously been associated with ransomware activity,” researchers report.

Researchers urge organisations and individuals to employ advanced endpoint security measures and to open email links or attachments only after verifying the sender.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
