Cybersecurity researchers have shed light on a short-lived DarkGate malware campaign that leveraged Samba file shares to initiate the infections.

Palo Alto Networks Unit 42 said the activity spanned the months of March and April 2024, with the infection chains using servers running public-facing Samba file shares hosting Visual Basic Script (VBS) and JavaScript files. Targets included North America, Europe, and parts of Asia.

"This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware," security researchers Vishwa Thothathri, Yijie Sui, Anmol Maurya, Uday Pratap Singh, and Brad Duncan said.

Cybersecurity

DarkGate, which first emerged in 2018, has evolved into a malware-as-a-service (MaaS) offering used by a tightly controlled number of customers. It comes with capabilities to remotely control compromised hosts, execute code, mine cryptocurrency, launch reverse shells, and drop additional payloads.

Attacks involving the malware have particularly witnessed a surge in recent months in the aftermath of the multinational law enforcement takedown of the QakBot infrastructure in August 2023.

The campaign documented by Unit 42 commences with Microsoft Excel (.xlsx) files that, when opened, urge targets to click on an embedded Open button, which, in turn, fetches and runs VBS code hosted on a Samba file share.

The PowerShell script is configured to retrieve and execute a PowerShell script, which is then used to download an AutoHotKey-based DarkGate package.

Alternate sequences using JavaScript files instead of VBS are no different in that they are also engineered to download and run the follow-up PowerShell script.

Cybersecurity

DarkGate works by scanning for various anti-malware programs and checking the CPU information to determine if it's running on a physical host or a virtual environment, thereby allowing it to hinder analysis. It also examines the host's running processes to determine the presence of reverse engineering tools, debuggers, or virtualization software.

"DarkGate C2 traffic uses unencrypted HTTP requests, but the data is obfuscated and appears as Base64-encoded text," the researchers said.

"As DarkGate continues to evolve and refine its methods of infiltration and resistance to analysis, it remains a potent reminder of the need for robust and proactive cybersecurity defenses."

The disclosure comes as Proofpoint revealed that a spam distributor tracked as TA571 used DarkGate as part of a global campaign that attempted to infiltrate over 1,000 organizations, and sell the access to other attackers for follow-on exploitation.

"The attack spanned across 14,000 campaigns and contained more than 1,300 different malware variants," the enterprise security firm said. "DarkGate acted as an initial access broker (IAB). The intent was to gain unauthorized access to an organization’s networks, systems and users’ credentials to exfiltrate data or deploy ransomware.


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.