
Name: Darkgate
Type of Malware: Cryptocurrency mining, crypto stealing, ransomware
Date of initial activity: 2017
Associated Groups: Golroted
Motivation: Ransomware attack, credential stealing, remote-access takeovers, and cryptomining
Attack Vectors: Torrent files
Targeted System: Windows devices, mainly in Europe
Overview
DarkGate is multifunction malware, active since December 2017, that combines ransomware, credential stealing, remote-access trojan (RAT) and cryptomining capabilities. Targeting mostly the Windows OS, DarkGate employs a variety of evasion techniques.
Targets
Mainly used to attack companies that specialize in finance, consumer goods, and energy. It is also used to attack the manufacturing industry.
Tools/Techniques Used
DarkGate malware is capable of avoiding detection by several AV products and of executing multiple payloads, including cryptocurrency mining, crypto stealing, ransomware, and remote takeover of the endpoint. One of the unique techniques used by DarkGate is its multi-stage unpacking method. The first file executed is an obfuscated VBScript file, which functions as a dropper and performs several actions.
According to enSilo's blog post, the torrent files responsible for distributing this malware are disguised as popular entertainment titles such as The Walking Dead and Campeones. In reality, these files execute infected VBScripts on the victim's computer. After infecting the machine, the malware first contacts the C&C server to initiate the mining process, and later performs several other attacks.
The critical elements of the DarkGate malware are that it:
Leverages C&C infrastructure cloaked in legitimate-looking DNS records from services such as Akamai CDN and AWS, which helps it avoid reputation-based detection techniques
Uses multiple methods for avoiding detection by traditional AV using vendor-specific checks and actions, including the use of the process hollowing technique
Can prevent several known recovery tools from removing its critical files
Uses two distinct User Account Control (UAC) bypass techniques to escalate privileges
Is capable of detonating multiple payloads with capabilities that include cryptocurrency mining, crypto stealing (theft of credentials associated with crypto wallets), ransomware, and remote control
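One defensive check that follows from the first bullet above, as an added example that is not part of the original post: flag DNS queries for hostnames that carry Akamai or AWS brand tokens but do not sit under those providers' real registrable domains. The allowlist, brand tokens, log format and log lines below are constructed assumptions, not values from the post.

```python
"""Flag DNS queries for names that mimic CDN/cloud provider hostnames.

Added example (not from the original post). Assumes a simple
'<timestamp> <client-ip> query <qname>' resolver log line format.
"""
import re
from typing import List, Optional, Tuple

# Registrable domains the real providers use (constructed allowlist,
# illustrative rather than exhaustive; a defender would maintain this).
LEGIT_SUFFIXES = {
    "akamai": ("akamai.net", "akamaitechnologies.com", "akamaiedge.net"),
    "aws": ("amazonaws.com", "amazon.com", "cloudfront.net"),
}

# Substrings that make a name look like provider infrastructure.
BRAND_TOKENS = {
    "akamai": ("akamai",),
    "aws": ("amazonaws", "awsamazon", "compute-1", "ec2-"),
}

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s*$")

# Constructed sample log: two genuine provider names, two lookalikes, one unrelated.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 query a104-77-1-1.deploy.static.akamaitechnologies.com
2024-01-01T10:00:01Z 10.0.0.5 query ec2-1-2-3-4.compute-1.amazonaws.com
2024-01-01T10:00:02Z 10.0.0.9 query a40-1-2-3.deploy.static.akamaitechnologies.example
2024-01-01T10:00:03Z 10.0.0.9 query ec2-1-2-3-4.compute-1.amazonaws.cdnlookalike.example
2024-01-01T10:00:04Z 10.0.0.7 query www.example.org
"""


def impersonated_brand(host: str) -> Optional[str]:
    """Return the brand a hostname mimics if it is NOT under that brand's real domains."""
    h = host.lower().rstrip(".")
    for brand, tokens in BRAND_TOKENS.items():
        if any(t in h for t in tokens):
            # Match on label boundary so 'notamazonaws.com' does not pass.
            if not any(h == s or h.endswith("." + s) for s in LEGIT_SUFFIXES[brand]):
                return brand
    return None


def find_suspicious(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, qname, brand) for every lookalike query in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        _ts, client, qname = m.groups()
        brand = impersonated_brand(qname)
        if brand:
            hits.append((client, qname, brand))
    return hits


if __name__ == "__main__":
    for client, qname, brand in find_suspicious(SAMPLE_DNS_LOG):
        print(f"{client} queried {qname} (mimics {brand})")
```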
Indicators of Compromise (IoCs)
The post Darkgate ( Ransomware ) – Malware first appeared on CyberMaterial.


