Cyber assaults involving the DarkGate malware-as-a-service (MaaS) operation have shifted away from AutoIt scripts to an AutoHotkey mechanism to ship the final phases, underscoring continued efforts on the a part of the risk actors to constantly keep forward of the detection curve.
The updates have been noticed in model 6 of DarkGate launched in March 2024 by its developer RastaFarEye, who has been promoting this system on a subscription foundation to as many as 30 clients. The malware has been energetic since a minimum of 2018.
A totally-featured distant entry trojan (RAT), DarkGate is provided with command-and-control (C2) and rootkit capabilities, and incorporates numerous modules for credential theft, keylogging, display capturing, and distant desktop.
“DarkGate campaigns tend to adapt really fast, modifying different components to try to stay off security solutions,” Trellix safety researcher Ernesto Fernández Provecho mentioned in a Monday evaluation. “This is the first time we find DarkGate using AutoHotKey, a not so common scripting interpreter, to launch DarkGate.”
It is price noting that DarkGate’s swap to AutoHotKey was first documented by McAfee Labs in late April 2024, with assault chains leveraging safety flaws resembling CVE-2023-36025 and CVE-2024-21412 to bypass Microsoft Defender SmartScreen protections utilizing a Microsoft Excel or an HTML attachment in phishing emails.
Alternate strategies have been discovered to leverage Excel information with embedded macros as a conduit to execute a Visible Primary Script file that is chargeable for invoking PowerShell instructions to finally launch an AutoHotKey script, which, in flip, retrieves and decodes the DarkGate payload from a textual content file.
The most recent model of DarkGate packs in substantial upgrades to its configuration, evasion methods, and the listing of supported instructions, which now contains audio recording, mouse management, and keyboard administration options.
“Version 6 not only includes new commands, but also lacks some of them from previous versions, like the privilege escalation, the cryptomining, or the hVNC (Hidden Virtual Network Computing) ones,” Fernández Provecho mentioned, including it could be an effort to chop out options that might allow detection.
“Moreover, since DarkGate is sold to a small group of people, it is also possible that the customers were not interested in those features, forcing RastaFarEye to remove them.”
The disclosure comes as cyber criminals have been discovered abusing Docusign by promoting legitimate-looking customizable phishing templates on underground boards, turning the service right into a fertile floor for phishers trying to steal credentials for phishing and enterprise electronic mail compromise (BEC) scams.
“These fraudulent emails, meticulously designed to mimic legitimate document signing requests, lure unsuspecting recipients into clicking malicious links or divulging sensitive information,” Irregular Safety mentioned.
