Cybersecurity researchers have shed light on a short-lived DarkGate malware campaign that used Samba file shares to initiate infections.
Palo Alto Networks Unit 42 said the activity spanned March and April 2024, with the infection chains using servers running public Samba file shares that hosted Visual Basic Script (VBS) and JavaScript files. Targets were located in North America, Europe and parts of Asia.
“This was a relatively short campaign that shows how threat actors can creatively abuse legitimate tools and services to spread their malware,” security researchers Vishwa Totatri, Yidi Sui, Anmol Maura, Uday Pratap Singh and Brad Duncan said.
DarkGate, which first appeared in 2018, has since developed into a malware-as-a-service (MaaS) offering used by a tightly controlled number of customers. It comes with the capabilities to remotely control compromised hosts, execute code, mine cryptocurrency, launch reverse shells, and drop additional payloads.
Attacks involving the malware have become particularly common in recent months, following the takedown of the QakBot infrastructure by a multinational law enforcement operation in August 2023.
The campaign, documented by Unit 42, begins with Microsoft Excel (.xlsx) files that, when opened, prompt targets to click an embedded “Open” button, which in turn retrieves and runs VBS code located on a Samba share.
The VBS script is configured to retrieve and execute a PowerShell script, which is then used to download the AutoHotKey-based DarkGate package.
Alternative chains that use JavaScript files instead of VBS are no different, in that they are also designed to download and run the follow-on PowerShell script.
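A defender-side check for the process chain described above (an Office process launching a script host that reads a .vbs or .js file from a UNC share, and the script host in turn launching PowerShell), written here as an added example that is not part of the Unit 42 report; the event records, IP address and share names are constructed.

```python
import re

# Constructed sample process-creation events (not from the report). Fields
# loosely follow Sysmon Event ID 1: parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\203.0.113.10\share\invoice.vbs"},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c <placeholder>"},
    {"parent": r"C:\Windows\explorer.exe",                # benign-looking case
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\script.vbs"},
]

OFFICE = re.compile(r"\\(excel|winword|powerpnt|outlook)\.exe$", re.I)
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
# A \\host\share\...\name.vbs or .js argument, i.e. a script on a remote share.
UNC_SCRIPT = re.compile(r"\\\\[^\s\\]+\\[^\s]+\.(vbs|js)\b", re.I)


def classify(event):
    """Return the names of the rules this event matches (empty if none)."""
    hits = []
    parent, image, cmd = event["parent"], event["image"], event["cmdline"]
    if OFFICE.search(parent) and SCRIPT_HOST.search(image):
        hits.append("office_spawns_script_host")
        if UNC_SCRIPT.search(cmd):
            hits.append("script_from_unc_share")
    if SCRIPT_HOST.search(parent) and POWERSHELL.search(image):
        hits.append("script_host_spawns_powershell")
    return hits


def scan(events):
    """Return (index, matched rules) for every event that trips at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(rules)}")
```

Each rule alone is noisy in many environments; the combination of an Office parent, a script argument on a UNC path and a PowerShell child is what makes this chain worth an alert.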
DarkGate works by scanning for various anti-malware programs and checking CPU information to determine whether it is running on a physical host or in a virtual environment, in an effort to evade analysis. It also checks the processes running on the host for the presence of reverse engineering tools, debuggers, or virtualization software.
“DarkGate C2 traffic uses unencrypted HTTP requests, but the data is obfuscated and appears as Base64-encoded text,” the researchers said.
“As DarkGate continues to evolve and refine its methods of penetration and resistance to analysis, it remains a powerful reminder of the need for robust and proactive cybersecurity protections.”