The NJCCIC observed a DarkGate malware campaign being deployed via malicious software installers embedded in phishing email attachments. Threat actors were also observed exploiting the Windows Defender SmartScreen vulnerability (CVE-2024-21412). DarkGate is a remote access trojan (RAT) within the Malware-as-a-Service (MaaS) model, allowing threat actors to purchase and deploy the variant. These emails included Microsoft Excel attachments (.XLSX) that contain an “Open” button image linked to a VBScript on an SMB share. If the image is clicked and warnings are accepted, a remote VBS is executed. The VBS then initiates the download of various files using PowerShell, including a hex- encoded AutoHotkey executable which is decoded to execute DarkGate. DarkGate’s command and control (C2) infrastructure includes irreceiver[.]com and 103[.]114[.]162[.]75.

DarkGate has been known to impact critical infrastructure and is capable of providing remote access, keylogging, sandbox evasion, and deploying subsequent malware in the victim’s environment memory. While not necessarily attributed to any one sophisticated threat actor group, the malware has used similar tactics, techniques, and procedures (TTPs) to the group 0ktapus, aka Scattered Spider, and has been deployed by TA571, TA577, and the ransomware groups BianLian and BlackBasta.

Recommendations

• Avoid clicking links and opening attachments in unsolicited emails.
• Confirm requests from senders via contact information obtained from verified and
  official sources.
• Type official website URLs into browsers manually.
• Facilitate user awareness training to include these types of phishing-based techniques.
• Consider blocking port 445/SMB at the external firewall. In theory, blocking this
  connection will halt the execution of DarkGate if it cannot download its own install
  scripts.
• If your organization does not use Autohotkey, do not allow this executable to run in the
  environment.
• Maintain robust and up-to-date endpoint detection tools on every endpoint.
• Consider leveraging behavior-based detection tools rather than signature-based tools.
• This activity can be reported to the FBI’s IC3 and NJCCIC.

For any further questions, contact us here at Cyber Command.