DarkGate Under the Hood
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
DarkGate is a Delphi-based loader sold as Malware-as-a-Service on criminal markets. It includes full RAT functionality, dynamic API resolution, and layered evasion tricks such as custom base64 character sets, Union-API–style syscall loading, and APC injection. The tool, attributed to the seller “RastaFarEye,” has been adopted by actors like TA577 and Ducktail. It communicates with C2 over HTTP with obfuscated payloads and can deploy remote desktop utilities, steal Discord tokens, and run an interactive reverse shell.
DarkGate Malware Analysis
The publication delivers an in-depth reverse-engineering walkthrough of the DarkGate executable, explaining its bespoke configuration scrambling, XOR-driven BotID generation, and encrypted logging. It catalogs the loader’s persistence techniques, privilege escalation paths, token-theft workflows, and abuse of legitimate binaries such as PsExec and Extexport for DLL side loading. The write-up further documents C2 communication patterns, default hVNC credentials, and the typical HTTP ports leveraged (2351 and 9999).
Mitigation
Blue teams should watch for creation of the referenced files and registry Run entries, immediately invalidate or block the default hVNC credentials, and detect PsExec and Extexport being used for unapproved DLL loading. Behavioral analytics should cover Union-API syscall usage, APC injection via NtTestAlert, and parent-PID spoofing. Network defenses can flag odd HTTP ports and attempt to decode DarkGate’s custom base64 alphabets to surface C2 traffic.
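One way a network defender can act on the last point, decoding traffic written with a non-standard base64 table by translating it onto the standard alphabet. This is an added example, not the page's or DarkGate's own code: the rotated alphabet and the sample C2 body are constructed placeholders, not DarkGate's real character set, which has to be recovered from a sample.

```python
import base64
import binascii
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"  # RFC 4648 table
# Constructed placeholder alphabet, NOT DarkGate's real table (that must be
# recovered from a sample): the standard table rotated by 13 positions.
SAMPLE_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]

def custom_b64_decode(data: str, alphabet: str, pad: str = "=") -> bytes:
    """Decode text written with a 64-character custom alphabet by translating
    it onto the standard table and reusing the stock decoder."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or pad in alphabet:
        raise ValueError("alphabet must be 64 distinct chars, pad not among them")
    table = str.maketrans(alphabet + pad, STD_ALPHABET + "=")
    text = data.strip().translate(table)
    text += "=" * (-len(text) % 4)                # tolerate stripped padding
    return base64.b64decode(text, validate=True)  # raises on foreign characters

def custom_b64_encode(raw: bytes, alphabet: str, pad: str = "=") -> str:
    """Inverse of the above; used here only to build the constructed sample."""
    table = str.maketrans(STD_ALPHABET + "=", alphabet + pad)
    return base64.b64encode(raw).decode("ascii").translate(table)

def looks_like_plaintext(blob: bytes) -> bool:
    """Triage heuristic: a mostly printable result suggests the right table."""
    if not blob:
        return False
    ok = sum(32 <= b < 127 or b in (9, 10, 13) for b in blob)
    return ok / len(blob) > 0.9

def try_alphabets(body: str, candidates: dict) -> dict:
    """Run every named (alphabet, pad) candidate over a captured HTTP body and
    return those that decode to printable text; a lead for the analyst, not proof."""
    hits = {}
    for name, (alphabet, pad) in candidates.items():
        try:
            out = custom_b64_decode(body, alphabet, pad)
        except (ValueError, binascii.Error):
            continue
        if looks_like_plaintext(out):
            hits[name] = out
    return hits

# Constructed sample "C2 body" encoded with the placeholder alphabet.
SAMPLE_BODY = custom_b64_encode(b"id=BOT-0001&cmd=ping", SAMPLE_ALPHABET)
CANDIDATES = {"standard": (STD_ALPHABET, "="), "rot13-table": (SAMPLE_ALPHABET, "=")}
```

A standard decoder accepts the same body without error but yields garbage, which is why a candidate-table sweep plus a printability check is more useful than a decode failure alone.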
Response
Once DarkGate activity is confirmed, isolate the affected endpoint, harvest the documented artefacts, kill malicious processes, and clean all persistence footholds. Rotate any exposed credentials and block known C2 domains and IP ranges. A thorough forensic review should identify any secondary payloads and verify that all DLLs introduced through Extexport or related loaders have been eradicated.
Attack Flow
Detections
Detection of APC Injection via NtQueueApcThread and NtTestAlert in DarkGate [Windows Sysmon]
DarkGate Malware Command Execution and Privilege Escalation Detection [Windows Process Creation]
IOCs (HashMd5) to detect: DarkGate Internals
IOCs (HashSha256) to detect: DarkGate Internals
Suspicious AutoHotKey and AutoIT Execution From Unusual Location (via process creation)
Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Attack Narrative & Commands:
The simulated adversary has already infiltrated the endpoint and seeks to establish persistent RDP access. First, they harvest credentials by storing them with cmdkey, then use psexec.exe to move laterally, and finally launch a PowerShell payload that drops a key-logger stub. Each step is designed to generate the exact process-creation events the detection rule monitors.
- Credential Harvesting (T1552.001) – Store a crafted credential entry that matches the rule's selection_cmdkey pattern.
- Lateral Movement (T1219) – Execute psexec.exe against a remote host, invoking a command that spawns a new PowerShell session.
- PowerShell Execution (T1059.001) – Run a PowerShell command that loads a malicious script (simulated here with a base64-encoded harmless command).
- Keylogger Deployment (T1056.001) – Compile and run a tiny C binary that calls GetAsyncKeyState, generating the API field match.
Regression Test Script:
# DarkGate Simulation Script – PowerShell
# --------------------------------------------------
# 1. Cmdkey credential entry (matches detection pattern)
$generic = '""'                 # empty generic target as used by DarkGate
$user    = 'SafeMode'           # user name the rule expects
$pass    = 'darkgatepassword0'  # password the rule expects
cmd.exe /c cmdkey /generic:$generic /user:$user /pass:$pass

# 2. PsExec lateral movement (binary must exist in PATH or specify full path)
$remoteHost = '10.0.0.5'
$psexecPath = "$env:SystemRoot\System32\psexec.exe"
if (Test-Path $psexecPath) {
    & $psexecPath \\$remoteHost -accepteula cmd /c "whoami"
} else {
    Write-Host "PsExec not found at $psexecPath – skipping this step."
}

# 3. PowerShell execution (base64-encoded harmless command)
# Single-quoted PowerShell strings take double quotes literally; no backslash escaping,
# which would break the decoded command.
$psCommand = 'Write-Output "PowerShell payload executed"'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($psCommand))
powershell.exe -EncodedCommand $encoded

# 4. Keylogger stub compilation & execution
$cSource = @"
#include <windows.h>
int main() {
    // Simple call to GetAsyncKeyState to satisfy the API match
    GetAsyncKeyState(VK_RETURN);
    return 0;
}
"@
$srcPath = "$env:TEMP\keylog_stub.c"
$exePath = "$env:TEMP\keylog_stub.exe"
$cSource | Set-Content -Path $srcPath -Encoding ASCII
# Compile with Visual C++ (cl.exe must be in PATH)
cl.exe /nologo /O2 /Fe:$exePath $srcPath
if (Test-Path $exePath) { & $exePath }
Cleanup Commands:
# Remove credential entry (same target string as in the simulation script,
# redefined here so the cleanup also works when run on its own)
$generic = '""'
cmd.exe /c cmdkey /delete:$generic

# Delete temporary files
Remove-Item -Force -ErrorAction SilentlyContinue "$env:TEMP\keylog_stub.c"
Remove-Item -Force -ErrorAction SilentlyContinue "$env:TEMP\keylog_stub.exe"

# Optional: terminate any stray psexec or powershell processes launched by the script
# (the current session is excluded, otherwise this line would stop itself)
Get-Process -Name psexec, powershell -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -ne $PID } |
    Stop-Process -Force