DarkGate Malware Detection: Adversaries Exploit Microsoft Excel Files to Spread a Harmful Software Package
Defenders have been observing a DarkGate malware campaign in which adversaries have taken advantage of Microsoft Excel files to spread malicious samples from publicly accessible SMB file shares. DarkGate represents a highly adaptable malicious strain, potentially stepping into the gap left by the dismantling of the notorious QakBot in late summer 2023.
Detect DarkGate Malware
Cyber attacks surged globally in 2024, with organizations experiencing an average of 1,308 attacks weekly in Q1. This marks a 28% rise from Q4 2023 and a 5% increase compared to the same period last year. With the ever-growing attack surface and continuous sophistication of infection methods, proactive detection of possible intrusions becomes a challenging task.
To stay on top of the trending threats and spot attacks in the earliest stages of development, security professionals might rely on SOC Prime’s complete product suite for AI-powered Detection Engineering, Automated Threat Hunting, and Detection Stack Validation.
Hit the Explore Detection button below and access the curated detection stack aimed at DarkGate malware detection. All the rules are compatible with 30+ SIEM, EDR, and Data Lake technologies and mapped to the MITRE ATT&CK® framework. Additionally, the detections are enriched with extensive metadata, including CTI references, attack timelines, triage recommendations, and other relevant details to streamline threat investigation.
DarkGate Malware Analysis
DarkGate is a malware family that emerged in the cyber threat arena in 2018. Originally, the malware operated with an advanced C2 infrastructure, further evolving into a malware-as-a-service (MaaS) offering.
DarkGate remained relatively quiet until 2021. Palo Alto Networks Unit 42 researchers observed a prominent increase in DarkGate activity beginning in early fall 2023, shortly after the multinational government disruption and takedown of the QakBot infrastructure. DarkGate campaigns shifted away from AutoIt to AutoHotkey scripts to spread malware. At the turn of 2024, DarkGate launched its sixth major version with more sophisticated capabilities.
Since August 2023, defenders have been observing a series of malicious campaigns distributing DarkGate malware via diverse methods, including tricking victims into downloading the DarkGate installer via Teams links, abusing weaponized email and PDF attachments with links to harmful ZIP archives, using DLL side-loading, exploiting HTML files, and leveraging harmful ads designed for spreading malware.
In the spring of 2024, the Unit 42 team observed a new offensive campaign weaponizing Microsoft Excel and leveraging servers with open Samba file shares to host the files used for spreading DarkGate malware. Initially targeting the U.S., the campaign gradually expanded to Europe and parts of Asia. The infection chain starts when the victim clicks a hyperlinked object styled as an Open button inside the Excel file; the link retrieves and executes content from a URL embedded in the file. This URL leads to a publicly accessible Samba/SMB share hosting a VBS file. As the campaign progressed, adversaries also began distributing JS files from the weaponized Samba shares.
Notably, the PowerShell scripts used throughout the infection flow attempt a detection evasion technique to enable adversaries to remain under the radar. The DarkGate malware also checks CPU data and scans for other anti-malware programs on the targeted system. It is capable of hindering detection mechanisms and disabling anti-malware software. As DarkGate advances its capabilities, its latest update includes a set of new checks to bypass anti-malware software, like Windows Defender and SentinelOne.
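As an added illustration (not a SOC Prime rule and not code from the original post), the following Python flags process-creation telemetry in which Excel launches a Windows script host whose command line points at a VBS or JS file on a UNC/SMB path, the chain described above. The Sysmon-style field names (EventID, ParentImage, Image, CommandLine), the sample events, and the share host names are constructed assumptions, not indicators from the campaign.

```python
import re

# Constructed Sysmon-style process creation events (Event ID 1); field names are assumed.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" \\203.0.113.10\share\invoice.vbs'},
    {"EventID": 1,                                       # benign: explorer runs a local logon script
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Users\alice\logon.vbs'},
    {"EventID": 1,                                       # later variant: JS file from the share
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'"C:\Windows\System32\cscript.exe" //E:JScript \\files.example.net\pub\report.js'},
    {"EventID": 1,                                       # benign: Excel opens a non-script child
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

OFFICE_PARENTS = {"excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
# A UNC path (\\host\share\...) ending in a script extension seen in this campaign.
UNC_SCRIPT = re.compile(r"\\\\[^\s\\]+\\[^\s]*\.(vbs|js)\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_darkgate_like(event):
    """True when Excel spawns a script host that loads a VBS/JS file from a UNC share."""
    if event.get("EventID") != 1:
        return False
    if basename(event.get("ParentImage", "")) not in OFFICE_PARENTS:
        return False
    if basename(event.get("Image", "")) not in SCRIPT_HOSTS:
        return False
    return UNC_SCRIPT.search(event.get("CommandLine", "")) is not None


def hunt(events):
    """Return the command lines of all events matching the Excel -> UNC script pattern."""
    return [e["CommandLine"] for e in events if is_darkgate_like(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("suspicious:", hit)
```

Tune OFFICE_PARENTS and the extension list to your environment; a script host launched by Excel with a UNC argument is rare enough in most fleets to be worth an alert on its own.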
DarkGate’s diverse attack vectors, its evolution into a comprehensive MaaS, the continuous advancement of its offensive toolkit, and its increasing efforts to bypass modern security controls underscore the need to strengthen proactive defenses and preempt infections. Rely on SOC Prime’s Platform for collective cyber defense based on global threat intelligence, crowdsourcing, zero-trust, and AI to identify intrusions in time and preempt cyber attacks at their earliest stages.