DarkGate’s New Trick: Spreading Trojans through Public Samba Shares
Specialists from Palo Alto Networks’ Unit 42 have uncovered the DarkGate campaign, which leverages Samba file resources to disseminate a trojan. This activity was observed in March and April 2024, when DarkGate utilized publicly accessible Samba servers hosting VBS and JavaScript files. The attacks targeted users in North America, Europe, and Asia.
The DarkGate malware, first detected in 2018, operates on a MaaS (Malware-as-a-Service) model for a limited clientele. DarkGate features remote management of infected hosts, code execution, cryptocurrency mining, reverse shell initiation, and delivery of additional payloads. In recent months, attacks involving DarkGate have surged following an international operation in August 2023, where law enforcement dismantled the QakBot infrastructure.
The detected DarkGate campaign begins with the distribution of Microsoft Excel (.xlsx) files via email, which prompt the user to click an “Open” button upon opening. Clicking the button executes VBS code hosted on Samba, which then downloads a PowerShell script from a C2 server, ultimately delivering the DarkGate package based on AutoHotKey. Alternative scenarios use JavaScript instead of VBS to download and execute the subsequent PowerShell script.
One of DarkGate’s anti-analysis methods includes identifying the target system’s CPU. The trojan checks whether it is running in a virtual environment or on a physical host. This verification allows it to cease operation to evade analysis in a controlled environment. The malware also inspects running processes on the host to detect reverse engineering tools, debuggers, or virtualization software.
In addition to CPU information checks, DarkGate scans the system for various other anti-malware programs. By identifying installed security software, DarkGate can avoid detection mechanisms or even disable them to prevent further analysis. The command and control (C2) traffic employs unencrypted HTTP requests, but the data is obfuscated and presented as Base64-encoded text. Specialists emphasized that DarkGate continues to evolve, refining its infiltration and resistance techniques, serving as a stark reminder of the necessity for robust and proactive cybersecurity measures.
