Stealthy DarkGate 6.6 Malware Evades Detection, Delivered via Phishing
SonicWall specialists have uncovered a new wave of phishing attacks disseminating the DarkGate malware. Threat actors are employing PDF files masquerading as invoices to infect victims’ computers.
This campaign is aimed at propagating the DarkGate RAT Trojan, which has been actively utilized since 2018 and is distributed under the Malware-as-a-Service (MaaS) model. The latest version, DarkGate 6.6, boasts a multitude of perilous capabilities, such as evading virtual machines and antivirus software, delaying execution, and process spoofing, rendering this iteration exceedingly difficult to detect and eradicate.
In the campaign under scrutiny, the malicious PDF file takes the guise of an invoice dated June 26, 2024, and features a download button that redirects the victim to a compromised website to download a malicious VBScript file.
The VBScript is heavily obfuscated: function and variable names are encrypted, and voluminous comments impede code comprehension. The malware stores compressed data within comments at the end of the VBScript and extracts it using regular expressions. Subsequently, the Trojan launches a compiled AutoIt3 (AU3) script, which executes further commands to download DarkGate.
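The payload hidden in trailing comments is itself a detection opportunity. The following heuristic scanner is an added example (not SonicWall's code and not part of the original report): it collects the comment lines that close a VBScript file and flags the file when that block is large and high-entropy, as compressed data stored this way would be. The sample scripts are constructed for the demonstration.

```python
import base64
import math
import random
import re

# A VBScript comment line starts with an apostrophe or the "Rem" keyword.
COMMENT_RE = re.compile(r"^\s*(?:'|Rem\b)\s?(.*)$", re.IGNORECASE)


def shannon_entropy(text: str) -> float:
    """Bits per character; base64 of compressed data sits close to 6.0."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n)
                for c in {ch: text.count(ch) for ch in set(text)}.values())


def trailing_comment_payload(script: str) -> str:
    """Concatenate the bodies of the comment lines that end the script,
    which is where the dropper keeps its compressed data."""
    parts = []
    for line in reversed(script.splitlines()):
        if not line.strip():
            continue
        m = COMMENT_RE.match(line)
        if not m:
            break  # first real code line reached, stop walking upwards
        parts.append(m.group(1).strip())
    return "".join(reversed(parts))


def score_vbscript(script: str, min_len: int = 512, min_entropy: float = 4.5) -> dict:
    """Flag a script whose trailing comment block is a large high-entropy blob."""
    payload = trailing_comment_payload(script)
    ent = shannon_entropy(payload)
    return {"payload_len": len(payload), "entropy": round(ent, 2),
            "suspicious": len(payload) >= min_len and ent >= min_entropy}


# Constructed samples for the demonstration (not real DarkGate artefacts).
BENIGN = "' Print a greeting\nWScript.Echo \"hello\"\n' end of script\n"

_rng = random.Random(7)  # seeded so the blob is reproducible
_blob = base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(900))).decode()
DROPPER = "Dim payload\n" + "\n".join(
    "' " + _blob[i:i + 80] for i in range(0, len(_blob), 80)) + "\n"

if __name__ == "__main__":
    for name, s in (("benign", BENIGN), ("dropper", DROPPER)):
        print(name, score_vbscript(s))
```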
The malware commences its operation by initializing version “6.6” and loading the requisite DLL libraries. DarkGate then initializes encryption keys for subsequent data manipulation. These keys are generated based on unique system identifiers (product ID and processor name).
Furthermore, DarkGate employs sophisticated techniques to evade antivirus software. The malware checks for the presence of over 20 popular antivirus products and modifies its behavior based on the security measures it finds. If a specific antivirus program is identified on the system, DarkGate sets a corresponding flag and adapts its behavior to avoid that product's protection.
If it detects a test environment, for example by finding the file “c:\temp\test.txt,” the malware terminates itself; defenders can use this check as a kill switch by creating that file in advance to prevent infection.
Moreover, DarkGate collects and transmits a plethora of data from the compromised machine to a command-and-control server, including the active window, system uptime, administrator status, and DarkGate version. Communication with the C2 server is conducted via HTTP or HTTPS, depending on the configuration.
To thwart detection and analysis, DarkGate employs various encryption and code obfuscation techniques, rendering it exceedingly challenging to analyze and remove. The malware supports the execution of over 65 distinct commands, encompassing the launch of additional malicious programs, data collection, and the execution of attacks on the victim’s system.
One of the commands also extracts a ransom note and delivers the payload of a ransomware program. The note is placed in the “C:\temp” directory, followed by the execution of the ransomware binary.
Users are advised to exercise extreme caution with files received via email and to always verify the authenticity of sources to avoid infection. Cybersecurity professionals continue to work diligently to detect and neutralize such threats.