DarkGate
DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.[1] DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.[2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
DarkGate uses two distinct User Account Control (UAC) bypass techniques to escalate privileges.[1] |
| Enterprise | T1134 | .004 | Access Token Manipulation: Parent PID Spoofing |
DarkGate relies on parent PID spoofing as part of its "rootkit-like" functionality to evade detection via Task Manager or Process Explorer.[2] |
| Enterprise | T1098 | .007 | Account Manipulation: Additional Local or Domain Groups |
DarkGate elevates accounts created through the malware to the local administration group during execution.[1] |
| Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
DarkGate command and control includes hard-coded domains in the malware chosen to masquerade as legitimate services such as Akamai CDN or Amazon Web Services.[2] |
| Enterprise | T1071 | .004 | Application Layer Protocol: DNS |
DarkGate can cloak command and control traffic in DNS records from legitimate services to avoid reputation-based detection techniques. [1] |
| Enterprise | T1010 | Application Window Discovery |
DarkGate will search for cryptocurrency wallets by examining application window names for specific strings.[1] DarkGate extracts information collected via NirSoft tools from the hosting process's memory by first identifying the window through the |
|
| Enterprise | T1119 | Automated Collection |
DarkGate searches for stored credentials associated with cryptocurrency wallets and notifies the command and control server when identified.[1] |
|
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
DarkGate installation includes AutoIt script execution creating a shortcut to itself as an LNK object, such as bill.lnk, in the victim startup folder.[1] DarkGate installation finishes with the creation of a registry Run key.[1] |
| Enterprise | T1115 | Clipboard Data |
DarkGate starts a thread on execution that captures clipboard data and logs it to a predefined log file.[1] |
|
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
DarkGate uses a malicious Windows Batch script to run the Windows |
| .005 | Command and Scripting Interpreter: Visual Basic |
DarkGate initial infection mechanisms include masquerading as pirated media that launches malicious VBScript on the victim.[1] |
||
| .010 | Command and Scripting Interpreter: AutoHotKey & AutoIT |
DarkGate uses AutoIt scripts dropped to a hidden directory during initial installation phases, such as |
||
| Enterprise | T1136 | .001 | Create Account: Local Account |
DarkGate creates a local user account, |
| Enterprise | T1555 | Credentials from Password Stores |
DarkGate use Nirsoft Network Password Recovery or NetPass tools to steal stored RDP credentials in some malware versions.[2] |
|
| Enterprise | T1486 | Data Encrypted for Impact | ||
| Enterprise | T1001 | Data Obfuscation |
DarkGate will retrieved encrypted commands from its command and control server for follow-on actions such as cryptocurrency mining.[1] |
|
| Enterprise | T1622 | Debugger Evasion |
DarkGate checks the |
|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
DarkGate installation includes binary code stored in a file located in a hidden directory, such as |
|
| Enterprise | T1480 | Execution Guardrails |
DarkGate uses per-victim links for hosting malicious archives, such as ZIP files, in services such as SharePoint to prevent other entities from retrieving them.[2] |
|
| Enterprise | T1041 | Exfiltration Over C2 Channel |
DarkGate uses existing command and control channels to retrieve captured cryptocurrency wallet credentials.[1] |
|
| Enterprise | T1083 | File and Directory Discovery |
Some versions of DarkGate search for the hard-coded folder |
|
| Enterprise | T1657 | Financial Theft |
DarkGate can deploy payloads capable of capturing credentials related to cryptocurrency wallets.[1] |
|
| Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
DarkGate initial installation involves dropping several files to a hidden directory named after the victim machine name.[1] |
| Enterprise | T1665 | Hide Infrastructure |
DarkGate command and control includes hard-coded domains in the malware masquerading as legitimate services such as Akamai CDN or Amazon Web Services.[2] |
|
| Enterprise | T1574 | Hijack Execution Flow |
DarkGate edits the Registry key |
|
| .002 | DLL Side-Loading |
DarkGate includes one infection vector that leverages a malicious "KeyScramblerE.DLL" library that will load during the execution of the legitimate KeyScrambler application.[2] |
||
| .007 | Path Interception by PATH Environment Variable |
DarkGate overrides the |
||
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
DarkGate will terminate processes associated with several security software products if identified during execution.[1] |
| Enterprise | T1105 | Ingress Tool Transfer |
DarkGate retrieves cryptocurrency mining payloads and commands in encrypted traffic from its command and control server.[1] DarkGate uses Windows Batch scripts executing the |
|
| Enterprise | T1490 | Inhibit System Recovery |
DarkGate can delete system restore points through the command |
|
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
DarkGate will spawn a thread on execution to capture all keyboard events and write them to a predefined log file.[1] |
| Enterprise | T1036 | Masquerading |
DarkGate can masquerade as pirated media content for initial delivery to victims.[1] |
|
| .003 | Rename System Utilities |
DarkGate executes a Windows Batch script during installation that creases a randomly-named directory in the |
||
| .007 | Double File Extension |
DarkGate masquerades malicious LNK files as PDF objects using the double extension |
||
| Enterprise | T1106 | Native API |
DarkGate uses the native Windows API |
|
| Enterprise | T1027 | Obfuscated Files or Information |
DarkGate uses a hard-coded string as a seed, along with the victim machine hardware identifier and input text, to generate a unique string used as an internal mutex value to evade static detection based on mutexes.[2] |
|
| .013 | Encrypted/Encoded File |
DarkGate drops an encrypted PE file, pe.bin, and decrypts it during installation.[1] DarkGate also uses custom base64 encoding schemas in later variations to obfuscate payloads.[2] |
||
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
DarkGate can be distributed through emails with malicious attachments from a spoofed email address.[1] |
| .002 | Phishing: Spearphishing Link |
DarkGate is distributed in phishing emails containing links to distribute malicious VBS or MSI files.[2] DarkGate uses applications such as Microsoft Teams for distributing links to payloads.[2] |
||
| Enterprise | T1057 | Process Discovery |
DarkGate performs various checks for running processes, including security software by looking for hard-coded process name values.[1] |
|
| Enterprise | T1055 | .012 | Process Injection: Process Hollowing |
DarkGate leverages process hollowing techniques to evade detection, such as decrypting the content of an encrypted PE file and injecting it into the process vbc.exe.[1] |
| Enterprise | T1496 | .001 | Resource Hijacking: Compute Hijacking |
DarkGate can deploy follow-on cryptocurrency mining payloads.[1] |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
DarkGate looks for various security products by process name using hard-coded values in the malware. DarkGate will not execute its keylogging thread if a process name associated with Trend Micro anti-virus is identified, or if runtime checks identify the presence of Kaspersky anti-virus. DarkGate will initiate a new thread if certain security products are identified on the victim, and recreate any malicious files associated with it if it determines they were removed by security software in a new system location.[1] |
| Enterprise | T1082 | System Information Discovery |
DarkGate uses the Delphi methods |
|
| Enterprise | T1614 | System Location Discovery |
DarkGate queries system locale information during execution.[1] Later versions of DarkGate query |
|
| Enterprise | T1569 | .002 | System Services: Service Execution |
DarkGate tries to elevate privileges to |
| Enterprise | T1124 | System Time Discovery |
DarkGate creates a log file for capturing keylogging, clipboard, and related data using the victim host's current date for the filename.[1] DarkGate queries victim system epoch time during execution.[1] DarkGate captures system time information as part of automated profiling on initial installation.[2] |
|
| Enterprise | T1552 | Unsecured Credentials |
DarkGate uses NirSoft tools to steal user credentials from the infected machine.[1] NirSoft tools are executed via process hollowing in a newly-created instance of vbc.exe or regasm.exe. |
|
| Enterprise | T1204 | .002 | User Execution: Malicious File |
DarkGate initial infection payloads can masquerade as pirated media content requiring user interaction for code execution.[1] DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.[2] |
| Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
DarkGate queries system resources on an infected machine to identify if it is executing in a sandbox or virtualized environment.[1] |
Campaigns
| ID | Name | Description |
|---|---|---|
| C0037 | Water Curupira Pikabot Distribution |
Water Curupira Pikabot Distribution activity included distribution of DarkGate en route to ransomware execution.[3] |
References
- Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
- Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.