DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.[1] DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.[2]

ID: S1111
Platforms: Windows
Contributors: Serhii Melnyk, Trustwave SpiderLabs
Version: 1.0
Created: 09 February 2024
Last Modified: 01 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

DarkGate uses two distinct User Account Control (UAC) bypass techniques to escalate privileges.[1]

Enterprise T1134 .004 Access Token Manipulation: Parent PID Spoofing

DarkGate relies on parent PID spoofing as part of its "rootkit-like" functionality to evade detection via Task Manager or Process Explorer.[2]

Enterprise T1098 Account Manipulation

DarkGate elevates accounts created through the malware to the local administration group during execution.[1]

Enterprise T1583 .001 Acquire Infrastructure: Domains

DarkGate command and control includes hard-coded domains in the malware chosen to masquerade as legitimate services such as Akamai CDN or Amazon Web Services.[2]

Enterprise T1071 .004 Application Layer Protocol: DNS

DarkGate can cloak command and control traffic in DNS records from legitimate services to avoid reputation-based detection techniques. [1]

Enterprise T1010 Application Window Discovery

DarkGate will search for cryptocurrency wallets by examining application window names for specific strings.[1] DarkGate extracts information collected via NirSoft tools from the hosting process's memory by first identifying the window through the FindWindow API function.[1]

Enterprise T1119 Automated Collection

DarkGate searches for stored credentials associated with cryptocurrency wallets and notifies the command and control server when identified.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

DarkGate installation includes AutoIt script execution creating a shortcut to itself as an LNK object, such as bill.lnk, in the victim startup folder.[1] DarkGate installation finishes with the creation of a registry Run key.[1]

Enterprise T1115 Clipboard Data

DarkGate starts a thread on execution that captures clipboard data and logs it to a predefined log file.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

DarkGate uses a malicious Windows Batch script to run the Windows code utility to retrieve follow-on script payloads.[2]

.005 Command and Scripting Interpreter: Visual Basic

DarkGate initial infection mechanisms include masquerading as pirated media that launches malicious VBScript on the victim.[1]

.010 Command and Scripting Interpreter: AutoHotKey & AutoIT

DarkGate uses AutoIt scripts dropped to a hidden directory during initial installation phases, such as test.au3.[1]

Enterprise T1136 .001 Create Account: Local Account

DarkGate creates a local user account, SafeMode, via net user commands.[1]

Enterprise T1555 Credentials from Password Stores

DarkGate use Nirsoft Network Password Recovery or NetPass tools to steal stored RDP credentials in some malware versions.[2]

Enterprise T1486 Data Encrypted for Impact

DarkGate can deploy follow-on ransomware payloads.[1]

Enterprise T1001 Data Obfuscation

DarkGate will retrieved encrypted commands from its command and control server for follow-on actions such as cryptocurrency mining.[1]

Enterprise T1622 Debugger Evasion

DarkGate checks the BeingDebugged flag in the PEB structure during execution to identify if the malware is being debugged.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

DarkGate installation includes binary code stored in a file located in a hidden directory, such as shell.txt, that is decrypted then executed.[1] DarkGate uses hexadecimal-encoded shellcode payloads during installation that are called via Windows API CallWindowProc() to decode and then execute.[2]

Enterprise T1480 Execution Guardrails

DarkGate uses per-victim links for hosting malicious archives, such as ZIP files, in services such as SharePoint to prevent other entities from retrieving them.[2]

Enterprise T1041 Exfiltration Over C2 Channel

DarkGate uses existing command and control channels to retrieve captured cryptocurrency wallet credentials.[1]

Enterprise T1083 File and Directory Discovery

Some versions of DarkGate search for the hard-coded folder C:\Program Files\e Carte Bleue.[1]

Enterprise T1657 Financial Theft

DarkGate can deploy payloads capable of capturing credentials related to cryptocurrency wallets.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

DarkGate initial installation involves dropping several files to a hidden directory named after the victim machine name.[1]

Enterprise T1665 Hide Infrastructure

DarkGate command and control includes hard-coded domains in the malware masquerading as legitimate services such as Akamai CDN or Amazon Web Services.[2]

Enterprise T1574 Hijack Execution Flow

DarkGate edits the Registry key HKCU\Software\Classes\mscfile\shell\open\command to execute a malicious AutoIt script.[1] When eventvwr.exe is executed, this will call the Microsoft Management Console (mmc.exe), which in turn references the modified Registry key.

.002 DLL Side-Loading

DarkGate includes one infection vector that leverages a malicious "KeyScramblerE.DLL" library that will load during the execution of the legitimate KeyScrambler application.[2]

.007 Path Interception by PATH Environment Variable

DarkGate overrides the %windir% environment variable by setting a Registry key, HKEY_CURRENT_User\Environment\windir, to an alternate command to execute a malicious AutoIt script. This allows DarkGate to run every time the scheduled task DiskCleanup is executed as this uses the path value %windir%\system32\cleanmgr.exe for execution.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

DarkGate will terminate processes associated with several security software products if identified during execution.[1]

Enterprise T1105 Ingress Tool Transfer

DarkGate retrieves cryptocurrency mining payloads and commands in encrypted traffic from its command and control server.[1] DarkGate uses Windows Batch scripts executing the curl command to retrieve follow-on payloads.[2]

Enterprise T1490 Inhibit System Recovery

DarkGate can delete system restore points through the command cmd.exe /c vssadmin delete shadows /for=c: /all /quiet".[1]

Enterprise T1056 .001 Input Capture: Keylogging

DarkGate will spawn a thread on execution to capture all keyboard events and write them to a predefined log file.[1]

Enterprise T1036 Masquerading

DarkGate can masquerade as pirated media content for initial delivery to victims.[1]

.003 Rename System Utilities

DarkGate executes a Windows Batch script during installation that creases a randomly-named directory in the C:\ root directory that copies and renames the legitimate Windows curl command to this new location.[2]

.007 Double File Extension

DarkGate masquerades malicious LNK files as PDF objects using the double extension .pdf.lnk.[2]

Enterprise T1106 Native API

DarkGate uses the native Windows API CallWindowProc() to decode and launch encoded shellcode payloads during execution.[2] DarkGate can call kernel mode functions directly to hide the use of process hollowing methods during execution.[1]

Enterprise T1027 Obfuscated Files or Information

DarkGate uses a hard-coded string as a seed, along with the victim machine hardware identifier and input text, to generate a unique string used as an internal mutex value to evade static detection based on mutexes.[2]

.013 Encrypted/Encoded File

DarkGate drops an encrypted PE file, pe.bin, and decrypts it during installation.[1] DarkGate also uses custom base64 encoding schemas in later variations to obfuscate payloads.[2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

DarkGate can be distributed through emails with malicious attachments from a spoofed email address.[1]

.002 Phishing: Spearphishing Link

DarkGate is distributed in phishing emails containing links to distribute malicious VBS or MSI files.[2] DarkGate uses applications such as Microsoft Teams for distributing links to payloads.[2]

Enterprise T1057 Process Discovery

DarkGate performs various checks for running processes, including security software by looking for hard-coded process name values.[1]

Enterprise T1055 .012 Process Injection: Process Hollowing

DarkGate leverages process hollowing techniques to evade detection, such as decrypting the content of an encrypted PE file and injecting it into the process vbc.exe.[1]

Enterprise T1496 Resource Hijacking

DarkGate can deploy follow-on cryptocurrency mining payloads.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

DarkGate looks for various security products by process name using hard-coded values in the malware. DarkGate will not execute its keylogging thread if a process name associated with Trend Micro anti-virus is identified, or if runtime checks identify the presence of Kaspersky anti-virus. DarkGate will initiate a new thread if certain security products are identified on the victim, and recreate any malicious files associated with it if it determines they were removed by security software in a new system location.[1]

Enterprise T1082 System Information Discovery

DarkGate uses the Delphi methods Sysutils::DiskSize and GlobalMemoryStatusEx to collect disk size and physical memory as part of the malware's anti-analysis checks for running in a virtualized environment.[1] DarkGate will gather various system information such as display adapter description, operating system type and version, processor type, and RAM amount.[1]

Enterprise T1614 System Location Discovery

DarkGate queries system locale information during execution.[1] Later versions of DarkGate query GetSystemDefaultLCID for locale information to determine if the malware is executing in Russian-speaking countries.[2]

Enterprise T1569 .002 System Services: Service Execution

DarkGate tries to elevate privileges to SYSTEM using PsExec to locally execute as a service, such as cmd /c c:\temp\PsExec.exe -accepteula -j -d -s [Target Binary].[2]

Enterprise T1124 System Time Discovery

DarkGate creates a log file for capturing keylogging, clipboard, and related data using the victim host's current date for the filename.[1] DarkGate queries victim system epoch time during execution.[1] DarkGate captures system time information as part of automated profiling on initial installation.[2]

Enterprise T1552 Unsecured Credentials

DarkGate uses NirSoft tools to steal user credentials from the infected machine.[1] NirSoft tools are executed via process hollowing in a newly-created instance of vbc.exe or regasm.exe.

Enterprise T1204 .002 User Execution: Malicious File

DarkGate initial infection payloads can masquerade as pirated media content requiring user interaction for code execution.[1] DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.[2]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

DarkGate queries system resources on an infected machine to identify if it is executing in a sandbox or virtualized environment.[1]