- Implement remote access software (such as remote desktop protocol or RDP, hidden virtual network computing or hVNC, and AnyDesk)
- Enable cryptocurrency mining functionality (start, stop, and configure)

DarkGate also uses a Windows-specific automation and scripting tool called AutoIt to deliver and execute its malicious capabilities. Despite being a legitimate tool, AutoIt has been frequently abused by other malware families for defense evasion and as an added obfuscation layer. Historically, however, none of the notable loaders like IcedID, Emotet, or Qakbot have been observed to abuse it, making it easier for researchers or security teams to link the activity to the malware campaign.

Comparing this latest variant of DarkGate with a sample also abusing AutoIt in 2018, we observed that the routine appears to have changed slightly in terms of the initial stager and the addition of obfuscation to its command lines. The infection chain, however, largely remains the same.

In the sample we studied, the threat actor abused a trusted relationship between the two organizations to deceive the recipient into executing the attached VBA script. Access to the victim's Skype account allowed the actor to hijack an existing messaging thread and craft the naming convention of the files to relate to the context of the chat history.

The downloaded artifacts contained both a legitimate copy of AutoIt and a maliciously compiled AutoIt script file that contained the malicious capabilities of DarkGate.

The AU3 file first performs the following checks before loading the script. If any of the following conditions are not met, the script is terminated:

- The existence of %Program Files% is confirmed.
- The scanned username is not "SYSTEM".

Once the environmental checks are complete, the program searches for a file with the ".au3" extension to decrypt and execute the DarkGate payload. If the .AU3 file cannot be loaded, the program displays an error message box and terminates the execution.

After successfully executing the .AU3 file, the file spawns surrogate processes located in C:\Program Files (x86)\. These processes include iexplore.exe, GoogleUpdateBroker.exe, and Dell.D3. These are injected with shellcode to execute the DarkGate payload in memory.

The malware achieves persistence by dropping a randomly named LNK file into the Windows user Startup folder, enabling automatic execution of the file at every system startup, following this path:

\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.lnk

In addition, the execution creates a folder on the host within the ProgramData directory, named with a randomly generated seven-character string, to store log and configuration data.

To help aid in the investigation of the DarkGate payload and processes, a tool by Telekom Security can be used to dump the config file.
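The host artifacts described above (the Startup LNK, the seven-character ProgramData folder, and the surrogate processes spawned from AutoIt) can be turned into hunting logic over endpoint telemetry. This is an added example, not code from the original write-up; the event record format, the AutoIt3.exe image name as the parent of the surrogates, and the sample events are assumptions and constructed data.

```python
import re
from collections import Counter

# Artifacts from the write-up, encoded as matching rules over lowercased paths.
STARTUP_DIR = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"
RANDOM_PROGRAMDATA_DIR = re.compile(r"^c:\\programdata\\[a-z0-9]{7}$")
SURROGATES = {"iexplore.exe", "googleupdatebroker.exe", "dell.d3"}
SURROGATE_ROOT = "c:\\program files (x86)\\"


def check_event(ev):
    """Return the indicator names that one telemetry record matches."""
    hits = []
    kind, path = ev["type"], ev.get("path", "").lower()
    if kind == "file_create" and path.endswith(".lnk") and STARTUP_DIR in path:
        hits.append("startup_lnk")
    if kind == "dir_create" and RANDOM_PROGRAMDATA_DIR.match(path):
        # Low fidelity on its own: legitimate seven-character folder names exist.
        hits.append("programdata_random_dir")
    if kind == "process_create":
        image, parent = ev["image"].lower(), ev.get("parent", "").lower()
        if image.endswith("\\autoit3.exe") and ".au3" in ev.get("cmdline", "").lower():
            hits.append("autoit_au3_script")
        # Assumption: the surrogate's parent is the AutoIt interpreter (AutoIt3.exe).
        if (image.startswith(SURROGATE_ROOT) and image.rsplit("\\", 1)[-1] in SURROGATES
                and parent.endswith("\\autoit3.exe")):
            hits.append("surrogate_from_autoit")
    return hits


def triage(events, min_distinct=2):
    """Tally indicators across a host's events; flag only when distinct ones co-occur."""
    counts = Counter(h for ev in events for h in check_event(ev))
    return {"indicators": dict(counts), "suspicious": len(counts) >= min_distinct}


# Constructed sample telemetry (not real indicators) mimicking the chain above.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\alice\Downloads\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe script.au3"},
    {"type": "dir_create", "path": r"C:\ProgramData\kdjq7ax"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                                    r"\Start Menu\Programs\Startup\zq1mv.lnk"},
    {"type": "process_create", "image": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
     "parent": r"C:\Users\alice\Downloads\AutoIt3.exe", "cmdline": "iexplore.exe"},
    {"type": "dir_create", "path": r"C:\ProgramData\Mozilla"},  # benign 7-char name
]
BENIGN_EVENTS = [SAMPLE_EVENTS[4]]  # the weak rule alone must not raise an alert
```

Requiring two distinct indicator types keeps the seven-character folder rule from alerting on benign vendor directories by itself.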