DarkGate is sophisticated malware built with AutoIt, a freeware scripting language for Microsoft Windows. This malware poses a major threat due to its meticulous evasion strategies and multi-stage payload distribution. A detailed investigation by the Splunk Threat Research Team (STRT) examines DarkGate’s complicated loader execution path, including phases such as malicious PDF exploitation, CAB file execution, DLL side-loading, AutoIt script execution, and final payload decryption. The malware’s tactics, techniques, and procedures (TTPs) include a variety of measures such as lateral movement, malicious downloads (like CryptoMiner), proxy setup, and RDP use.
The Attack Chain
- CAB File Download
When the malicious PDF is opened, it triggers a series of events that lead to downloading a CAB (Cabinet) file from a remote server. This download is disguised within the PDF’s code to avoid detection. The downloaded CAB file contains components essential for DarkGate’s execution, including legitimate executables like windbg.exe and malicious payloads like data.bin and data2.bin. Four .png files are also included to distract from and conceal the malware’s critical components.
- DLL Side-Loading
Execution continues with windbg.exe, a legitimate Windows debugging tool, which is manipulated into loading a malicious DLL (Dynamic Link Library) named dbgeng.dll. This technique, known as DLL side-loading, allows the malware to run its code inside a trusted process and so evade security tools that allowlist legitimate applications like windbg.exe.
- Decoding of data.bin
The loaded dbgeng.dll decodes the contents of data.bin, revealing encrypted data2.bin. Following successful decoding, the malware proceeds to execute an AutoIt loader.
- Execution of Compiled AutoIt Script
The AutoIt loader executes a compiled script (script.au3) designed to perform specific tasks for the malware.
- Execution of Shellcode and PE File
Within the AutoIt script, the shellcode is executed to initiate the execution of an embedded win32 Portable Executable (PE) file. This PE file contains the core functionality of the DarkGate malware, including its malicious payloads and routines. The execution of the shellcode and the PE file marks the final stages of the infection process.
- Decryption of DarkGate Malware
The embedded win32 PE file is designed to decrypt the DarkGate malware using a predefined decryption key or algorithm. This process involves operations such as XOR decryption, which reveals the fully functional DarkGate payload on the compromised system, ready to carry out malicious activities as instructed by the threat actor, including lateral movement, malicious downloads (like CryptoMiner), proxy setup, and RDP use.
Recommendations
Here are recommendations to prevent or mitigate DarkGate malware attacks:
Enforce strong email policies and configuration.
Use anti-spoofing and email authentication mechanisms like SPF and DKIM to filter messages based on the validity of the sender domain and message integrity. Enable DMARC policies in quarantine or reject mode. These protocols verify the sender’s legitimacy and message integrity, filtering out spoofed emails and potential phishing attempts.
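As an added example (not from the original article), the following Python script evaluates whether a domain's SPF and DMARC records are actually enforcing, which is the property the recommendation above depends on. The TXT records in the script are constructed sample values, not real DNS data; in practice you would fetch them for the domain and its `_dmarc` subdomain with a resolver.

```python
"""Assess SPF and DMARC TXT records for enforcement strength.

Added example, not part of the original article. The records below are
constructed samples (assumption: they are what a resolver would return for
example.com and _dmarc.example.com).
"""
import re

# Constructed sample records for illustration.
SAMPLE_SPF_WEAK = "v=spf1 include:_spf.example.net ~all"
SAMPLE_SPF_STRICT = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
SAMPLE_DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_ENFORCING = "v=DMARC1; p=reject; sp=quarantine; pct=100; adkim=s; aspf=s"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs (tag names lowercased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_is_enforcing(record: str) -> bool:
    """True when the domain policy is quarantine or reject and applies to 100% of mail."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    return policy in ("quarantine", "reject") and pct == 100


def spf_all_qualifier(record: str) -> str:
    """Return the qualifier on the trailing 'all' mechanism: '-', '~', '?' or '+'.

    A record with no 'all' mechanism yields a neutral default, reported as '?'.
    """
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    for term in reversed(record.split()[1:]):
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # bare 'all' means '+all'
    return "?"


def assess(spf_record: str, dmarc_record: str) -> list:
    """Return a list of findings describing weaknesses in the SPF/DMARC pair."""
    findings = []
    qual = spf_all_qualifier(spf_record)
    if qual in ("+", "?"):
        findings.append(f"SPF ends in '{qual}all': unlisted senders are not rejected")
    elif qual == "~":
        findings.append("SPF softfail (~all): relies on DMARC to act on failures")
    if not dmarc_is_enforcing(dmarc_record):
        findings.append("DMARC policy is not quarantine/reject at 100%")
    return findings


if __name__ == "__main__":
    for spf, dmarc in ((SAMPLE_SPF_WEAK, SAMPLE_DMARC_NONE),
                       (SAMPLE_SPF_STRICT, SAMPLE_DMARC_ENFORCING)):
        print(spf, "|", dmarc)
        for finding in assess(spf, dmarc) or ["no findings"]:
            print("  -", finding)
```

The check treats `pct` below 100 as non-enforcing because a partial policy lets a share of spoofed mail through; DKIM is not checked here because its keys live under per-selector names that are not discoverable from the domain alone.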
Utilize endpoint security solutions with advanced behavior-based prevention capabilities.
- Configure endpoint security solutions to detect and block process injection techniques, including process hollowing, based on common sequences of behavior observed during the injection process.
- Employ behavior-based detection mechanisms to identify suspicious activities associated with process hollowing, such as abnormal process creation and memory modifications.
- Ensure antivirus/antimalware software is installed on all endpoints and configured to quarantine suspicious files automatically. Regularly update antivirus signatures, and conduct periodic scans to detect and remove known threats, including malicious attachments delivered via spearphishing.
- Enforce email attachment restrictions as a best practice. Block unknown or unused file types like .scr, .exe, .pif, and .cpl by default to prevent potential threats. Consider email scanning solutions that can analyze compressed and encrypted formats like .CAB and .MSI, and other files often used to mask malicious content.
Ensure that Driver Signature Enforcement is enabled.
- Enforce the registration and execution of only legitimately signed service drivers wherever possible. Implement strict controls to validate the authenticity and integrity of service drivers before installation or execution.
Have a detection and monitoring plan in place.
- Monitor Windows API calls indicative of code injection, such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, VirtualAllocEx, and WriteProcessMemory, which may be used for process hollowing. While benign applications may also use these APIs, monitoring for suspicious sequences or under specific circumstances can aid in threat detection. Also monitor API calls associated with service creation or modification, such as CreateServiceW(), and investigate suspicious API activity that could indicate attempts to establish persistence.
- Track processes accessing potentially vulnerable processes that could be targets for malicious code injection. This helps identify suspicious activity where legitimate processes are being manipulated.
- Monitor newly created processes, especially those launched by unexpected parent processes. Adversaries may abuse legitimate processes to execute malicious code within their memory space. For example, smss.exe launching csrss.exe or winlogon.exe launching services.exe could indicate malicious activity. While not foolproof, this can help detect anomalies.
- Monitor for changes made to processes that may indicate injection of malicious code into suspended and hollowed processes. Look for anomalies in process behavior, such as unexpected modifications to process memory or behavior inconsistent with standard operations.
- Monitor processes and command-line arguments for actions that could create or modify services, especially command-line invocations of tools capable of service manipulation. Collect and analyze service utility executions and the service binary path arguments they pass to identify suspicious activities.
- Monitor for new service driver installations and loads, particularly those not part of known software update/patch cycles, to detect potentially malicious activity. Analyze running services and compare them against historical data to identify potential outliers or unknown services. Investigate any suspicious findings.
- Monitor for modifications to binary files associated with existing services, as adversaries may modify these files to achieve persistence and evade detection.
- Look for events where a file was created or modified and later run as a service, indicating potential APT activity.
- Monitor Windows Registry activity related to service creation and modification. Pay attention to changes made to specific registry keys associated with services.
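As an added example (not from the original article or from Splunk's detection content), the following Python script runs three of the monitoring checks listed above over constructed endpoint telemetry: DLL side-loading of the windbg.exe/dbgeng.dll kind, a core process launched by an unexpected parent, and service creation from the command line. The events are shaped like Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad) records reduced to the fields used here; the file paths, the `pkg` directory, the service name `UpdSvc`, and the expected-parent table are assumptions for illustration.

```python
"""Three endpoint detections over constructed Sysmon-style events.

Added example, not part of the original article. Paths, directory names and
the expected-parent table are assumptions; tune them to your environment.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: directories from which Windows' own debugging DLLs are expected to load.
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# DLLs that ship with Windows; a copy loaded from elsewhere is the side-loading pattern.
SIDELOAD_DLLS = {"dbgeng.dll", "dbghelp.dll"}
# Assumption: expected parent image for a few core processes (wininit.exe starts both).
EXPECTED_PARENT = {"services.exe": {"wininit.exe"}, "lsass.exe": {"wininit.exe"}}
# sc.exe create/config <name> ... binPath= "<path>"  or  binPath= <path>
SC_CMD = re.compile(r"\bsc(?:\.exe)?\s+(?:create|config)\s+(\S+).*?binpath=\s*(?:\"([^\"]+)\"|(\S+))",
                    re.IGNORECASE)


@dataclass
class Event:
    event_id: int            # 1 = ProcessCreate, 7 = ImageLoad (Sysmon numbering)
    image: str               # full path of the process
    parent_image: str = ""   # Event ID 1 only
    command_line: str = ""   # Event ID 1 only
    image_loaded: str = ""   # Event ID 7 only


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0] + "\\"


def check_sideload(ev: Event) -> Optional[str]:
    """Flag a Windows DLL name loaded from outside the Windows directories."""
    if ev.event_id != 7:
        return None
    name = _base(ev.image_loaded)
    if name in SIDELOAD_DLLS and not _dir(ev.image_loaded).startswith(WINDOWS_DIRS):
        return f"possible DLL side-loading: {_base(ev.image)} loaded {name} from {_dir(ev.image_loaded)}"
    return None


def check_parent(ev: Event) -> Optional[str]:
    """Flag a core process whose parent is not the one expected."""
    if ev.event_id != 1:
        return None
    child, parent = _base(ev.image), _base(ev.parent_image)
    allowed = EXPECTED_PARENT.get(child)
    if allowed and parent not in allowed:
        return f"unexpected parent: {parent} launched {child} (expected {sorted(allowed)})"
    return None


def check_service_cmdline(ev: Event) -> Optional[str]:
    """Flag service creation or reconfiguration done through sc.exe."""
    if ev.event_id != 1:
        return None
    m = SC_CMD.search(ev.command_line)
    if m:
        bin_path = m.group(2) or m.group(3)
        return f"service created/modified from command line: {m.group(1)} -> {bin_path}"
    return None


def run_detections(events: List[Event]) -> List[str]:
    alerts = []
    for ev in events:
        for check in (check_sideload, check_parent, check_service_cmdline):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: two benign events and three that should alert.
SAMPLE_EVENTS = [
    Event(7, "C:\\Windows\\System32\\notepad.exe", image_loaded="C:\\Windows\\System32\\dbghelp.dll"),
    Event(7, "C:\\Users\\user\\AppData\\Local\\Temp\\pkg\\windbg.exe",
          image_loaded="C:\\Users\\user\\AppData\\Local\\Temp\\pkg\\dbgeng.dll"),
    Event(1, "C:\\Windows\\System32\\services.exe", parent_image="C:\\Windows\\System32\\wininit.exe"),
    Event(1, "C:\\Windows\\System32\\services.exe", parent_image="C:\\Windows\\System32\\winlogon.exe"),
    Event(1, "C:\\Windows\\System32\\sc.exe", parent_image="C:\\Windows\\System32\\cmd.exe",
          command_line='sc.exe create UpdSvc binPath= "C:\\Users\\user\\AppData\\Local\\Temp\\pkg\\windbg.exe" start= auto'),
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The side-loading rule is deliberately narrow (a short list of Windows DLL names loaded from a non-Windows directory) so it stays close to the windbg.exe/dbgeng.dll chain described above; broadening the DLL list will raise hits from legitimate software that bundles its own copies, so pair it with signer and path context before alerting.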
Limit the privileges of user accounts and groups, and enforce appropriate file, process, service, and registry permissions.
- Ensure that only authorized administrators can interact with service changes and configurations. Implement role-based access controls (RBAC) to enforce the principle of least privilege and minimize the impact of unauthorized service manipulation by limiting access to critical systems and configurations.
- Ensure that the right file and process permissions are in place to prevent adversaries from blocking or altering essential services. Limit unauthorized access to service-related files and directories using the least privilege principle. This will lessen adversaries’ capacity to alter or tamper with service configurations.
- Implement the appropriate registry permissions to prevent attackers from turning off or interfering with vital services. Make sure that only authorized users can update service-related keys and values by routinely auditing and reviewing registry settings to prevent unwanted modifications.
