DarkGate Malware Allows Financially Motivated Hackers to Access RaaS

After the FBI shut down Qakbot infrastructure in August 2023, EclecticIQ security experts saw a spike in the DarkGate loader's usage.

According to EclecticIQ, the main owners of DarkGate are profit-driven organizations such as TA577 and Ducktail, as well as RaaS operators like Black Basta and BianLian.

These groups target financial institutions in Europe and America, using ransomware assaults that double extort victims in an attempt to extract as much money as possible.

To fool users into installing the malware, they take advantage of trustworthy services like cloud storage and Google's DoubleClick advertising network.

DarkGate Is Available On Forums

On June 16, 2023, DarkGate Malware-as-a-Service (MaaS) was promoted on internet forums by a cybercriminal known as RastaFarEye.

With the help of this service, hackers were able to remotely take over victims' computers and steal their data.

DarkGate Phishing Scam

The DarkGate malware's primary targets, according to EclecticIQ security researchers, are financial organizations.

In one instance, Bank Deutsches Kraftfahrzeuggewerbe (BDK), the second-biggest independent bank serving the German automobile industry, was the target of a phishing effort.

Probably taking advantage of BDK's industrial emphasis, the attackers used an automotive-themed enticement to send an email containing a malicious PDF attachment.

When victims clicked the “Open” button in the PDF, it took them to a phishing website where they could download the “DarkGate” file.

The malware was sent by the phishing website under the guise of a ZIP-compressed file, which is a popular way to get around security controls.

Suggested Recommendations

Track instances in which “.vbs” files are executed by wscript.exe or cscript.exe, particularly when they are launched from temporary directories. Elasticsearch KQL queries or the SIGMA rule “Suspicious Script Execution from Temp Folder” are two tools that can be used to find this. Keep an eye out for odd patterns in network activity, such as downloads of .CAB files or redirects to unusual sites like “adclick.g.doubleclick.net” with questionable parameters.
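The two hunts recommended above, written out as detection logic over sample telemetry. This is an added example, not code from the article or from EclecticIQ's report: the events are constructed, the record shape (`type`, `process`, `command_line`, `url`) is an assumed simplification of what Sysmon or an EDR would emit, and the temp-directory patterns are the common Windows locations rather than anything taken from the page. The only page-derived indicator is the `adclick.g.doubleclick.net` host; everything else is generic.

```python
"""Hunt logic for the indicators in the recommendations: .vbs files run by
wscript.exe / cscript.exe out of a temp directory, plus .CAB downloads and
parameterised redirects through adclick.g.doubleclick.net.

Constructed sample data and an assumed event schema; not a product's API."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry: benign and suspicious events mixed together.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "process": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.vbs"'},
    {"type": "process", "process": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript.exe //nologo C:\Scripts\inventory.vbs"},
    {"type": "process", "process": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript.exe C:\Windows\Temp\update.vbs"},
    {"type": "process", "process": r"C:\Program Files\Editor\editor.exe",
     "command_line": r"editor.exe C:\Users\alice\AppData\Local\Temp\notes.vbs"},
    {"type": "network", "url": "https://cdn.example.net/assets/styles.css"},
    {"type": "network", "url": "https://files.example.org/pkg/payload.cab"},
    {"type": "network",
     "url": "https://adclick.g.doubleclick.net/pcs/click?adurl=https://example.invalid/x"},
    {"type": "network", "url": "https://adclick.g.doubleclick.net/pcs/click"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Common Windows temp locations (assumed list, case-insensitive).
TEMP_DIR_RE = re.compile(
    r"(\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TEMP%|%TMP%)", re.IGNORECASE)
# A drive-rooted or %VAR%-rooted path ending in .vbs, optionally quoted.
VBS_PATH_RE = re.compile(
    r'"?([A-Za-z]:\\[^"\s]+?\.vbs|%\w+%\\[^"\s]+?\.vbs)"?', re.IGNORECASE)
# .cab at the end of the path, with or without a query string.
CAB_URL_RE = re.compile(r"\.cab(\?|$)", re.IGNORECASE)
# The ad-network redirect host named in the article, only when parameters follow.
DOUBLECLICK_REDIRECT_RE = re.compile(
    r"^https?://adclick\.g\.doubleclick\.net/[^?]*\?", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(event: Dict[str, str]) -> Optional[str]:
    """Reason string when a script host runs a .vbs from a temp directory, else None."""
    host = basename(event.get("process", ""))
    if host not in SCRIPT_HOSTS:
        return None
    for match in VBS_PATH_RE.finditer(event.get("command_line", "")):
        path = match.group(1)
        if TEMP_DIR_RE.search(path):
            return f"{host} executed .vbs from temp directory: {path}"
    return None


def check_network(event: Dict[str, str]) -> Optional[str]:
    """Reason string for .CAB downloads or parameterised doubleclick redirects, else None."""
    url = event.get("url", "")
    if CAB_URL_RE.search(url):
        return f".CAB download: {url}"
    if DOUBLECLICK_REDIRECT_RE.match(url):
        return f"adclick.g.doubleclick.net redirect carrying parameters: {url}"
    return None


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Apply the matching check to every event; return (index, reason) for each hit."""
    hits: List[Tuple[int, str]] = []
    for idx, event in enumerate(events):
        check = check_process if event.get("type") == "process" else check_network
        reason = check(event)
        if reason:
            hits.append((idx, reason))
    return hits


if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"[{idx}] {reason}")
```

Run against the sample set, the script-host check fires on the two temp-directory launches but stays quiet on the `.vbs` under `C:\Scripts` and on the non-script-host editor, which is the distinction the Sigma rule draws. The doubleclick check only fires when a query string is present; since legitimate ad clicks also produce such URLs, treat that hit as a hunting lead to correlate with a following download rather than as a stand-alone alert.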