11/14/2023 0 Comments Filezilla malware warning![]() Image: Telekom SecurityĭarkGate’s capabilities makes it a tool of choice for cybercriminals interested in financial fraud or threat actors interested in running cyberespionage campaigns. RastaFarEye also provided a video showing the malware builder and control panel ( Figure D).įigure D Screen capture exposing DarkGate loader’s panel and its options to control computers. The threat actor limited the malware-as-a-service to only 10 affiliates at a monthly price of $15,000 USD, or $100,000 USD for a full year. DarkGate’s business modelĭarkGate loader was advertised in June 2023 by its developer RastaFarEye ( Figure C), as shown in a report from German company Telekom Security.įigure C DarkGate loader’s developer RastaFarEye advertised on a cybercriminal underground forum. That final payload is the DarkGate loader malware. If the antivirus isn’t installed, the script downloads a shellcode that in turn downloads a file, byte by byte, using the stacked strings technique in an effort to stay undetected. In this attack campaign, the AutoIT script checks for the presence of the Sophos antivirus other campaigns might check for other antivirus solutions. A precompiled AutoIT script is also downloaded and executed via the AutoIT software. Image: TruesecĪfter the LNK file is clicked, it executes a command line that triggers the download and execution of AutoIT via a VBScript file. Once the zip file is opened, it shows the user a malicious LNK (shortcut) file posing as a PDF document ( Figure B).įigure B Malicious LNK file posing as a PDF file. Those accounts were used to send socially engineered content to convince users to download and open a malicious archive file ( Figure A).įigure A Phishing message sent to targets via Microsoft Teams. ![]() The attack consists of messages sent on Microsoft Teams by a threat actor who used two compromised Teams accounts for sale on the Dark Web. How new attack spreads DarkGate loader via Microsoft Teams Remote access tool capabilities: DarkGate can initiate a virtual network connection and execute commands.Cryptomining capabilities: DarkGate is able to start, stop and configure a cryptominer.To achieve that goal, the malware uses multiple legitimate free tools from the popular NirSoft website. Credentials theft: DarkGate is able to steal passwords and cookies from browsers, email software and other software such as Discord or FileZilla.It can also collect files from the system and send it to the C2 server, as well as do screen captures. Information gathering: DarkGate is able to query the system to get information about the currently logged-in user, running software, processes and more, which it sends to the C2 server. ![]() In that case, it stores a copy of itself on the hard drive and creates a registry key to be executed at reboot times.Īlthough DarkGate is mostly a loader for third-parties’ malware, it still has built-in capabilities.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |