S1111: DarkGate

DarkGate will gather various system information such as domain, display adapter description, operating system type and version, processor type, and RAM amount.[1]CitationRapid7 BlackBasta 2024

DarkGate tries to elevate privileges to SYSTEM using PsExec to locally execute as a service, such as cmd /c c:\temp\PsExec.exe -accepteula -j -d -s [Target Binary].[2]

DarkGate can cloak command and control traffic in DNS records from legitimate services to avoid reputation-based detection techniques. [1]

DarkGate searches for stored credentials associated with cryptocurrency wallets and notifies the command and control server when identified.[1]

DarkGate edits the Registry key HKCU\Software\Classes\mscfile\shell\open\command to execute a malicious AutoIt script.[1] When eventvwr.exe is executed, this will call the Microsoft Management Console (mmc.exe), which in turn references the modified Registry key.

DarkGate uses per-victim links for hosting malicious archives, such as ZIP files, in services such as SharePoint to prevent other entities from retrieving them.[2]

DarkGate uses two distinct User Account Control (UAC) bypass techniques to escalate privileges.[1]

DarkGate checks the BeingDebugged flag in the PEB structure during execution to identify if the malware is being debugged.[2]

DarkGate will terminate processes associated with several security software products if identified during execution.[1]

DarkGate can deploy follow-on ransomware payloads.[1]

DarkGate is distributed in phishing emails containing links to distribute malicious VBS or MSI files.[2] DarkGate uses applications such as Microsoft Teams for distributing links to payloads.[2]

DarkGate queries system locale information during execution.[1] Later versions of DarkGate query GetSystemDefaultLCID for locale information to determine if the malware is executing in Russian-speaking countries.[2]

DarkGate uses the Delphi methods Sysutils::DiskSize and GlobalMemoryStatusEx to collect disk size and physical memory as part of the malware's anti-analysis checks for running in a virtualized environment.[1]

DarkGate will search for cryptocurrency wallets by examining application window names for specific strings.[1] DarkGate extracts information collected via NirSoft tools from the hosting process's memory by first identifying the window through the FindWindow API function.[1]

DarkGate has deleted its staging directories.CitationRapid7 BlackBasta 2024

DarkGate masquerades malicious LNK files as PDF objects using the double extension .pdf.lnk.[2]

DarkGate installation includes AutoIt script execution creating a shortcut to itself as an LNK object, such as bill.lnk, in the victim startup folder.[1]CitationRapid7 BlackBasta 2024 DarkGate installation finishes with the creation of a registry Run key.[1]

DarkGate uses existing command and control channels to retrieve captured cryptocurrency wallet credentials.[1]

DarkGate drops an encrypted PE file, pe.bin, and decrypts it during installation.[1] DarkGate also uses custom base64 encoding schemas in later variations to obfuscate payloads.[2]

DarkGate uses NirSoft tools to steal user credentials from the infected machine.[1] NirSoft tools are executed via process hollowing in a newly-created instance of vbc.exe or regasm.exe.

DarkGate has stolen `sitemanager.xml` and `recentservers.xml` from `%APPDATA%\FileZilla\` if present.CitationRapid7 BlackBasta 2024

DarkGate has used WMI to execute files over the network and to obtain information about the domain.CitationRapid7 BlackBasta 2024

DarkGate uses a hard-coded string as a seed, along with the victim machine hardware identifier and input text, to generate a unique string used as an internal mutex value to evade static detection based on mutexes.[2]

DarkGate can delete system restore points through the command cmd.exe /c vssadmin delete shadows /for=c: /all /quiet”.[1]

DarkGate executes a Windows Batch script during installation that creases a randomly-named directory in the C:\\ root directory that copies and renames the legitimate Windows curl command to this new location.[2]

DarkGate has used PowerShell to create a remote shell.CitationRapid7 BlackBasta 2024

DarkGate can deploy follow-on cryptocurrency mining payloads.[1]

DarkGate creates a local user account, SafeMode, via net user commands.[1]

DarkGate will spawn a thread on execution to capture all keyboard events and write them to a predefined log file.[1]CitationRapid7 BlackBasta 2024

DarkGate uses AutoIt scripts dropped to a hidden directory during initial installation phases, such as `test.au3`.[1]

DarkGate command and control includes hard-coded domains in the malware masquerading as legitimate services such as Akamai CDN or Amazon Web Services.[2]

DarkGate retrieves cryptocurrency mining payloads and commands in encrypted traffic from its command and control server.[1] DarkGate uses Windows Batch scripts executing the curl command to retrieve follow-on payloads.[2] DarkGate has stolen `sitemanager.xml` and `recentservers.xml` from `%APPDATA%\FileZilla\` if present.CitationRapid7 BlackBasta 2024

DarkGate performs various checks for running processes, including security software by looking for hard-coded process name values.[1]CitationRapid7 BlackBasta 2024

DarkGate command and control includes hard-coded domains in the malware chosen to masquerade as legitimate services such as Akamai CDN or Amazon Web Services.[2]

DarkGate use Nirsoft Network Password Recovery or NetPass tools to steal stored RDP credentials in some malware versions.[2]

Some versions of DarkGate search for the hard-coded folder C:\Program Files\e Carte Bleue.[1]

DarkGate uses the native Windows API CallWindowProc() to decode and launch encoded shellcode payloads during execution.[2] DarkGate can call kernel mode functions directly to hide the use of process hollowing methods during execution.[1] DarkGate has also used the `CreateToolhelp32Snapshot`, `GetFileAttributesA` and `CreateProcessA` functions to obtain a list of running processes, to check for security products and to execute its malware.CitationRapid7 BlackBasta 2024

DarkGate installation includes binary code stored in a file located in a hidden directory, such as shell.txt, that is decrypted then executed.[1] DarkGate uses hexadecimal-encoded shellcode payloads during installation that are called via Windows API CallWindowProc() to decode and then execute.[2]

DarkGate initial infection payloads can masquerade as pirated media content requiring user interaction for code execution.[1] DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.[2]

DarkGate creates a log file for capturing keylogging, clipboard, and related data using the victim host's current date for the filename.[1] DarkGate queries victim system epoch time during execution.[1] DarkGate captures system time information as part of automated profiling on initial installation.[2]

DarkGate looks for various security products by process name using hard-coded values in the malware.CitationRapid7 BlackBasta 2024 DarkGate will not execute its keylogging thread if a process name associated with Trend Micro anti-virus is identified, or if runtime checks identify the presence of Kaspersky anti-virus. DarkGate will initiate a new thread if certain security products are identified on the victim, and recreate any malicious files associated with it if it determines they were removed by security software in a new system location.[1]

DarkGate can be distributed through emails with malicious attachments from a spoofed email address.[1]

DarkGate can deploy payloads capable of capturing credentials related to cryptocurrency wallets.[1]

DarkGate starts a thread on execution that captures clipboard data and logs it to a predefined log file.[1]CitationRapid7 BlackBasta 2024

DarkGate includes one infection vector that leverages a malicious "KeyScramblerE.DLL" library that will load during the execution of the legitimate KeyScrambler application.[2]

DarkGate relies on parent PID spoofing as part of its "rootkit-like" functionality to evade detection via Task Manager or Process Explorer.[2]

DarkGate overrides the %windir% environment variable by setting a Registry key, HKEY_CURRENT_User\Environment\windir, to an alternate command to execute a malicious AutoIt script. This allows DarkGate to run every time the scheduled task DiskCleanup is executed as this uses the path value %windir%\system32\cleanmgr.exe for execution.[1]

DarkGate attempts to steal Opera cookies, if present, after terminating the related process.CitationRapid7 BlackBasta 2024

DarkGate elevates accounts created through the malware to the local administration group during execution.[1]

DarkGate initial infection mechanisms include masquerading as pirated media that launches malicious VBScript on the victim.[1]

DarkGate initial installation involves dropping several files to a hidden directory named after the victim machine name.[1] Additionally, DarkGate uses attrib to hide a directory in the following command: ` C:\Windows\system32\attrib.exe” +h C:/rjtu/`.Citationgbhackers Darkgate Malware 2024

DarkGate has used the `shutdown`command to shut down and/or restart the victim system.CitationRapid7 BlackBasta 2024

DarkGate will retrieved encrypted commands from its command and control server for follow-on actions such as cryptocurrency mining.[1]

DarkGate queries system resources on an infected machine to identify if it is executing in a sandbox or virtualized environment.[1]

DarkGate has deleted all files in the Mozilla directory using the following command: `/c del /q /f /s C:\Users\User\AppData\Roaming\Mozilla\firefox*`.CitationRapid7 BlackBasta 2024

DarkGate can masquerade as pirated media content for initial delivery to victims.[1]

DarkGate leverages process hollowing techniques to evade detection, such as decrypting the content of an encrypted PE file and injecting it into the process vbc.exe.[1]CitationRapid7 BlackBasta 2024

DarkGate uses a malicious Windows Batch script to run the Windows code utility to retrieve follow-on script payloads.[2] DarkGate has also used `cmd.exe` to create a remote shell.CitationRapid7 BlackBasta 2024