Cybersecurity Experts Uncover DarkGate Malware Campaign Targeting Samba File Shares
In a recent investigation, cybersecurity analysts documented a brief but impactful campaign associated with DarkGate malware that abused public-facing Samba file shares as an infection vector. Researchers from Palo Alto Networks’ Unit 42 reported that the campaign ran over a two-month period in March and April 2024 and primarily affected entities across North America, Europe, and parts of Asia.
The campaign used public-facing Samba file shares to host malicious files written in Visual Basic Script (VBS) and JavaScript. When a targeted user opened a malicious Microsoft Excel (.xlsx) file, they were prompted to click an embedded "Open" button, which ran VBS code hosted on the external share. That first stage retrieved additional scripts that PowerShell executed to download an AutoHotKey-based DarkGate package.
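The delivery chain above (Office application, then a script host loading a script from an SMB/UNC path, then PowerShell) is visible in endpoint process-creation telemetry. The following is an added example, not code from Unit 42 or from the article: it walks constructed Sysmon-style process events (the field names, PIDs, paths and the 203.0.113.10 share address are all assumptions made for this example) and flags a PowerShell process whose ancestry contains both an Office parent and a script host launched with a UNC script path.

```python
"""Heuristic detection for an Office -> script host (UNC path) -> PowerShell chain.
Added example on constructed telemetry; not the page's or Unit 42's code."""
import re

# Constructed process-creation events, loosely modelled on Sysmon Event ID 1 fields.
# All PIDs, paths and the share address (TEST-NET-3) are made up for this example.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" C:\Users\alice\Downloads\invoice.xlsx'},
    {"pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"wscript.exe" \\203.0.113.10\share\update.vbs'},
    {"pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\stage.ps1'},
    # Benign noise: a logon script run by explorer from a local path.
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 201, "ppid": 200,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"wscript.exe" C:\Scripts\logon.vbs'},
]

OFFICE = re.compile(r"\\(excel|winword|powerpnt)\.exe$", re.I)
SCRIPT_HOST = re.compile(r"\\(wscript|cscript|mshta)\.exe$", re.I)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
# A UNC path (\\host\share\...) ending in a script extension.
UNC_SCRIPT = re.compile(r"\\\\[^\s\\]+\\[^\s]+\.(vbs|js|jse|vbe|wsf)\b", re.I)


def ancestors(event, by_pid):
    """Return [event, parent, grandparent, ...], stopping on cycles or missing parents."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def detect_chain(events):
    """Flag PowerShell processes whose lineage has an Office ancestor and a
    script host ancestor that was started with a UNC script path."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not POWERSHELL.search(e["image"]):
            continue
        lineage = ancestors(e, by_pid)
        script = next((a for a in lineage[1:]
                       if SCRIPT_HOST.search(a["image"]) and UNC_SCRIPT.search(a["cmdline"])), None)
        office = next((a for a in lineage[1:] if OFFICE.search(a["image"])), None)
        if script is not None and office is not None:
            alerts.append({
                "pid": e["pid"],
                "share_script": UNC_SCRIPT.search(script["cmdline"]).group(0),
                "lineage": [a["pid"] for a in reversed(lineage)],  # root first
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(f"suspicious chain {alert['lineage']} loaded {alert['share_script']}")
```

The rule requires both the Office ancestor and the UNC-hosted script, so the local logon script in the sample is not flagged; in a real deployment the lookup would run against the endpoint's full process tree rather than a flat list, and the UNC match alone is worth recording as a lower-severity signal.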
DarkGate, which emerged in 2018, has since evolved into a sophisticated malware-as-a-service (MaaS) platform used by a limited number of affiliates. The malware provides remote control of infected systems as well as code execution, cryptocurrency mining, and the deployment of follow-on payloads. The recent proliferation of attacks employing DarkGate is noteworthy, particularly following the significant law enforcement actions against the QakBot infrastructure in August 2023.
The attack methodology included various anti-analysis protections: DarkGate scans for well-known anti-malware products and checks whether it is running on physical hardware or in a virtual machine. It can also identify reverse-engineering tools and debuggers, complicating efforts by security professionals to study the malware. Although DarkGate’s command-and-control (C2) communications use unencrypted HTTP requests, the transmitted data is obscured, typically as Base64-encoded text, a tactic that can hinder detection.
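Because the C2 traffic described above is plaintext HTTP with Base64-obscured bodies, a proxy or network sensor can at least triage it. The following is an added example, not the article's or Unit 42's code: it runs over constructed proxy records (the record fields, hosts and client addresses are assumptions for this example) and flags plaintext HTTP POSTs whose body is a well-formed Base64 blob that decodes to high-entropy or mostly non-printable data, while leaving Base64-encoded readable JSON and ordinary form posts alone.

```python
"""Triage heuristic for Base64-obscured C2 over plaintext HTTP.
Added example on constructed proxy records; not the page's or Unit 42's code."""
import base64
import binascii
import hashlib
import math
import re
from urllib.parse import urlsplit

# 256 deterministic pseudo-random bytes standing in for an obfuscated beacon body.
_OPAQUE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))

# Constructed proxy log records; field names, hosts and clients are assumptions.
SAMPLE_RECORDS = [
    {"client": "10.0.0.5", "method": "POST", "url": "http://203.0.113.20/index.php",
     "content_type": "application/x-www-form-urlencoded",
     "body": "data=" + base64.b64encode(_OPAQUE).decode()},
    {"client": "10.0.0.6", "method": "POST", "url": "http://intranet.example/api/login",
     "content_type": "application/x-www-form-urlencoded",
     "body": "user=alice&action=login"},
    {"client": "10.0.0.7", "method": "POST", "url": "http://monitor.example/ping",
     "content_type": "text/plain",
     "body": base64.b64encode(
         b'{"event":"heartbeat","ok":true,"host":"ws-07","uptime_seconds":86400}').decode()},
    {"client": "10.0.0.8", "method": "POST", "url": "https://cdn.example/upload",
     "content_type": "application/octet-stream",
     "body": "<encrypted, not visible to the proxy>"},
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")  # ignore short blobs
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for uniformly random data."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_if_base64(blob: str):
    """Return decoded bytes if blob is strict, padded Base64; otherwise None."""
    blob = blob.strip()
    if not B64_RE.match(blob) or len(blob) % 4:
        return None
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def candidate_blobs(record):
    """Form bodies are split into their values; anything else is taken whole."""
    body = record["body"]
    if record["content_type"].startswith("application/x-www-form-urlencoded"):
        return [pair.partition("=")[2] for pair in body.split("&")]
    return [body]


def triage(records, entropy_threshold=6.0, printable_threshold=0.7):
    """Flag plaintext HTTP POSTs carrying Base64 that decodes to opaque data."""
    findings = []
    for r in records:
        url = urlsplit(r["url"])
        if url.scheme != "http" or r["method"] != "POST":
            continue  # HTTPS bodies are not visible here; only POST bodies are inspected
        for blob in candidate_blobs(r):
            raw = decode_if_base64(blob)
            if raw is None:
                continue
            ent = shannon_entropy(raw)
            printable = sum(b in PRINTABLE for b in raw) / len(raw)
            if ent >= entropy_threshold or printable < printable_threshold:
                findings.append({"client": r["client"], "host": url.hostname,
                                 "path": url.path, "decoded_len": len(raw),
                                 "entropy": round(ent, 2),
                                 "printable_ratio": round(printable, 2)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['client']} -> {f['host']}{f['path']}: {f['decoded_len']} opaque bytes, "
              f"entropy {f['entropy']}")
```

This is a triage filter rather than a signature: many legitimate applications post Base64, so hits should be correlated with the destination's reputation, the absence of a matching legitimate client, and the endpoint process chain before being treated as C2.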
As reported by Unit 42, the DarkGate campaign also aligned with broader trends in cybercrime, in which various threat actors, including a spam distribution group tracked as TA571, used the malware to target more than a thousand organizations globally. This expansive operation encompassed 14,000 separate campaigns involving many different malware variants. The overarching objective was to breach organizational networks and extract sensitive data while providing credential access to other malicious actors for further exploitation.
In assessing the tactics and techniques associated with this campaign, the MITRE ATT&CK framework offers useful context. Techniques related to initial access, such as the use of externally hosted files and spear phishing, featured prominently in this incident. The malware’s attempts to maintain persistence and escalate privileges on infected hosts also align with recognized adversary methodologies.
The disclosure of these findings underscores the persistent threat posed by sophisticated malware like DarkGate and the need for organizations to strengthen their cybersecurity defenses. Given the evolving nature of these threats, organizations must remain vigilant and proactive in implementing strong security measures to mitigate risk and prevent data breaches.