DarkGate, a malware family distributed as Malware-as-a-Service (MaaS), has changed its final delivery method from AutoIt scripts to AutoHotkey. The shift underscores the operators' continual efforts to stay ahead of threat detection systems.
Notable updates were seen in DarkGate version 6, released in March 2024 by a developer known as Rastafareye. The program is sold on a subscription basis and is used by around 30 clients.
DarkGate, known since 2018, is a fully functional remote access trojan (RAT) with command-and-control (C2) and rootkit capabilities. It includes modules for stealing account data, keylogging, screen capture, and remote desktop access.
“DarkGate campaigns are rapidly adapting, tweaking various components to evade detection by security systems,” noted a Trellix security researcher in their analysis. “This is the first instance we’ve observed the use of AutoHotkey to launch DarkGate.”
The transition to AutoHotkey was first documented by McAfee Labs in late April 2024. The attacks exploit vulnerabilities such as CVE-2023-36025 and CVE-2024-21412 to bypass Microsoft Defender SmartScreen, using Microsoft Excel or HTML attachments in phishing emails.
Alternate methods involve Excel files with embedded macros that execute Visual Basic Scripts, which in turn trigger a PowerShell command that ultimately launches the AutoHotkey script. That script then loads and decodes the DarkGate payload from a text file.
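The delivery chain just described (Excel macro, script host, PowerShell, AutoHotkey) is visible as a parent-child process sequence in endpoint telemetry. The following is an added detection example, not code from the Trellix or McAfee reports: it walks constructed process-creation events and flags any process whose ancestry contains those four stages in order, allowing unrelated intermediate processes such as cmd.exe. The event format, image paths and command lines are constructed for the example.

```python
"""Flag the Excel -> script host -> PowerShell -> AutoHotkey lineage in
process-creation telemetry. Event format and sample data are constructed
for this example (not taken from any vendor report)."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Stages of the delivery chain, root first. Each stage is a set of
# lower-case image basenames that satisfy it. wscript/cscript are the
# Windows script hosts that run Visual Basic Script files.
CHAIN: List[Set[str]] = [
    {"excel.exe"},
    {"wscript.exe", "cscript.exe"},
    {"powershell.exe", "pwsh.exe"},
    {"autohotkey.exe", "autohotkey64.exe", "autohotkeyu64.exe"},
]


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path as logged by the sensor
    cmdline: str


def _basename(path: str) -> str:
    """Normalise an image path to its lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def index(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    """Build a pid -> event lookup table."""
    return {e.pid: e for e in events}


def lineage(by_pid: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Return the process and its ancestors, child first, stopping at an
    unknown parent or a cycle (pid reuse can otherwise loop forever)."""
    chain: List[ProcEvent] = []
    seen: Set[int] = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def matches_chain(by_pid: Dict[int, ProcEvent], pid: int) -> bool:
    """True when the ancestry of pid contains every CHAIN stage in order.
    Gaps are allowed, so an interposed cmd.exe does not break the match."""
    names = [_basename(e.image) for e in reversed(lineage(by_pid, pid))]
    stage = 0
    for name in names:
        if stage < len(CHAIN) and name in CHAIN[stage]:
            stage += 1
    return stage == len(CHAIN)


def find_chain_hits(events: List[ProcEvent]) -> List[int]:
    """Return pids of processes that complete the delivery chain."""
    by_pid = index(events)
    return [e.pid for e in events if matches_chain(by_pid, e.pid)]


# Constructed sample telemetry: one malicious lineage plus benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              '"EXCEL.EXE" invoice.xlsm'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe", "wscript.exe //B stage1.vbs"),
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c stage2.cmd"),
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File stage2.ps1"),
    ProcEvent(600, 500, r"C:\Users\Public\AutoHotkey.exe",
              r"AutoHotkey.exe C:\Users\Public\loader.ahk"),
    # Benign: a user launches an AutoHotkey script from the desktop.
    ProcEvent(700, 100, r"C:\Program Files\AutoHotkey\AutoHotkey.exe", "AutoHotkey.exe hotkeys.ahk"),
    # Benign: PowerShell opened interactively, no Office or script-host parent.
    ProcEvent(800, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
]

if __name__ == "__main__":
    for pid in find_chain_hits(SAMPLE_EVENTS):
        print("delivery chain detected, pid", pid)
```

Only the AutoHotkey process spawned under the Excel lineage (pid 600) is reported; the stand-alone AutoHotkey and PowerShell processes are not. In a real deployment the same ordered-subsequence check can be expressed as an EDR query over parent-process fields, with the AutoHotkey stage additionally correlated with file reads of an unexpected text file, which is where the text above says the payload is decoded from.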
The latest DarkGate version introduces significant enhancements in configuration, evasion techniques, and command capabilities. It now supports functions such as sound recording and control of the mouse and keyboard.
“Version 6 not only introduced new commands but also eliminated some from previous versions like privilege escalation, cryptomining, and hidden virtual network control (HVNC),” mentioned Trellix, suggesting this may be to reduce detectable features.
Notably, DarkGate is limited to a select number of clients, influencing Rastafareye’s decision to remove certain functions.
Taken together, the recent changes in DarkGate functionality highlight the malware authors’ commitment to innovation and to improving the effectiveness of their attacks. This reinforces the importance of continuous monitoring and swift cybersecurity responses to defend against evolving, sophisticated threats.