
DarkGate malware replaces AutoIt with AutoHotkey in recent cyberattacks

04 June 2024 | Press release | Vulnerability/Threat Information

Cyber attacks involving the DarkGate Malware-as-a-Service (MaaS) operation have switched from AutoIt scripts to an AutoHotkey mechanism for the final stages, highlighting the ongoing efforts of threat actors to stay ahead of the detection curve.

The updates were observed in version 6 of DarkGate, released in March 2024 by its developer RastaFarEye, which sold the program on a subscription basis to up to 30 customers. The malware has been active since at least 2018.

DarkGate is a fully functional remote access Trojan (RAT) with command-and-control (C2) and rootkit capabilities and includes various modules for credential theft, keylogging, screen recording and remote desktop.


“DarkGate campaigns tend to adapt very quickly and modify various components to evade security solutions,” Trellix security researcher Ernesto Fernández Provecho said in an analysis on Monday. “This is the first time DarkGate has used AutoHotKey, a not so common script interpreter, to launch DarkGate.”

It is worth noting that DarkGate’s move to AutoHotKey was first documented by McAfee Labs in late April 2024, with attack chains exploiting vulnerabilities such as CVE-2023-36025 and CVE-2024-21412 to bypass Microsoft Defender’s SmartScreen protection using Microsoft Excel or an HTML attachment in phishing emails.

Alternative attack chains leverage Excel files with embedded macros to execute a Visual Basic script file, which invokes PowerShell commands that ultimately launch an AutoHotKey script; that script in turn retrieves and decodes the DarkGate payload from a text file.
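The chain above (Office document, then a VBScript host, then PowerShell, then the AutoHotkey interpreter) is visible in process-creation telemetry, which is where a defender would look for it. The following Python routine is an added, defender-side illustration written for this article; it is not tooling from Trellix, McAfee or any other party named here. The event format (pid, ppid, image, command line) is a constructed, simplified stand-in for Sysmon Event ID 1 or Windows 4688 records, the sample events and file paths are constructed, and the `CHAIN` stage names are the ones the paragraph implies, with intermediate helper processes such as cmd.exe tolerated between stages.

```python
"""Flag AutoHotkey processes whose ancestry walks Excel -> VBScript host ->
PowerShell -> AutoHotkey, in that order, with unrelated processes allowed in
between. Constructed example for this article, not vendor tooling."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # bare executable name, lower-cased by ev()
    cmdline: str


def ev(pid: int, ppid: int, image_path: str, cmdline: str) -> ProcEvent:
    """Normalise a full image path to a lower-cased file name on ingest."""
    name = image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return ProcEvent(pid, ppid, name, cmdline)


# Ordered stages from the article; each stage is a set of acceptable image names.
# (Assumed interpreter names; adjust to what your environment actually logs.)
CHAIN: List[set] = [
    {"excel.exe"},                                   # macro-enabled workbook
    {"wscript.exe", "cscript.exe"},                  # Visual Basic script file
    {"powershell.exe", "pwsh.exe"},                  # PowerShell commands
    {"autohotkey.exe", "autohotkeyu64.exe", "autohotkeyu32.exe"},  # AHK script
]


def build_index(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestry(index: Dict[int, ProcEvent], pid: int, max_depth: int = 16) -> List[ProcEvent]:
    """Return [process, parent, grandparent, ...] starting at pid.
    Stops at an unknown parent, a cycle, or max_depth."""
    lineage: List[ProcEvent] = []
    seen = set()
    cur = index.get(pid)
    while cur is not None and cur.pid not in seen and len(lineage) < max_depth:
        lineage.append(cur)
        seen.add(cur.pid)
        cur = index.get(cur.ppid)
    return lineage


def matches_chain(index: Dict[int, ProcEvent], pid: int) -> bool:
    """True if pid is an AutoHotkey process and, walking upward through its
    ancestors, PowerShell, a VBScript host and Excel appear in that order."""
    lineage = ancestry(index, pid)
    if not lineage or lineage[0].image not in CHAIN[-1]:
        return False
    stage = len(CHAIN) - 2          # next stage to find while walking upward
    for proc in lineage[1:]:
        if stage < 0:
            break
        if proc.image in CHAIN[stage]:
            stage -= 1              # stage satisfied; look for the one above it
    return stage < 0


def find_suspicious(events: List[ProcEvent]) -> List[int]:
    """Return pids of AutoHotkey processes whose ancestry matches CHAIN."""
    index = build_index(events)
    return [e.pid for e in events
            if e.image in CHAIN[-1] and matches_chain(index, e.pid)]


# Constructed sample telemetry: one full chain (pid 600) plus benign look-alikes.
SAMPLE_EVENTS = [
    ev(4, 0, "System", ""),
    ev(100, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ev(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
       r'"EXCEL.EXE" C:\Users\user\Downloads\invoice.xlsm'),
    ev(300, 200, r"C:\Windows\System32\wscript.exe",
       r"wscript.exe C:\Users\user\AppData\Local\Temp\EXAMPLE.vbs"),
    ev(400, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c EXAMPLE"),      # helper
    ev(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       "powershell.exe EXAMPLE"),
    ev(600, 500, r"C:\Users\user\AppData\Local\Temp\AutoHotkey.exe",
       r"AutoHotkey.exe C:\Users\user\AppData\Local\Temp\EXAMPLE.ahk"),
    # benign: user launched their own hotkey script from Explorer
    ev(700, 100, r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
       r"AutoHotkey.exe C:\Users\user\hotkeys.ahk"),
    # benign: interactive PowerShell with no Office ancestor
    ev(800, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       "powershell.exe"),
]

if __name__ == "__main__":
    print("suspicious AutoHotkey pids:", find_suspicious(SAMPLE_EVENTS))  # [600]
```

The order check matters: an AutoHotkey process merely descended from PowerShell is common on administrator workstations, whereas the full Office-to-script-host-to-PowerShell-to-interpreter lineage is what the reported campaign produces. Tune `CHAIN` to the interpreter and Office binary names your logging actually records.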

The latest version of DarkGate includes significant improvements to configuration, evasion techniques, and the list of supported commands, which now includes audio recording, mouse control, and keyboard management capabilities.

“Version 6 not only includes new commands, but also lacks some from previous versions, such as privilege escalation, cryptomining or hVNC (Hidden Virtual Network Computing) commands,” said Fernández Provecho, adding that it may be an attempt to remove features that could enable detection.


“Additionally, since DarkGate is sold to a small group of people, it is also possible that customers were not interested in these features, forcing RastaFarEye to remove them.”

The disclosure came after cybercriminals were found to be abusing Docusign by selling legitimate-looking, customizable phishing templates on underground forums, making the service fertile ground for phishers seeking to steal credentials for use in phishing and business email compromise (BEC) scams.

“Carefully designed to mimic legitimate requests to sign documents, these fraudulent emails trick unsuspecting recipients into clicking on malicious links or disclosing sensitive information,” Abnormal Security said.
