Full Report
Authored by Yashvi Shah, Lakshya Mathur and Preksha Saxena McAfee Labs has recently uncovered a novel infection chain associated with... The post The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen appeared first on McAfee Blog.
Analysis Summary
# Tool/Technique: DarkGate Malware
## Overview
DarkGate is a sophisticated Remote Access Trojan (RAT) developed using Borland Delphi, marketed as a Malware-as-a-Service (MaaS) offering on Russian-language cybercrime forums. Recent infection chains observed utilize an HTML entry point and leverage the legitimate AutoHotkey utility for execution, while employing specific file bypasses to evade security measures.
## Technical Details
- Type: Malware family (Remote Access Trojan - RAT)
- Platform: Windows (Implied by SmartScreen/AutoHotkey usage)
- Capabilities: Process injection, file download and execution, data theft, shell command execution, keylogging.
- First Seen: At least since 2018 (marketed as MaaS).
## MITRE ATT&CK Mapping
*Note: Mapping is based on reported malware functionalities.*
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell
- **TA0005 - Defense Evasion**
- T1218 - Signed Binary Proxy Execution
- T1218.011 - Mshta
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
## Functionality
### Core Capabilities
- Remote Access Trojan (RAT) functionality.
- Execution of system commands via shell access.
- Exfiltration of sensitive data.
- Logging of user keystrokes (keylogging).
- Dynamic download and execution of additional files.
### Advanced Features
- Evasion of Microsoft Defender SmartScreen using known Windows vulnerabilities (CVE-2023-36025, CVE-2024-21412 exploited via .url files).
- Utilization of AutoHotkey in later stages of infection.
- Complex multi-stage infection chains starting from HTML or XLS files.
- Exploitation of Internet Shortcut (.url) file handling flaws to bypass security prompts.
- Use of encoded strings (reverse Base64) within initial HTML vectors to hide payloads or execution logic.
## Indicators of Compromise
*Note: Specific hashes, IPs, or associated file names were not provided in the summary text, only the methodology.*
- File Hashes: [Not provided]
- File Names: "Report-26-2024.[url, vbs, zip]" (Example observed in initial stages)
- Registry Keys: [Not provided]
- Network Indicators: The initial vector observed used a WebDAV share: `http://170.130.55.130/share/a/` (Defanged: `170[.]130[.]55[.]130`)
- Behavioral Indicators: Execution chain involving a malicious HTML file leading to the use of a `search-ms` protocol to execute a `.url` file from a remote WebDAV share, followed by VBScript execution.
## Associated Threat Actors
- Threat actors utilizing the Malware-as-a-Service (MaaS) model on Russian-language cybercrime forums. (Specific named groups are not detailed in the provided context).
## Detection Methods
- Signature-based detection: Signatures for Borland Delphi compiled binaries associated with DarkGate.
- Behavioral detection: Monitoring for unusual system interactions following the execution of `.url` files or scripts that attempt to leverage AutoHotkey or perform process injection. Monitoring use of the `search-ms` protocol for remote resource execution.
- YARA rules: [Not provided]
## Mitigation Strategies
- Prevention measures: Regularly patching Windows operating systems to eliminate vulnerabilities like CVE-2023-36025 and CVE-2024-21412, which specifically target Internet Shortcut file handling.
- Hardening recommendations: Restrict execution of scripting languages where feasible. Increase scrutiny of user interactions with files downloaded from external sources, especially those masquerading as documents opening in "Cloud View." Implement strong email filtering to block malicious HTML attachments/links.
## Related Tools/Techniques
- **CVE-2023-36025:** Vulnerability in Microsoft Windows Defender SmartScreen related to internet shortcut files.
- **CVE-2024-21412:** Internet Shortcut Files Security Feature Bypass Vulnerability.
- **Internet Shortcut File Abuse:** Technique leveraging `.url` files to execute remote or local payloads without exhibiting standard SmartScreen warnings.
- **AutoHotkey:** Legitimate utility exploited during the infection chain.