DarkGate: Dancing the Samba With Alluring Excel Files

July 11, 2024, 12:08 p.m.

Description

This analysis delves into a DarkGate malware campaign from March-April 2024 that exploits Microsoft Excel files to retrieve malicious payloads hosted on public-facing SMB file shares. It sheds light on the evolving tactics of this threat, which creatively abuses legitimate tools and services for distribution. The campaign initially targeted North America before spreading to Europe and parts of Asia. The report provides insights into DarkGate's background, infection chain, anti-analysis techniques, command and control infrastructure, and the indicators of compromise associated with this campaign.

Date

Published: July 11, 2024, 11:56 a.m.
Created: July 11, 2024, 11:56 a.m.
Modified: July 11, 2024, 12:08 p.m.

Indicators

b4156c2cd85285a2cb12dd208fcecb5d88820816b6371501e53cb47b4fe376fd

b28473a7e5281f63fd25b3cb75f4e3346112af6ae5de44e978d6cf2aac1538c1

a01672db8b14a2018f760258cf3ba80cda6a19febbff8db29555f46592aedea6

9b2be97c2950391d9c16497d4362e0feb5e88bfe4994f6d31b4fda7769b1c780

9a2a855b4ce30678d06a97f7e9f4edbd607f286d2a6ea1dde0a1c55a4512bb29

96e22fa78d6f5124722fe20850c63e9d1c1f38c658146715b4fb071112c7db13

585e52757fe9d54a97ec67f4b2d82d81a547ec1bd402d609749ba10a24c9af53

51f1d5d41e5f5f17084d390e026551bc4e9a001aeb04995aff1c3a8dbf2d2ff3

44a54797ca1ee9c896ce95d78b24d6b710c2d4bcb6f0bcdc80cd79ab95f1f096

4b45b01bedd0140ced78e879d1c9081cecc4dd124dcf10ffcd3e015454501503

378b000edf3bfe114e1b7ba8045371080a256825f25faaea364cf57fa6d898d7

2384abde79fae57568039ae33014184626a54409e38dee3cfb97c58c7f159e32

08d606e87da9ec45d257fcfc1b5ea169b582d79376626672813b964574709cba

51ab25a9a403547ec6ac5c095d904d6bc91856557049b5739457367d17e831a7

f9d8b85fac10f088ebbccb7fe49274a263ca120486bceab6e6009ea072cb99c0

ba8f84fdc1678e133ad265e357e99dba7031872371d444e84d6a47a022914de9

02acf78048776cd52064a0adf3f7a061afb7418b3da21b793960de8a258faf29

897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

2e34908f60502ead6ad08af1554c305b88741d09e36b2c24d85fd9bac4a11d2f

78.142.18.222

5.180.24.155

167.99.115.33

http://nextroundst.com/aa

http://nextroundst.com/nlcsphze

http://nextroundst.com/ffcxlohx

http://diveupdown.com/hlsxaifp

http://diveupdown.com/aaa

http://diveupdown.com/yhmrmmgc

http://diveupdown.com/aa

http://adfhjadfbjadbfjkhad44jka.com/zanmjtvh

http://adfhjadfbjadbfjkhad44jka.com/xxhhodrq

http://adfhjadfbjadbfjkhad44jka.com/aa

Attack Patterns

DarkGate - S1111

DarkGate

T1207

T1490

T1064

T1497

T1114

T1489

T1574

T1518

T1105

T1083

T1055

T1036

T1033

T1027

T1112

T1566

T1003

T1059

CVE-2024-3400