DarkGate: Dancing the Samba With Alluring Excel Files

July 11, 2024, 12:08 p.m.

Description

This analysis delves into a DarkGate malware campaign from March-April 2024 that uses Microsoft Excel files to retrieve malicious payloads hosted on public-facing SMB file shares. It sheds light on the evolving tactics of this threat, which creatively abuses legitimate tools and services for distribution. The campaign targeted various regions, initially concentrated in North America before spreading to Europe and parts of Asia. The report provides insights into DarkGate's background, infection chain, anti-analysis techniques, command and control infrastructure, and the indicators of compromise associated with this campaign.

Date

  • Created: July 11, 2024, 11:56 a.m.
  • Published: July 11, 2024, 11:56 a.m.
  • Modified: July 11, 2024, 12:08 p.m.

Indicators


Attack Patterns

Linked vulnerabilities