DarkGate switches up its tactics with new payload, email templates

June 6, 2024, 8:07 a.m.

Description

This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code embedded within seemingly innocuous Excel attachments. Notably, the actor has transitioned from utilizing AutoIT scripts to AutoHotKey scripting, executing the final DarkGate payload directly in memory, without writing it to disk. This continuous evolution in infection chains demonstrates the actor's adaptability and determination to evade detection.

Date

Published: June 6, 2024, 7:26 a.m.

Created: June 6, 2024, 7:26 a.m.

Modified: June 6, 2024, 8:07 a.m.

Indicators

http://withupdate.com

http://irreceiver.com

http://goingupdate.com

http://badbutperfect.com

http://backupitfirst.com

http://buassinnndm.net

Attack Patterns

DarkGate

T1568

T1484

T1497

T1574

T1547

T1518

T1027

T1566

T1059

Additional Information

Healthcare

Telecommunications

United States of America