Today > | 1 Medium vulnerabilities   -   You can now download lists of IOCs here!

DarkGate switches up its tactics with new payload, email templates

June 6, 2024, 8:07 a.m.

Description

This analysis delves into a recent surge of malicious email campaigns by the DarkGate threat actor, employing novel tactics to distribute malware. These campaigns leverage a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code embedded within seemingly innocuous Excel attachments. Notably, the actor has transitioned from utilizing AutoIT scripts to AutoHotKey scripting, executing the final DarkGate payload directly in memory, without writing it to disk. This continuous evolution in infection chains demonstrates the actor's adaptability and determination to evade detection.

Date

Published: June 6, 2024, 7:26 a.m.

Created: June 6, 2024, 7:26 a.m.

Modified: June 6, 2024, 8:07 a.m.

Indicators

http://withupdate.com

http://irreceiver.com

http://goingupdate.com

http://badbutperfect.com

http://backupitfirst.com

http://buassinnndm.net

irreceiver.com

goingupdate.com

badbutperfect.com

buassinnndm.net

withupdate.com

backupitfirst.com

Attack Patterns

DarkGate

DarkGate

T1568

T1484

T1497

T1574

T1547

T1518

T1027

T1566

T1059

Additional Informations

Healthcare

Telecommunications

United States of America