DarkGate switches up its tactics with new payload, email templates

June 6, 2024, 8:07 a.m.

Description

This analysis covers a recent surge of malicious email campaigns by the DarkGate threat actor that use novel tactics to distribute malware. The campaigns rely on a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code embedded in seemingly innocuous Excel attachments. Notably, the actor has moved from AutoIt scripts to AutoHotKey scripting and now executes the final DarkGate payload directly in memory, without writing it to disk. This continuous evolution of the infection chain demonstrates the actor's adaptability and determination to evade detection.

Date

  • Created: June 6, 2024, 7:26 a.m.
  • Published: June 6, 2024, 7:26 a.m.
  • Modified: June 6, 2024, 8:07 a.m.

Indicators


Attack Patterns

  • DarkGate
  • T1568 (Dynamic Resolution)
  • T1484 (Domain or Tenant Policy Modification)
  • T1497 (Virtualization/Sandbox Evasion)
  • T1574 (Hijack Execution Flow)
  • T1547 (Boot or Logon Autostart Execution)
  • T1518 (Software Discovery)
  • T1027 (Obfuscated Files or Information)
  • T1566 (Phishing)
  • T1059 (Command and Scripting Interpreter)

Additional Information

  • Healthcare
  • Telecommunications
  • United States of America