DarkGate switches up its tactics with new payload, email templates
June 6, 2024, 8:07 a.m.
Tags
External References
Description
This analysis covers a recent surge of malicious email campaigns by the DarkGate threat actor, which employ novel tactics to distribute the malware. The campaigns use a technique called 'Remote Template Injection' to bypass security controls and deceive recipients into executing malicious code loaded by seemingly innocuous Excel attachments. Notably, the actor has transitioned from AutoIT scripts to AutoHotKey scripting, executing the final DarkGate payload directly in memory without writing it to disk. This continuous evolution of the infection chain demonstrates the actor's adaptability and determination to evade detection.
Date
Published: June 6, 2024, 7:26 a.m.
Created: June 6, 2024, 7:26 a.m.
Modified: June 6, 2024, 8:07 a.m.
Indicators
http://withupdate.com
http://irreceiver.com
http://goingupdate.com
http://badbutperfect.com
http://backupitfirst.com
http://buassinnndm.net
irreceiver.com
goingupdate.com
badbutperfect.com
buassinnndm.net
withupdate.com
backupitfirst.com
Attack Patterns
DarkGate
DarkGate
T1568
T1484
T1497
T1574
T1547
T1518
T1027
T1566
T1059
Additional Information
Healthcare
Telecommunications
United States of America