The DarkGate Menace: Leveraging AutoHotkey & Attempt to Evade SmartScreen

May 1, 2024, 11:09 p.m.

Description

This report details a novel infection chain associated with DarkGate malware, a Remote Access Trojan (RAT) that abuses the legitimate AutoHotkey scripting utility and attempts to bypass Microsoft Defender SmartScreen. The infection begins with either an HTML-based entry point or an XLS file, using techniques such as disguising malicious content as legitimate files. The chain then downloads and executes a series of components, including VBScript, PowerShell scripts, and AutoHotkey scripts, ultimately leading to execution of the DarkGate payload. The report also covers the Windows SmartScreen bypass CVE-2023-36025 and its use to suppress SmartScreen warnings, as well as the persistence mechanisms employed by the malware.

Date

Published: April 30, 2024, 2:13 p.m.

Created: April 30, 2024, 2:13 p.m.

Modified: May 1, 2024, 11:09 p.m.

Indicators

Attack Patterns

DarkGate

T1086: PowerShell (deprecated ID, now covered by T1059.001)

T1053.005: Scheduled Task/Job: Scheduled Task

T1059.005: Command and Scripting Interpreter: Visual Basic

T1497.001: Virtualization/Sandbox Evasion: System Checks

T1059.003: Command and Scripting Interpreter: Windows Command Shell

T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1059.007: Command and Scripting Interpreter: JavaScript

T1552: Unsecured Credentials

T1497: Virtualization/Sandbox Evasion

T1562.001: Impair Defenses: Disable or Modify Tools

T1204.002: User Execution: Malicious File

T1547: Boot or Logon Autostart Execution

T1204: User Execution

T1027: Obfuscated Files or Information

T1053: Scheduled Task/Job

T1562: Impair Defenses

T1059: Command and Scripting Interpreter