The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen
May 1, 2024, 11:09 p.m.
Description
This report details a novel infection chain associated with DarkGate malware, a Remote Access Trojan (RAT) that exploits the AutoHotkey utility and attempts to bypass Microsoft Defender SmartScreen. The infection begins with an HTML-based entry point or an XLS file, utilizing techniques such as disguising malicious content as legitimate files. The attack chain involves downloading and executing various components, including VBScript, PowerShell scripts, and AutoHotkey scripts, ultimately leading to the execution of the DarkGate payload. The report also highlights the vulnerability CVE-2023-36025 and its exploitation to evade SmartScreen warnings, as well as persistence mechanisms employed by the malware.
Tags
Date
- Created: April 30, 2024, 2:13 p.m.
- Published: April 30, 2024, 2:13 p.m.
- Modified: May 1, 2024, 11:09 p.m.
Indicators
- dd7a8b55e4b7dc032ea6d6aed6153bec9b5b68b45369e877bb66ba21acc81455
- 897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb
- 6ed1b68de55791a6534ea96e721ff6a5662f2aefff471929d23638f854a80031
- 2e34908f60502ead6ad08af1554c305b88741d09e36b2c24d85fd9bac4a11d2f
- 2b296ffc6d173594bae63d37e2831ba21a59ce385b87503710dc9ca439ed7833
- 4de0e0e7f23adc3dd97d498540bd8283004aa131a59ae319019ade9ddef41795
- 1a960526c132a5293e1e02b49f43df1383bf37a0bbadd7ba7c106375c418dad4
- 196bb36f7d63c845afd40c5c17ce061e320d110f28ebe8c7c998b9e6b3fe1005
- 10e362e18c355b9f8db9a0dbbc75cf04649606ef96743c759f03508b514ad34e
- 038db3b838d0cd437fa530c001c9913a1320d1d7ac0fd3b35d974a806735c907
- 45.89.53.187
- 5.252.177.207
- 170.130.55.130
- 103.124.106.237
- withupdate.com
Attack Patterns
- DarkGate
- DarkGate
- T1086
- T1053.005
- T1059.005
- T1497.001
- T1059.003
- T1547.001
- T1059.007
- T1552
- T1497
- T1562.001
- T1204.002
- T1547
- T1204
- T1027
- T1053
- T1562
- T1059