Today > | 5 Medium | 2 Low vulnerabilities   -   You can now download lists of IOCs here!

The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen

May 1, 2024, 11:09 p.m.

Description

This report details a novel infection chain associated with DarkGate malware, a Remote Access Trojan (RAT) that exploits the AutoHotkey utility and attempts to bypass Microsoft Defender SmartScreen. The infection begins with an HTML-based entry point or an XLS file, utilizing techniques such as disguising malicious content as legitimate files. The attack chain involves downloading and executing various components, including VBScript, PowerShell scripts, and AutoHotkey scripts, ultimately leading to the execution of the DarkGate payload. The report also highlights the vulnerability CVE-2023-36025 and its exploitation to evade SmartScreen warnings, as well as persistence mechanisms employed by the malware.

Date

Published: April 30, 2024, 2:13 p.m.

Created: April 30, 2024, 2:13 p.m.

Modified: May 1, 2024, 11:09 p.m.

Indicators

dd7a8b55e4b7dc032ea6d6aed6153bec9b5b68b45369e877bb66ba21acc81455

897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb

6ed1b68de55791a6534ea96e721ff6a5662f2aefff471929d23638f854a80031

2e34908f60502ead6ad08af1554c305b88741d09e36b2c24d85fd9bac4a11d2f

2b296ffc6d173594bae63d37e2831ba21a59ce385b87503710dc9ca439ed7833

4de0e0e7f23adc3dd97d498540bd8283004aa131a59ae319019ade9ddef41795

1a960526c132a5293e1e02b49f43df1383bf37a0bbadd7ba7c106375c418dad4

196bb36f7d63c845afd40c5c17ce061e320d110f28ebe8c7c998b9e6b3fe1005

10e362e18c355b9f8db9a0dbbc75cf04649606ef96743c759f03508b514ad34e

038db3b838d0cd437fa530c001c9913a1320d1d7ac0fd3b35d974a806735c907

45.89.53.187

5.252.177.207

170.130.55.130

103.124.106.237

withupdate.com

Attack Patterns

DarkGate

DarkGate

T1086

T1053.005

T1059.005

T1497.001

T1059.003

T1547.001

T1059.007

T1552

T1497

T1562.001

T1204.002

T1547

T1204

T1027

T1053

T1562

T1059