DarkGate Operators (RastaFarEye)
According to public reporting, DarkGate is a Malware-as-a-Service (MaaS) offering sold by a forum user known as RastaFarEye.
The DarkGate loader bundles several capabilities, including exploitation of vulnerabilities, cryptocurrency mining and remote access, and it continues to evolve over time. DarkGate has been adopted by multiple financially motivated groups, including actors associated with ransomware operations.
DarkGate Operators (RastaFarEye) Threat Reports
Detailed Analysis of DarkGate
This post on Medium by S2W presents a technical analysis of DarkGate malware and the operator behind it. According to the report, DarkGate is a ...
CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign
This report by Trend Micro's Zero Day Initiative describes a campaign attributed to DarkGate operators; note that DarkGate itself is a loader rather than a ransomware family. According to the post, DarkGate ...
References
blog.eclecticiq.com
https://blog.eclecticiq.com/darkgate-opening-gates-for-financially-motivated-threat-actors
www.trendmicro.com
https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
medium.com
https://medium.com/s2wblog/detailed-analysis-of-darkgate-investigating-new-top-trend-backdoor-malware-0545ecf5f606
socradar.io
https://socradar.io/darkgate-malware-exploring-threats-and-countermeasures/
www.trendmicro.com
https://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1071.001 | Web Protocols | Command and Control |
T1219 | Remote Access Software | Command and Control |
T1057 | Process Discovery | Discovery |
T1529 | System Shutdown/Reboot | Impact |
T1005 | Data from Local System | Collection |
T1070.004 | File Deletion | Defense Evasion |
T1566.001 | Spearphishing Attachment | Initial Access |
T1555.003 | Credentials from Web Browsers | Credential Access |
T1560.001 | Archive via Utility | Collection |
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1555 | Credentials from Password Stores | Credential Access |
T1083 | File and Directory Discovery | Discovery |
T1204.002 | Malicious File | Execution |
T1217 | Browser Information Discovery | Discovery |
T1134.004 | Parent PID Spoofing | Defense Evasion, Privilege Escalation |
T1528 | Steal Application Access Token | Credential Access |
T1082 | System Information Discovery | Discovery |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1132.002 | Non-Standard Encoding | Command and Control |
T1539 | Steal Web Session Cookie | Credential Access |
T1055.012 | Process Hollowing | Defense Evasion, Privilege Escalation |
T1056.001 | Keylogging | Collection, Credential Access |
T1105 | Ingress Tool Transfer | Command and Control |
T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
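A table like the one above is most useful once it is machine-readable: a detection engineer will typically turn it into an ATT&CK Navigator layer to overlay on existing rule coverage and to see which tactics the intrusion set leans on. The script below is an added example written for this page; it is not code from the page or from any of the referenced reports. It parses rows in the same "ID | Title | Tactic, Tactic |" layout the table uses (a constructed subset is embedded as sample input), emits a Navigator layer, counts techniques per tactic, and lists technique IDs with no matching detection. The Navigator and layer version strings, the gradient colours, and the rule that a parent-level detection (e.g. T1547) covers its sub-techniques are assumptions made for the example.

```python
"""Convert a flattened ATT&CK technique table (ID | Title | Tactics) into an
ATT&CK Navigator layer, summarise tactics, and list detection-coverage gaps.
Added example; not code from the page or from any referenced report."""
import json
import re

# Constructed sample: a subset of the page's table, in the same
# "ID | Title | Tactic, Tactic |" layout the page uses.
SAMPLE_TABLE = """\
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1071.001 | Web Protocols | Command and Control |
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
"""

TECH_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # T1234 or T1234.001


def parse_table(text):
    """Return [(technique_id, title, [tactics]), ...] for each data row.
    Header and separator rows are skipped because they fail the ID check."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or not TECH_ID.match(cells[0]):
            continue
        tactics = [t.strip() for t in cells[2].split(",") if t.strip()]
        rows.append((cells[0], cells[1], tactics))
    return rows


def tactic_slug(name):
    """'Command and Control' -> 'command-and-control', the key Navigator uses."""
    return re.sub(r"\s+", "-", name.strip().lower())


def build_layer(rows, name="DarkGate (page table)", attack_version="14", score=1):
    """Build a Navigator layer dict. One entry per (technique, tactic) pair so a
    technique listed under two tactics is highlighted in both columns.
    The Navigator/layer version strings are assumptions; adjust to your instance."""
    techniques = []
    for tid, title, tactics in rows:
        for tactic in tactics:
            techniques.append({
                "techniqueID": tid,
                "tactic": tactic_slug(tactic),
                "score": score,
                "color": "",
                "comment": title,
                "enabled": True,
            })
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Techniques reported for this intrusion set",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": score},
    }


def tactic_counts(rows):
    """How many listed techniques fall under each tactic (a technique with two
    tactics counts once for each)."""
    counts = {}
    for _, _, tactics in rows:
        for t in tactics:
            counts[t] = counts.get(t, 0) + 1
    return counts


def coverage_gaps(rows, covered_ids):
    """Technique IDs from the table with no detection in `covered_ids`.
    Policy choice (assumption): a detection registered at parent level
    (e.g. T1547) is treated as covering its sub-techniques (T1547.001)."""
    covered = set(covered_ids)
    gaps = []
    for tid, _, _ in rows:
        parent = tid.split(".")[0]
        if tid not in covered and parent not in covered:
            gaps.append(tid)
    return sorted(gaps)


if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE)
    print(json.dumps(build_layer(rows), indent=2))
    print(tactic_counts(rows))
    # Constructed coverage list: rules exist for run-key persistence only.
    print("gaps:", coverage_gaps(rows, {"T1547"}))
```

Paste the full table from this page in place of the constructed sample to get the complete layer; the JSON printed by the script can be loaded into Navigator via "Open Existing Layer". Whether a parent-level rule should count as covering a sub-technique is a judgement call for your own rule set, which is why `coverage_gaps` keeps that decision in one place.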