Cyber Threat Report: 'Detailed Analysis of DarkGate'
Report Author | S2W |
---|---|
Publication Date | 2024-01-16 |
Original Reporting | Source |
Related Intrusion Sets | DarkGate Operators (RastaFarEye) |
Identified CVEs | CVE-2021-1733 |
This post on Medium by S2W presents a technical analysis of the DarkGate malware and the operator behind it. According to the report, DarkGate is a backdoor that has been developed since 2017 and sold as Malware-as-a-Service; it gained popularity in 2021 and has received continuous feature updates and detection-bypass improvements since. Its capabilities include remote code execution, data exfiltration, cryptocurrency mining, privilege escalation, and persistence management. The report states that DarkGate is mainly distributed as VBScript or MSI files, and that execution relies on techniques such as DLL side-loading and AutoIt scripts.
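As an added example (not code from the S2W report, and not DarkGate indicators published by S2W), the following hunt applies the execution chain summarised above, a VBScript or MSI lure that ends up launching an AutoIt script, to constructed Sysmon-style process-creation records. The field names, the parent/child and path heuristics, and every sample event are assumptions made for this illustration.

```python
"""
Added example: hunt constructed process-creation events for an AutoIt
interpreter launched by a script host or installer, or run from a
user-writable path. Heuristics and sample data are assumptions, not
indicators from the S2W report.
"""
import shlex
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Delivery vectors named in the report summary: VBScript hosts and the MSI installer.
LURE_PARENTS = {"wscript.exe", "cscript.exe", "msiexec.exe"}
# Interpreter binaries that run AutoIt scripts (source .au3 or compiled .a3x).
AUTOIT_BINARIES = {"autoit3.exe", "autoit3_x64.exe"}
AUTOIT_SCRIPT_EXT = {".au3", ".a3x"}
# Prefixes a standard user can write to; a legitimate install rarely runs from here.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class ProcessEvent:
    """Minimal Sysmon Event ID 1 style record (field names are assumed)."""
    pid: int
    image: str
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    return PureWindowsPath(path.strip('"')).name.lower()


def in_user_writable(path: str) -> bool:
    return path.strip('"').lower().startswith(USER_WRITABLE)


def autoit_script_args(command_line: str) -> list[str]:
    """Return command-line tokens whose extension marks an AutoIt script."""
    tokens = shlex.split(command_line, posix=False)  # keeps quoted Windows paths intact
    return [t.strip('"') for t in tokens
            if PureWindowsPath(t.strip('"')).suffix.lower() in AUTOIT_SCRIPT_EXT]


def classify(ev: ProcessEvent) -> list[str]:
    """Return the heuristics the event triggers; an empty list means no finding."""
    hits: list[str] = []
    if basename(ev.image) not in AUTOIT_BINARIES:
        return hits
    if basename(ev.parent_image) in LURE_PARENTS:
        hits.append("autoit_spawned_by_script_host_or_installer")
    if in_user_writable(ev.image):
        hits.append("autoit_interpreter_in_user_writable_path")
    if any(in_user_writable(a) for a in autoit_script_args(ev.command_line)):
        hits.append("autoit_script_in_user_writable_path")
    return hits


def hunt(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map PID -> triggered heuristics for every event that produced a finding."""
    findings = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            findings[ev.pid] = hits
    return findings


# Constructed sample events: one VBScript lure chain, one MSI lure chain,
# and a legitimate AutoIt developer running an example script.
SAMPLE_EVENTS = [
    ProcessEvent(4100, r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(4120, r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe",
                 r'"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe" "C:\Users\alice\AppData\Local\Temp\script.au3"',
                 r"C:\Windows\System32\wscript.exe"),
    ProcessEvent(5000, r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
                 r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" "C:\Program Files (x86)\AutoIt3\Examples\hello.au3"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(5200, r"C:\ProgramData\update\AutoIt3_x64.exe",
                 r'"C:\ProgramData\update\AutoIt3_x64.exe" "C:\ProgramData\update\test.a3x"',
                 r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for pid, hits in hunt(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

The three heuristics are deliberately independent so that an analyst can see which part of the chain fired: a developer running AutoIt from Program Files under Explorer produces no finding, while the interpreter dropped to Temp or ProgramData and parented by wscript.exe or msiexec.exe triggers all three. In production the same logic would be expressed as a Sigma rule or SIEM query over real Sysmon Event ID 1 data rather than these constructed records.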
Mitigations to defend against the techniques in this report
Mitigation | Description |
---|---|
Exploit Protection | Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. |
Update Software | Perform regular software updates to mitigate exploitation risk. |
Threat Intelligence Program | A threat intelligence program helps an organization generate its own threat intelligence and track trends to inform defensive priorities and mitigate risk. |
Application Isolation and Sandboxing | Restrict execution of code to a virtual environment on or in transit to an endpoint system. |
Execution Prevention | Block execution of code on a system through application control and/or script blocking. |
Network Intrusion Prevention | Use intrusion detection signatures to block traffic at network boundaries. |
Filter Network Traffic | Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. |
Data Loss Prevention | Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personally identifiable information (PII), and restrict exfiltration of sensitive data. |
Restrict Web-Based Content | Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. |
Software Configuration | Implement configuration changes to software (other than the operating system) to mitigate security risks associated with how the software operates. |
Antivirus/Antimalware | Use signatures or heuristics to detect malicious software. |
User Training | Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
Password Policies | Set and enforce secure password policies for accounts. |
Audit | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
Privileged Account Management | Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root. |
Behavior Prevention on Endpoint | Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. |
User Account Management | Manage the creation, modification, use, and permissions associated with user accounts. |
Multi-factor Authentication | Use two or more pieces of evidence to authenticate to a system, such as a username and password in addition to a token from a physical smart card or token generator. |
Identified MITRE ATT&CK Techniques
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1071.001 | Web Protocols | Command and Control |
T1219 | Remote Access Software | Command and Control |
T1057 | Process Discovery | Discovery |
T1529 | System Shutdown/Reboot | Impact |
T1005 | Data from Local System | Collection |
T1070.004 | File Deletion | Defense Evasion |
T1566.001 | Spearphishing Attachment | Initial Access |
T1555.003 | Credentials from Web Browsers | Credential Access |
T1560.001 | Archive via Utility | Collection |
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1555 | Credentials from Password Stores | Credential Access |
T1083 | File and Directory Discovery | Discovery |
T1204.002 | Malicious File | Execution |
T1217 | Browser Information Discovery | Discovery |
T1134.004 | Parent PID Spoofing | Defense Evasion, Privilege Escalation |
T1528 | Steal Application Access Token | Credential Access |
T1082 | System Information Discovery | Discovery |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1132.002 | Non-Standard Encoding | Command and Control |
T1539 | Steal Web Session Cookie | Credential Access |
T1055.012 | Process Hollowing | Defense Evasion, Privilege Escalation |
T1056.001 | Keylogging | Collection, Credential Access |