In the ever-evolving cyber threat landscape, law enforcement agencies have seen progress in uncovering DarkGate, malware developers, threat actors and forum managers.
At the same time, they have increasingly taken control of command-and-control servers, disrupting malware distribution networks. In this dynamic environment, the emergence of new players and the adaptation of existing players is no coincidence. A recent example of this evolution is the emergence of morphing malware, which shows threat actors changing names and modifying malware families. Following the dismantling of the Qbot infrastructure, the spread of DarkGate has increased significantly, highlighting the ongoing evolution of cyber threats.
DarkGate, PikaBot and Qakbot
Cofense has found similarities between DarkGate and PikaBot phishing campaigns that rely on Qakbot techniques. This indicates possible unknown connections or adaptations of existing techniques and highlights the complexity of modern cyber threats. DarkGate, also known as MehCrypter, acts as both a loader malware and a RAT and therefore can perform various malicious actions. These include the theft of sensitive data and the use of cryptocurrency miners. The malware is primarily distributed through phishing, often via topics related to browser updates, as well as through malvertising and SEO poisoning. A special feature is the use of Autolt, a scripting language for automating Windows GUI and common scripting tasks. This feature allows users to create scripts that automate tasks such as key presses and mouse movements, which is particularly useful for software installation and system administration.
The malware is also distributed via fake browser update themes. Phishing URLs and traffic distribution systems are used to download the malicious payload. The spread of the malware was also observed via Microsoft Teams, where attackers posed as a company CEO and sent Teams invites as part of their deception tactics. Using endpoint protection systems to detect and block malware is critical, as the DarkGate example shows.
More at Logpoint.com
About Logpoint Logpoint is the manufacturer of a reliable, innovative platform for cybersecurity operations. With the combination of advanced technology and a deep understanding of customers' challenges, Logpoint strengthens the capabilities of security teams and helps them combat current and future threats. Logpoint offers SIEM, UEBA, SOAR and SAP security technologies that converge into a complete platform that efficiently detects threats, minimizes false positives, autonomously prioritizes risks, responds to incidents and more.