Français
Deutsch
Español
Italiano
Português
日本語
한국어
Русский
Best Concrete Sealers to Protect and Enhance Your Surfaces
Aug 14, 2023Dynapac's new F1250CS Plus paver has optional remote control
Aug 13, 2023LeeBoy introduces 8608 heavy commercial paver
Aug 11, 2023Integrative Sciences Building Headlines Campus Construction Projects
Aug 07, 2023Forklift falls onto operator on Logan Airport tarmac
Jun 27, 2023DarkGate Loader Delivered Through Stolen Email Threads
Aug 02, 2023The research revealed high malspam activity of DarkGate malware distributed via phishing emails to the users either through MSI files or VBs script payloads.
Darkgate malware has been active since 2018 and has the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation.
A user RastaFarEye has been advertising DarkGate Loader on the xss[.]is an exploit[.]in cybercrime forums since June 16, 2023, with different pricing models.
“The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates,” Telekom Security said.
Initially, phishing emails distributed the payload with either the MSI variant or the VBScript variant.
The attack commences from clicking on the phishing URL which redirects the user to the phishing site via a Traffic distribution system(TDS).
Subsequently, the MSI file will be downloaded, which executes the AutoIt script to execute a shellcode that acts as a conduit to decrypt and launch DarkGate via a crypter (or loader).
Whereas Visual Basic Script payload uses cURL to retrieve the AutoIt executable and script file to execute the malware.
On successful initialization of darkgate malware, the malware will write a copy of itself to disk and create a registry run key to persist execution between reboots.
It also can terminate the process when it gets detected by the AV and alters its behavior according to the well-known AV product.
The malware can query different data sources to obtain information about the operating system, the logged-on user, the currently running programs, and other things.
The malware uses multiple legitimate freeware tools published by Nirsoft to extract confidential data.
The malware periodically polls the C2 server for new instructions, executes the received commands, and finally sends back the results to the C2 server.
Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.
Save my name, email, and website in this browser for the next time I comment.
Attack ExecutionIOCKeep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.