The DarkGate Malware-as-a-Service (MaaS) operation is now using AutoHotkey to deliver the last stages of its attacks. Read this Cybersecurity Threat Advisory to learn more about this advanced tactic and how to mitigate your risk.
What is the threat?
DarkGate, a commodity MaaS, released a full-featured remote access trojan (RAT) that is equipped with command-and-control (C2) and rootkit capabilities. It incorporates various modules for credential theft, keylogging, screen capturing, and remote desktop. The specific software vulnerabilities exploited by DarkGate are not publicly disclosed, but its ability to target multiple operating systems, including Windows, macOS, and Linux, makes it a significant concern for organizations and individuals alike.
Why is it noteworthy?
DarkGate utilizes various methods to exploit vulnerabilities and infiltrate systems. This includes leveraging Excel files with embedded macros as conduits to execute a Visual Basic Script file responsible for invoking PowerShell commands to launch an AutoHotkey script. This intricate process ultimately retrieves and decodes the DarkGate payload from a text file. The complexity of these techniques highlights the sophistication and adaptability of DarkGate’s attack vectors.
What is the exposure or risk?
The customization of DarkGate’s features based on customer preferences underscores the tailored nature of its attacks. These may vary in scope and sophistication. The latest version of DarkGate has introduced significant upgrades to its configuration, evasion techniques, and supported commands. These enhancements include features such as audio recording, mouse control, and keyboard management, while also removing some capabilities present in previous versions like privilege escalation, cryptomining, and hVNC (Hidden Virtual Network Computing) features. This strategic adjustment may be aimed at reducing detection risks and catering to the specific needs of DarkGate’s customer base, which is limited to a select group of individuals.
What are the recommendations?
Barracuda MSP recommends the following actions to keep your systems protected against this threat:
- Enforce strict controls on PowerShell command execution to prevent unauthorized access and minimize the risk of exploitation.
- Monitor and block AutoHotkey scripts that could potentially launch DarkGate payloads. This can be achieved through Barracuda XDR’s network monitoring, endpoint detection, and behavioral analysis.
- Educate users on the dangers of phishing and malware attacks to prevent DarkGate infections. Provide regular training and awareness programs to teach users how to identify and report suspicious emails and attachments.
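The Excel macro to VBScript to PowerShell to AutoHotkey chain described above is the kind of process lineage that the monitoring recommendation targets. The following is an added example, not code from the advisory or from Barracuda: it walks parent/child process-creation events (constructed here, shaped like Sysmon Event ID 1 fields) and flags AutoHotkey processes whose ancestry contains PowerShell and an Office application or script host. The image names and the sample events are assumptions for illustration.

```python
# Added example: lineage-based detection of the DarkGate-style
# Office -> script host -> PowerShell -> AutoHotkey execution chain.
from dataclasses import dataclass

# Assumed process names; extend to match your environment.
OFFICE = {"excel.exe", "winword.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
AUTOHOTKEY = {"autohotkey.exe", "autohotkeyu64.exe", "autohotkey64.exe"}

@dataclass
class ProcEvent:
    pid: int      # ProcessId
    ppid: int     # ParentProcessId
    image: str    # full path of the executable
    cmdline: str  # command line (kept for analyst context)

def _name(path: str) -> str:
    """Lower-cased file name of an image path (handles both slash styles)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def lineage(events, pid):
    """Image names from the given process up through its recorded ancestors."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)                     # guard against PID-reuse cycles
        chain.append(_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain

def find_darkgate_chains(events):
    """Return (pid, label) for AutoHotkey processes with a suspicious ancestry."""
    alerts = []
    for e in events:
        if _name(e.image) not in AUTOHOTKEY:
            continue
        ancestors = lineage(events, e.pid)[1:]
        has_ps = any(a in POWERSHELL for a in ancestors)
        has_doc = any(a in OFFICE or a in SCRIPT_HOSTS for a in ancestors)
        if has_ps and has_doc:
            alerts.append((e.pid, "office->script->powershell->autohotkey"))
        elif has_ps:
            alerts.append((e.pid, "powershell->autohotkey"))
    return alerts

# Constructed sample telemetry (not real events): one malicious chain, one benign launch.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "EXCEL.EXE invoice.xlsm"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe", "wscript.exe loader.vbs"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -WindowStyle Hidden"),
    ProcEvent(400, 300, r"C:\Users\alice\AppData\Roaming\AutoHotkey.exe", "AutoHotkey.exe script.ahk"),
    ProcEvent(500, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(600, 500, r"C:\Program Files\AutoHotkey\AutoHotkey.exe", "AutoHotkey.exe hotkeys.ahk"),
]
```

Only the AutoHotkey process descended from Excel, wscript and PowerShell (pid 400) is flagged; the user-launched instance under explorer.exe is not.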
Reference
For more in-depth information about the recommendations, please visit the following link:
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.