DarkGate Malware Adopts AutoHotkey in New Cyber Attacks

In recent cyber attacks, the DarkGate malware-as-a-service (MaaS) operation has transitioned from using AutoIt scripts to an AutoHotkey mechanism for its final payload delivery. This change highlights the ongoing efforts of threat actors to evade detection.

Version 6 of DarkGate, released in March 2024 by developer RastaFarEye, showcases this update. RastaFarEye has been offering DarkGate on a subscription basis to about 30 customers since at least 2018. DarkGate is a comprehensive remote access trojan (RAT) equipped with command-and-control (C2) and rootkit capabilities, including modules for credential theft, keylogging, screen capturing, and remote desktop access.

The switch to AutoHotkey was first identified by McAfee Labs in late April 2024. Attack chains have exploited vulnerabilities like CVE-2023-36025 and CVE-2024-21412 to bypass Microsoft Defender SmartScreen protections using Microsoft Excel or HTML attachments in phishing emails.

An alternative chain uses an Excel file with an embedded macro to execute a Visual Basic Script file, which in turn invokes PowerShell commands to launch an AutoHotkey script. That script then retrieves the DarkGate payload from a text file and decodes it in memory before execution.
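The delivery chain above (Office document, script host, PowerShell, AutoHotkey interpreter, script pulled from a user-writable directory) is a process lineage that defenders can hunt for in endpoint telemetry. The following detector is an added example, not code from the article or from any of the vendors it cites: it walks parent/child relationships in Sysmon-style process-creation records (the sample records, field names and file paths are constructed for illustration) and flags an AutoHotkey binary whose ancestry and command line match at least two of the loader's traits.

```python
"""Hunt for a DarkGate-style AutoHotkey loader chain in process-creation telemetry.

Added example, not from the article. Event fields and sample values are
assumptions modelled on Sysmon Event ID 1 (ProcessCreate), not real telemetry.
"""
import os
from dataclasses import dataclass

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Directories an unprivileged user can write to; a loader dropping the AutoHotkey
# interpreter and its script here is far more suspicious than a normal install.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                         "\\downloads\\", "\\programdata\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # full command line as logged


def basename(path: str) -> str:
    """Lower-cased file name regardless of Windows or POSIX separators."""
    return os.path.basename(path.replace("\\", "/")).lower()


def is_autohotkey(image: str) -> bool:
    name = basename(image)
    return name.startswith("autohotkey") and name.endswith(".exe")


def ancestry(event: ProcEvent, by_pid: dict, max_depth: int = 10) -> list:
    """Image basenames from the event up through its parents (nearest first)."""
    chain = [basename(event.image)]
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        chain.append(basename(parent.image))
        cur = parent
    return chain


def references_user_writable_path(cmdline: str) -> bool:
    lowered = cmdline.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def find_ahk_loader_chains(events, min_score: int = 2) -> list:
    """Return findings for AutoHotkey processes matching the loader pattern."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not is_autohotkey(e.image):
            continue
        chain = ancestry(e, by_pid)
        parents = set(chain[1:])
        reasons = []
        if len(chain) > 1 and chain[1] in POWERSHELL:
            reasons.append("spawned directly by PowerShell")
        if parents & SCRIPT_HOSTS:
            reasons.append("script host in ancestry")
        if parents & OFFICE:
            reasons.append("Office application in ancestry")
        if references_user_writable_path(e.cmdline):
            reasons.append("interpreter or script in user-writable path")
        if len(reasons) >= min_score:
            findings.append({"pid": e.pid, "chain": chain, "reasons": reasons})
    return findings


# Constructed sample telemetry: one benign AutoHotkey launch from the desktop,
# one chain matching the macro -> VBS -> PowerShell -> AutoHotkey pattern.
SAMPLE_EVENTS = [
    ProcEvent(50, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 50, r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
              r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" "C:\Users\alice\Documents\hotkeys.ahk"'),
    ProcEvent(100, 50, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r'"EXCEL.EXE" "C:\Users\alice\Downloads\invoice.xlsm"'),
    ProcEvent(101, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\stage1.vbs"'),
    ProcEvent(102, 101, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c <constructed command>"),
    ProcEvent(103, 102, r"C:\Users\alice\AppData\Roaming\AutoHotkey.exe",
              r'"C:\Users\alice\AppData\Roaming\AutoHotkey.exe" "C:\Users\alice\AppData\Roaming\script.ahk"'),
]

if __name__ == "__main__":
    for finding in find_ahk_loader_chains(SAMPLE_EVENTS):
        print(finding["pid"], " <- ".join(finding["chain"]), finding["reasons"])
```

The scoring threshold keeps a lone PowerShell-launched AutoHotkey script (common in admin tooling) from alerting on its own; in practice the same lineage walk can be run as a scheduled query against an EDR or SIEM process table, with the markers and parent sets tuned to what is normal in the environment.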

The latest version of DarkGate includes significant upgrades to its configuration, evasion techniques, and command list. New features include audio recording, mouse control, and keyboard management, while some features from previous versions, such as privilege escalation, cryptomining, and hVNC, have been removed. Security researcher Fernández Provecho suggests this may have been done to reduce detection risk or to reflect customer preferences.

Additionally, cybercriminals are exploiting Docusign by selling realistic phishing templates on underground forums. These templates mimic legitimate document signing requests, tricking recipients into clicking malicious links or revealing sensitive information, according to Abnormal Security.

To protect against DarkGate malware attacks, organizations should ensure their software and operating systems are up to date, apply patches for known vulnerabilities like CVE-2023-36025 and CVE-2024-21412, and enforce strong email security practices. Utilizing advanced threat detection systems and educating employees on recognizing phishing attempts can further enhance security.