DarkGate Malware Upgrades: Shifts from AutoIt to AutoHotkey in Recent Cyber Attacks
June 4, 2024
The DarkGate malware-as-a-service operation has shifted its script mechanism from AutoIt to AutoHotkey in its latest cyber attacks. This change was observed in the sixth version of DarkGate, released in March 2024 by its developer RastaFarEye. DarkGate, a fully-featured remote access trojan (RAT), is equipped with command-and-control (C2) and rootkit capabilities, and includes modules for stealing credentials, keylogging, capturing screens, and providing remote desktop access.
Trellix security researcher Ernesto Fernández Provecho noted, "DarkGate campaigns tend to adapt really fast, modifying different components to try to stay off security solutions." He also highlighted that this is the first time DarkGate has been discovered using AutoHotkey, a less commonly used scripting interpreter, to launch itself.
McAfee Labs first reported DarkGate's switch to AutoHotkey in late April 2024. The malware abuses SmartScreen bypass flaws such as CVE-2023-36025 and CVE-2024-21412 to get past Microsoft Defender SmartScreen, typically arriving as a Microsoft Excel or HTML attachment in a phishing email. Other observed chains use Excel files with embedded macros that execute a Visual Basic Script file, which in turn invokes PowerShell commands to launch an AutoHotkey script; that script retrieves and decodes the DarkGate payload from a text file. Because every stage spawns a new process, the sequence Excel, VBScript host, PowerShell, AutoHotkey interpreter shows up as a parent-child chain in process-creation telemetry, which is where defenders have the clearest opportunity to catch it.
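As an added example that is not code from the article, Trellix, McAfee or DarkGate itself, the following Python walks process-creation telemetry and flags any AutoHotkey interpreter whose ancestry contains PowerShell, a VBScript host and Excel in that order. Field names are modelled on Sysmon Event ID 1 (Image, ParentProcessId, OriginalFileName, CommandLine); the AutoHotkey binary names are those of the standard interpreter builds and the sample events, paths and pids are constructed for the demonstration.

```python
"""Flag the Excel -> VBScript -> PowerShell -> AutoHotkey loader chain in
process-creation telemetry.

Added example for this article; not code from DarkGate, Trellix or McAfee.
Field names are modelled on Sysmon Event ID 1 (Image, ParentProcessId,
OriginalFileName, CommandLine) and the events below are constructed."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process (Sysmon Image)
    original_name: str  # PE OriginalFileName: survives renaming the file on disk
    cmdline: str


# One set of acceptable binary names per stage, root (Excel) first. The
# AutoHotkey names cover the standard v1/v2 interpreter builds (assumption:
# extend for other names seen in your environment).
STAGES = (
    {"excel.exe"},
    {"wscript.exe", "cscript.exe"},
    {"powershell.exe", "pwsh.exe"},
    {"autohotkey.exe", "autohotkey32.exe", "autohotkey64.exe",
     "autohotkeyu32.exe", "autohotkeyu64.exe"},
)


def names_of(ev):
    """Both the on-disk basename and the PE original name, lower-cased."""
    return {ntpath.basename(ev.image).lower(), ev.original_name.lower()}


def ancestry(ev, by_pid, max_depth=16):
    """Return [ev, parent, grandparent, ...] by following ppid pointers."""
    chain, seen = [ev], {ev.pid}
    while len(chain) < max_depth:
        parent = by_pid.get(chain[-1].ppid)
        if parent is None or parent.pid in seen:  # root reached or pid-reuse loop
            break
        seen.add(parent.pid)
        chain.append(parent)
    return chain


def is_loader_chain(ev, by_pid):
    """True when ev is an AutoHotkey interpreter whose ancestors contain
    PowerShell, then a VBScript host, then Excel, in that order. Intermediate
    hops (cmd.exe, conhost.exe) are allowed, so this is an ordered-subsequence
    match rather than strict adjacency."""
    wanted = list(reversed(STAGES))  # leaf (AutoHotkey) first
    chain = ancestry(ev, by_pid)
    if not names_of(chain[0]) & wanted[0]:
        return False
    i = 1
    for proc in chain[1:]:
        if i < len(wanted) and names_of(proc) & wanted[i]:
            i += 1
    return i == len(wanted)


def find_loader_chains(events):
    """Return the pids of every process that terminates a matching chain."""
    by_pid = {e.pid: e for e in events}
    return [e.pid for e in events if is_loader_chain(e, by_pid)]


# Constructed sample telemetry (not a real capture). pids 1000-1400 form the
# malicious chain, with cmd.exe interposed and the AutoHotkey binary renamed;
# 2000-2200 skip the VBScript stage; 3000-3100 is a user's own AutoHotkey script.
SAMPLE_EVENTS = [
    ProcEvent(1000, 400, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              "Excel.exe", r'"EXCEL.EXE" C:\Users\u\Downloads\invoice.xlsm'),
    ProcEvent(1100, 1000, r"C:\Windows\System32\wscript.exe", "wscript.exe",
              r"wscript.exe C:\Users\u\AppData\Local\Temp\invoice.vbs"),
    ProcEvent(1200, 1100, r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
              r"cmd.exe /c powershell -w hidden -ep bypass -f C:\Users\u\AppData\Local\Temp\run.ps1"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "PowerShell.EXE", r"powershell -w hidden -ep bypass -f C:\Users\u\AppData\Local\Temp\run.ps1"),
    ProcEvent(1400, 1300, r"C:\Users\u\AppData\Roaming\svc.exe", "AutoHotkey.exe",
              r"C:\Users\u\AppData\Roaming\svc.exe C:\Users\u\AppData\Roaming\script.ahk"),
    ProcEvent(2000, 400, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              "Excel.exe", r'"EXCEL.EXE" C:\Users\u\Documents\report.xlsx'),
    ProcEvent(2100, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "PowerShell.EXE", r"powershell -File C:\tools\export.ps1"),
    ProcEvent(2200, 2100, r"C:\Program Files\AutoHotkey\AutoHotkey.exe", "AutoHotkey.exe",
              r"AutoHotkey.exe C:\tools\export.ahk"),
    ProcEvent(3000, 400, r"C:\Windows\explorer.exe", "EXPLORER.EXE", "explorer.exe"),
    ProcEvent(3100, 3000, r"C:\Program Files\AutoHotkey\v2\AutoHotkey64.exe",
              "AutoHotkey64.exe", r"AutoHotkey64.exe C:\Users\u\hotkeys.ahk"),
]

if __name__ == "__main__":
    print("loader chain terminates in pids:", find_loader_chains(SAMPLE_EVENTS))
```

Two design points matter in practice. Matching on OriginalFileName as well as the on-disk name is what catches pid 1400, where the interpreter has been dropped under AppData as svc.exe; matching by basename alone would miss it. The rule is also deliberately scoped to the Excel-rooted chain the article describes: the HTML-attachment variant it also mentions would start from a browser rather than Excel, so treat this as one rule in a set rather than a complete DarkGate detection, and tune the allowed intermediate hops (here cmd.exe) to what your environment actually produces.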
DarkGate's latest version includes significant changes to its configuration, evasion techniques and supported command set, including new capabilities for audio recording, mouse control and keyboard management. Fernández Provecho noted that version 6 has dropped some features present in earlier versions, such as privilege escalation, cryptomining and hVNC (hidden VNC), possibly to reduce its detection footprint. He also suggested that DarkGate's customers may simply not have been interested in these features, leading RastaFarEye to remove them.
The report comes as cyber criminals have been found abusing Docusign's brand by selling authentic-looking, customizable phishing templates on underground forums, turning the service into a favoured lure for credential theft and business email compromise (BEC) scams. Abnormal Security stated, "These fraudulent emails, meticulously designed to mimic legitimate document signing requests, lure unsuspecting recipients into clicking malicious links or divulging sensitive information."
Related News
- Microsoft Addresses Two Exploited Zero-Days in April 2024 Patch Tuesday
- Microsoft's Record-Breaking Patch Tuesday: 147 New CVEs, No Zero-Days, but an Active Exploit
- Mispadu Banking Trojan Spreads Across Europe, Compromising Thousands of Credentials
- DarkGate Malware Campaign Exploits Recently Patched Microsoft Vulnerability in Zero-Day Attack
- CISA Adds Two Microsoft Windows Bugs to Its Known Exploited Vulnerabilities Catalog