DarkGate Malware Upgrades: Shifts from AutoIt to AutoHotkey in Recent Cyber Attacks

June 4, 2024

The DarkGate malware-as-a-service operation has shifted its script mechanism from AutoIt to AutoHotkey in its latest cyber attacks. This change was observed in the sixth version of DarkGate, released in March 2024 by its developer RastaFarEye. DarkGate, a fully-featured remote access trojan (RAT), is equipped with command-and-control (C2) and rootkit capabilities, and includes modules for stealing credentials, keylogging, capturing screens, and providing remote desktop access.

Trellix security researcher Ernesto Fernández Provecho noted, "DarkGate campaigns tend to adapt really fast, modifying different components to try to stay off security solutions." He also highlighted that this is the first time DarkGate has been discovered using AutoHotkey, a less commonly used scripting interpreter, to launch itself.

McAfee Labs first reported DarkGate's switch to AutoHotkey in late April 2024. The malware exploits security vulnerabilities such as CVE-2023-36025 and CVE-2024-21412 to bypass Microsoft Defender SmartScreen protections, typically arriving as a Microsoft Excel or HTML attachment in phishing emails. Some observed chains use Excel files with embedded macros to execute a Visual Basic Script file, which in turn invokes PowerShell commands to launch an AutoHotkey script. That script retrieves the DarkGate payload from a text file and decodes it.
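The execution chain described above (Excel, script host, PowerShell, AutoHotkey) lends itself to a parent-process check over process-creation telemetry. The following is an added example written for this page, not code from the Trellix or McAfee reports; the event layout, paths and process names are constructed assumptions.

```python
"""Flag AutoHotkey processes whose ancestry matches the DarkGate-style
chain: Excel -> wscript/cscript -> PowerShell -> AutoHotkey."""

# Constructed sample process-creation events (pid, ppid, image path).
# The field layout and paths are assumptions, not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\u\AppData\Local\Temp\AutoHotkey.exe"},
    # Benign control: PowerShell launched directly from the desktop shell.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Expected ancestry, innermost process first.
CHAIN = [
    {"autohotkey.exe", "autohotkey32.exe", "autohotkey64.exe"},
    {"powershell.exe", "pwsh.exe"},
    {"wscript.exe", "cscript.exe"},
    {"excel.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_chains(events, max_gap=2):
    """Return pids of AutoHotkey processes whose ancestors match CHAIN.

    Up to max_gap unrelated processes (e.g. cmd.exe) may sit between two
    expected ancestors, so small variations of the chain still match.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in CHAIN[0]:
            continue
        cur, matched = by_pid.get(e["ppid"]), True
        for names in CHAIN[1:]:
            hops = 0
            while cur is not None and basename(cur["image"]) not in names and hops < max_gap:
                cur, hops = by_pid.get(cur["ppid"]), hops + 1
            if cur is None or basename(cur["image"]) not in names:
                matched = False
                break
            cur = by_pid.get(cur["ppid"])  # move past the matched ancestor
        if matched:
            hits.append(e["pid"])
    return hits


if __name__ == "__main__":
    print(find_chains(EVENTS))  # [500]
```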

DarkGate's latest version includes significant enhancements to its configuration, evasion techniques, and the range of supported commands, including new features for audio recording, mouse control, and keyboard management. Fernández Provecho noted that version 6 has also removed some features present in previous versions, such as privilege escalation, cryptomining, and hVNC, possibly to avoid detection. He also suggested that DarkGate's customers may not have been interested in these features, leading RastaFarEye to eliminate them.

The report comes as cybercriminals have been found abusing Docusign by selling authentic-looking, customizable phishing templates on underground forums. This has turned the service into a hotbed for phishers looking to steal credentials for phishing and business email compromise (BEC) scams. Abnormal Security stated, "These fraudulent emails, meticulously designed to mimic legitimate document signing requests, lure unsuspecting recipients into clicking malicious links or divulging sensitive information."
