One of the primary propagation methods for Darkgate is phishing emails. By hijacking email accounts, distributing malicious attachment and it propagate itself to a wider network of potential victims. Darkgate uses some of the most common attachment filetypes such as XLSX, HTML and PDF. It is often designed to be stealthy and persistent, making it challenging to detect and remove. It may result in the loss of personal data, financial loss through fraud or extortion, and compromise of sensitive information.

This post provides a detailed examination of a recent Darkgate campaign identified by Forcepoint's X-Labs research team. The campaign commences with the initiation of attacks via a compromised email, featuring an invoice purportedly from 'Intuit Quickbooks' in PDF format. It prompts users to install Java to view the invoice, providing a link. Upon clicking the link, users are redirected to a geofenced URL where they inadvertently download the subsequent stage payload.

Through a comprehensive analysis of a suspicious PDF file named "may-document_[number].pdf", it reveals an invoice document containing an XObject large image with an embedded hyperlink. Upon user interaction with the hyperlink, it triggers the download of a malicious .jar (Java Archive) file.

The URLs associated with this malicious activity follow a historical pattern, featuring domains and single paths reminiscent of those previously utilized by QakBot threat actors.

When inspecting the subsequently downloaded JAR file using JD-GUI, it revealed a .PNG file and a

<random-name>.class file. Within this class file, there exists a Java function aiming to download a .ZIP file to the directory 'C:\Downloads\' through an obfuscated 'curl.exe' command. Upon successful download of the ZIP file, it triggers PowerShell to extract its contents using the 'expand-archive' command.

The JAR's class file additionally features another function designed to download and store files with the

.MSI extension. Upon extraction of the downloaded ZIP file, it reveals 'autoit3.exe' and a compiled AutoIt script with the '.a3x' extension. Subsequently, the JAR file executes an obfuscated 'cmd /c' command to run this compiled AutoIt script. It's noteworthy that DarkGate has a history of leveraging AutoIt in its previous campaigns. The script appears to have been compiled with AutoIt version 3.26 or later, as indicated by the header 'AU3!EA06'.

The decompiled script reveals obfuscated AutoIt functions such as BITXOR and BinaryToString(), which are employed to obscure the script's functionality. It attempts to store a large stream of data in a local variable through concatenation operations. Additionally, DLLSTRUCTCREATE() and DLLSTRUCTSETDATA() functions are utilized to create a structure and load bytes into memory, likely for manipulation or interaction with system resources.

Initial Stage URLs:

• afarm[.]net/uvz2q
• affixio[.]com/emh0c
• affiliatebash[.]com/myu0f
• afcmanager[.]net/jxk6m
• adventsales[.]co[.]uk/iuw8a
• amikamobile[.]com/ayu4d
• adztrk[.]com/ixi7r
• aerospaceavenue[.]com/cnz8g
• amishwoods[.]com/jwa4v

Second stage URL:

• smbeckwithlaw[.]com/1[.]zip

C2:

• ​kindupdates[.]com

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.