June 4, 2024 at 03:00AM
The DarkGate malware-as-a-service (MaaS) operation has shifted to using an AutoHotkey mechanism for delivering its final stages, underscoring ongoing efforts to evade detection. Developed by RastaFarEye, it includes remote access trojan (RAT) capabilities and various malicious modules. Cybercriminals have also been found abusing Docusign for phishing and business email compromise (BEC) scams.
Key points from the Newsroom Vulnerability/Threat Intelligence item:
1. Cyber attacks involving the DarkGate malware-as-a-service (MaaS) operation have shifted from AutoIt scripts to an AutoHotkey mechanism for delivering the final stages. This demonstrates the continuous efforts by threat actors to stay ahead of detection.
2. Version 6 of DarkGate, released in March 2024, shows updates by its developer RastaFarEye, who sells the program on a subscription basis to around 30 customers. The malware has been active since at least 2018.
3. DarkGate is a fully-featured remote access trojan (RAT) with command-and-control (C2) and rootkit capabilities. It includes modules for credential theft, keylogging, screen capturing, and remote desktop.
4. McAfee Labs documented DarkGate's switch to AutoHotkey in late April 2024 and detailed attack chains in which phishing emails carrying Excel or HTML attachments exploited security flaws to bypass Microsoft Defender SmartScreen protections.
5. The latest version of DarkGate includes substantial upgrades to its configuration, evasion techniques, and supported commands, such as audio recording, mouse control, and keyboard management features. Some features from previous versions, like privilege escalation and cryptomining, have been removed, possibly to avoid detection.
6. Cybercriminals have been abusing Docusign by selling legitimate-looking, customizable phishing templates on underground forums, turning the service into a fertile ground for phishing and business email compromise (BEC) scams.
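Points 1 and 4 describe a loader chain in which a phishing attachment ends up launching a script interpreter (AutoIt before, AutoHotkey now) that pulls in the final DarkGate stages. The following hunt, added here as an illustration and not code from McAfee Labs, DarkGate's authors, or the original article, scores process-creation events for that pattern: a script interpreter spawned by an Office application, browser, mail client or LOLBin script host, and/or given a script that lives in a user-writable directory. The event records are constructed for this example (Sysmon Event ID 1-style fields), and the parent-process list is an assumption to be tuned per environment.

```python
"""Hunt for AutoHotkey/AutoIt interpreters launched from phishing-style parents.

Example code, not part of the original article. Sample events below are
constructed (Sysmon Event ID 1-like fields), not real DarkGate telemetry.
"""
import ntpath
import re

# Script interpreters the DarkGate loaders have been reported to use
# (AutoIt earlier, AutoHotkey now), matched on the executable basename.
INTERPRETER_RE = re.compile(
    r"^(?:autohotkey(?:32|64|u32|u64|a32)?|autoit3(?:_x64)?)\.exe$", re.I
)

# Parents that rarely have a legitimate reason to spawn a script interpreter:
# Office apps, browsers, the mail client and LOLBin script hosts.
# Assumption: tune this list to your own fleet.
SUSPICIOUS_PARENTS = {
    "excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe",
    "msedge.exe", "chrome.exe", "firefox.exe",
}

# User-writable locations where dropped scripts typically land.
USER_WRITABLE_RE = re.compile(
    r"\\(?:temp|appdata|downloads|public|programdata)\\", re.I
)

# Constructed sample events: one Office-spawned AutoHotkey run, one mshta-spawned
# AutoIt run, one benign user hotkey script, one unrelated process, and one
# interpreter run from cmd.exe with a script outside user-writable paths.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\AutoHotkey\v2\AutoHotkey64.exe",
     "cmdline": r'"AutoHotkey64.exe" C:\Users\jdoe\AppData\Local\Temp\script.ahk',
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"pid": 5012, "image": r"C:\Users\jdoe\AppData\Roaming\AutoIt3.exe",
     "cmdline": r'AutoIt3.exe C:\Users\Public\update.au3',
     "parent_image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 5200, "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "cmdline": r'"AutoHotkey.exe" C:\Users\jdoe\Documents\hotkeys.ahk',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 5300, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\jdoe\Desktop\notes.txt",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 6100, "image": r"C:\Program Files\AutoHotkey\AutoHotkeyU64.exe",
     "cmdline": r'AutoHotkeyU64.exe C:\Tools\build.ahk',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]


def basename(path):
    """Lower-cased final path component; ntpath handles Windows paths anywhere."""
    return ntpath.basename(path or "").lower()


def score_event(ev):
    """Return (score, reasons) for one process-creation event. 0 = not interesting."""
    if not INTERPRETER_RE.match(basename(ev.get("image"))):
        return 0, []
    score, reasons = 0, []
    parent = basename(ev.get("parent_image"))
    if parent in SUSPICIOUS_PARENTS:
        score += 2
        reasons.append(f"script interpreter spawned by {parent}")
    if USER_WRITABLE_RE.search(ev.get("cmdline", "")):
        score += 1
        reasons.append("script argument in user-writable directory")
    return score, reasons


def hunt(events):
    """Return [(event, score, reasons)] for every event scoring > 0, highest first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score:
            hits.append((ev, score, reasons))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for ev, score, reasons in hunt(SAMPLE_EVENTS):
        print(f"pid={ev['pid']} score={score}: {'; '.join(reasons)}")
```

Two limitations worth keeping in mind when turning this into a production rule: a script compiled into a standalone executable, or an interpreter copied under another name, will not match `INTERPRETER_RE` (hashing or signer-based identification of the interpreter is more robust), and the parent list will need exclusions on fleets where Office macros or build pipelines legitimately drive AutoHotkey.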