In July 2023, we observed a malvertising campaign that lured potential victims to a fraudulent site for a Windows IT management tool. Unlike previous similar attacks, the final payload was packaged differently and not immediately recognizable.
The decoy file came as an MSI installer containing an AutoIt script in which the payload was obfuscated to avoid detection. Upon analysis and comparison, we determined that this sample was an updated version of DarkGate, a multi-purpose malware toolkit first identified in 2018.
Since the malware's obfuscation and encryption features have been recently documented by other researchers, we will focus on two of its web delivery methods, namely the use of malicious ads and search engine poisoning.
The campaigns we observed also coincide with an announcement from DarkGate's developer in June, boasting about the malware's new capabilities and its limited number of customer seats.
When it first appeared in 2018, and again in 2020, DarkGate (also known as MehCrypter) was distributed via torrent sites and mostly targeted European victims, Spanish users in particular. The original blog post from enSilo (since acquired by Fortinet) also notes that its author may have been spreading malicious attachments by email.
In June 2023, a threat actor going by the handle RastaFarEye posted an advertisement on the XSS underground forum for a project known as DarkGate. As detailed by the ZeroFox Dark Ops intelligence team, the new version includes several features meant to evade detection, alongside the expected credential-stealing capabilities. The cost ($100K/year) and limited availability (10 customers) make DarkGate a somewhat elusive toolkit.
Photo credit: ZeroFox Dark Ops intelligence team
Two blog posts came out in early August, identifying new DarkGate attacks:
- Aon's Stroz Friedberg Incident Response Services details a recent incident involving a group resembling Scattered Spider (UNC3944) that was using this new version of DarkGate.
- Researcher 0xToxin wrote about phishing emails distributing a loader leading to DarkGate, with a complete technical analysis of the malware.
While investigating malvertising campaigns, we observed the following Google ad on July 13, 2023:
Advanced IP Scanner is a popular tool used by IT administrators. Victims who click on the ad are presented with a decoy site:
The downloaded file (Advanced_IP_Scanner_2.5.4594.1.msi) is an installer that contains the legitimate Advanced IP Scanner binary, but also some extra files that are unpacked into the %temp% folder upon execution:
We recognize the familiar use of AutoIt, which was already present in the very early versions of DarkGate.
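The combination described above (an MSI that installs the real product while also dropping an AutoIt interpreter and script into %temp%) is something a detection engineer can hunt for in process-creation telemetry. The following is an added example, not Malwarebytes' code or part of the original post: it scores Sysmon-style process-creation records for an AutoIt interpreter running out of a temp directory, loading a script from a temp directory, or being spawned by msiexec.exe. The record layout, the sample events and the dropped file names (the post does not list them) are constructed for the example.

```python
"""Hunt for AutoIt interpreters launched from %temp% (added example).

Operates on constructed, Sysmon Event ID 1-style process-creation
records; field names, paths and file names are assumptions.
"""
import re
from dataclasses import dataclass

# Directories a user-mode dropper typically unpacks into (assumption:
# %temp% resolved for a user profile, plus the system temp directory).
TEMP_PATTERNS = (
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I),
    re.compile(r"^[a-z]:\\windows\\temp\\", re.I),
)
AUTOIT_BINARIES = {"autoit3.exe", "autoit3_x64.exe"}
SCRIPT_EXTS = (".au3", ".a3x")   # source and compiled AutoIt scripts


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    command_line: str   # command line as logged
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_temp(path: str) -> bool:
    return any(p.match(path) for p in TEMP_PATTERNS)


def _args(command_line: str) -> list:
    # Keep quoted Windows paths (which contain spaces) as one token.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def score_event(ev: ProcEvent) -> list:
    """Return the list of reasons this event looks like an AutoIt-based loader."""
    reasons = []
    is_autoit = _basename(ev.image) in AUTOIT_BINARIES
    if is_autoit and _in_temp(ev.image):
        reasons.append("AutoIt interpreter executing from a temp directory")
    script_args = [a for a in _args(ev.command_line)[1:]
                   if a.lower().endswith(SCRIPT_EXTS)]
    if is_autoit and any(_in_temp(a) for a in script_args):
        reasons.append("AutoIt script loaded from a temp directory")
    if is_autoit and _basename(ev.parent_image) == "msiexec.exe":
        reasons.append("AutoIt spawned by the Windows Installer service")
    return reasons


def hunt(events) -> list:
    """Return (index, reasons) for every event with at least one finding."""
    return [(i, r) for i, ev in enumerate(events) if (r := score_event(ev))]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # 0: legitimate AutoIt use from its install directory: no findings.
    ProcEvent(
        image=r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
        command_line=r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" "C:\Users\alice\Documents\backup.au3"',
        parent_image=r"C:\Windows\explorer.exe",
    ),
    # 1: the genuine scanner binary installed by the same MSI: no findings.
    ProcEvent(
        image=r"C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe",
        command_line=r'"C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe"',
        parent_image=r"C:\Windows\System32\msiexec.exe",
    ),
    # 2: interpreter and script both unpacked to %temp% and started by
    #    msiexec (file names are assumptions; the post does not list them).
    ProcEvent(
        image=r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe",
        command_line=r'"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe" "C:\Users\alice\AppData\Local\Temp\script.a3x"',
        parent_image=r"C:\Windows\System32\msiexec.exe",
    ),
]

if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(reasons)}")
```

Only the third record fires, on all three criteria, while the legitimate AutoIt run and the genuine scanner binary launched by msiexec.exe produce no findings. A renamed interpreter would evade the image-name check; where the EDR exposes the PE's OriginalFileName, matching on that field closes the gap.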
Note: The same threat actor was also serving malicious ads via Bing as documented by Cyberuptive on August 8, 2023.
SEO poisoning is an old technique used by various threat actors and scammers to game search engines' ranking systems. Although it takes a little more time to roll out than paid ads, it is an effective way to trick users into visiting malicious sites.
The following search result appeared on Google:
The domain advancedscanner[.]link was created on 2023-07-28 and is used to redirect to the decoy page hosted at ipadvancedscanner[.]com. The downloaded file, IPAVSCAN_win_vers_1.1.3.msi, also carries the same encrypted AutoIt payload:
Anti-VM and other checks
We noticed that several of the newly registered domains associated with these campaigns had implemented advanced fingerprinting checks. We recently documented this trend which could soon become the norm due to its ease of use.
Here's another lure, this time for Angry IP Scanner, hosted on ipangry[.]com (registered 2023-07-29):
The payload, angry_win_0.47_installer.msi, and its AutoIt script:
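The lure domains above share two traits a blocklist can key on: they were registered days before they were seen, and their labels are built from fragments of the impersonated product names. The following is an added example, not part of the original post, that refangs the defanged domains listed here, computes their age on the day they were observed, and flags product-name lookalikes. Registration dates are taken from the post where it gives them; the observation date, the age threshold and the (empty) vendor allowlist are assumptions.

```python
"""Triage the lure domains from the post (added example, not the post's code)."""
from datetime import date
from typing import Optional

# Product-name fragments abused by the lures; longer tokens first so the
# greedy scan prefers "advanced" over a shorter prefix.
BRAND_TOKENS = ("advanced", "scanner", "angry", "ip")
NEW_DOMAIN_DAYS = 30   # assumption: anything younger is "newly registered"
ALLOWLIST = set()      # assumption: populate with the vendors' real domains


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def defang(domain: str) -> str:
    return domain.replace(".", "[.]")


def brand_tokens(domain: str) -> list:
    """Greedy left-to-right scan of the first label for product-name fragments."""
    label = refang(domain).lower().split(".")[0]
    found, i = [], 0
    while i < len(label):
        for tok in BRAND_TOKENS:
            if label.startswith(tok, i):
                found.append(tok)
                i += len(tok)
                break
        else:
            i += 1
    return found


def triage(domain: str, seen_on: date, registered_on: Optional[date]) -> dict:
    """Classify one domain as block / review / no-match / allow."""
    d = refang(domain).lower()
    age = (seen_on - registered_on).days if registered_on else None
    tokens = brand_tokens(d)
    if d in ALLOWLIST:
        verdict = "allow"
    elif len(tokens) >= 2 and age is not None and age <= NEW_DOMAIN_DAYS:
        verdict = "block"        # lookalike label on a freshly registered domain
    elif len(tokens) >= 2:
        verdict = "review"       # lookalike, but registration age unknown or old
    else:
        verdict = "no-match"
    return {"domain": d, "defanged": defang(d), "age_days": age,
            "tokens": tokens, "verdict": verdict}


# Domains and registration dates as stated in the post; the observation
# date is an assumption, and ipadvancedscanner[.]com has no stated date.
SEEN_ON = date(2023, 8, 1)
LURE_DOMAINS = [
    ("advancedscanner[.]link", date(2023, 7, 28)),
    ("ipadvancedscanner[.]com", None),
    ("ipangry[.]com", date(2023, 7, 29)),
]


def triage_all() -> list:
    return [triage(d, SEEN_ON, reg) for d, reg in LURE_DOMAINS]


if __name__ == "__main__":
    for row in triage_all():
        print(f"{row['defanged']:<26} age={row['age_days']!s:<5} "
              f"tokens={'+'.join(row['tokens']):<22} {row['verdict']}")
```

With these inputs the two domains with known registration dates come out as "block", while ipadvancedscanner[.]com lands in "review" because the post does not give its creation date; a WHOIS or RDAP lookup would resolve that, and the real vendor domains belong in the allowlist so the token match cannot block them.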
By combining several evasion techniques, the threat actors behind these campaigns are able to distribute DarkGate with a minimal footprint on the system. They are also diversifying their delivery methods by leveraging malspam, malvertising and SEO poisoning.
Malwarebytes' anti-malware engine detects this malware as Backdoor.DarkGate and our web protection blocks its known command and control servers.
Malwarebytes for Business (EDR) customers may also see the following alerts:
Indicators of Compromise
SEO poisoning campaign