DarkGate Malware Replaces AutoIt with AutoHotkey in Latest Cyber Attacks (6th June 2024)

Ref# AL2024_08 | Date: Jun 6th 2024

Description 

The DarkGate malware-as-a-service (MaaS) operation has transitioned from using AutoIt scripts to an AutoHotkey mechanism in its latest cyberattacks. This change highlights the persistent efforts of threat actors to stay ahead of detection technologies.  

Details 

The recent shift was observed in version 6 of DarkGate, released in March 2024. DarkGate is a sophisticated remote access trojan (RAT) with capabilities such as command-and-control (C2), rootkit functionalities, credential theft, keylogging, screen capturing, and remote desktop access. According to Trellix security researcher Ernesto Fernández Provecho, DarkGate campaigns adapt rapidly, modifying components to evade security solutions. This is the first known instance of DarkGate using AutoHotkey, a relatively uncommon scripting interpreter, to launch its payload. 

McAfee Labs first documented the switch to AutoHotkey in late April 2024. The attack chains exploit security vulnerabilities such as CVE-2023-36025 and CVE-2024-21412, delivered through Microsoft Excel or HTML attachments in phishing emails, to bypass Microsoft Defender SmartScreen protections. Alternate methods involve Excel files with embedded macros that execute a Visual Basic Script file. This file invokes PowerShell commands to launch an AutoHotkey script, which retrieves and decodes the DarkGate payload from a text file.

Version 6 of DarkGate includes significant updates to its configuration, evasion techniques, and supported commands. New features include audio recording, mouse control, and keyboard management, while some previous features like privilege escalation, cryptomining, and hidden virtual network computing (hVNC) have been removed. This may be an attempt to reduce detection risks or to tailor the malware to the preferences of its customers. 


Indicators of Compromise (IoCs) 

Organizations should monitor for the following indicators of compromise: 

  • Unexpected use of AutoHotkey scripts in their environment. 
  • Exploitation attempts involving CVE-2023-36025 and CVE-2024-21412. 
  • Phishing emails containing Microsoft Excel or HTML attachments with malicious macros. 
  • Network traffic involving connections to known DarkGate C2 servers. 

Remediation

To mitigate the risk posed by DarkGate, organizations can: 

  • Implement robust email filtering to block phishing attempts. 
  • Apply patches for known vulnerabilities CVE-2023-36025 and CVE-2024-21412. 
  • Monitor for unusual use of AutoHotkey scripts and related suspicious activities. 
  • Educate employees on the risks of phishing emails and the importance of not enabling macros in unsolicited documents. 
  • Deploy advanced threat detection solutions to identify and respond to sophisticated malware activities. 
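The IoC list above asks defenders to watch for unexpected AutoHotkey use, and the remediation list repeats the point. The script below is an added example (not from the advisory, Trellix, McAfee Labs or The Hacker News) of how that check can be expressed over process-creation telemetry: it walks each AutoHotkey launch back through its parent processes and flags the lineage the advisory describes (Excel -> VBScript host -> PowerShell -> AutoHotkey). The event records are constructed for illustration; the field names (pid, ppid, image, cmdline) and the set of AutoHotkey interpreter file names are assumptions, and would be mapped onto whatever EDR or Sysmon feed an organisation actually has.

```python
"""
Added example (not from the advisory or its sources): flag AutoHotkey
interpreter launches whose process ancestry matches the chain the
advisory describes (Office document -> script host -> PowerShell ->
AutoHotkey). Event records are constructed; field names and the
interpreter file names are assumptions.
"""
from typing import Dict, List

# Assumption: file names commonly used by AutoHotkey interpreter builds.
AUTOHOTKEY_IMAGES = {"autohotkey.exe", "autohotkey64.exe",
                     "autohotkeyu64.exe", "autohotkeyu32.exe"}
OFFICE_IMAGES = {"excel.exe", "winword.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def _basename(image: str) -> str:
    """Lower-cased file name of an image path, tolerating both slash styles."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ancestry(pid: int, by_pid: Dict[int, dict]) -> List[dict]:
    """Return [process, parent, grandparent, ...], stopping at unknown or cyclic pids."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def find_suspicious_autohotkey(events: List[dict]) -> List[dict]:
    """Return one alert per AutoHotkey launch with a suspicious ancestry.

    Severity is 'high' when an Office application is an ancestor (document-
    delivered chain), otherwise 'medium' when only a shell or script host is.
    A plain AutoHotkey launch from the desktop shell produces no alert.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if _basename(e["image"]) not in AUTOHOTKEY_IMAGES:
            continue
        names = [_basename(p["image"]) for p in _ancestry(e["pid"], by_pid)]
        ancestors = names[1:]
        reasons = []
        if ancestors and ancestors[0] in SHELLS:
            reasons.append(f"launched by {ancestors[0]}")
        if any(n in SCRIPT_HOSTS for n in ancestors):
            reasons.append("script host in ancestry")
        office = any(n in OFFICE_IMAGES for n in ancestors)
        if office:
            reasons.append("Office application in ancestry")
        if reasons:
            alerts.append({
                "pid": e["pid"],
                "severity": "high" if office else "medium",
                "chain": " -> ".join(reversed(names)),
                "reasons": reasons,
                "cmdline": e["cmdline"],
            })
    return alerts


# Constructed sample telemetry: one document-delivered chain (pid 500),
# one benign double-click launch (pid 600) and one cmd.exe launch (pid 700).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" C:\Users\u\Downloads\invoice.xlsm'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\stage.vbs"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c <redacted>"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\u\AppData\Local\Temp\AutoHotkey.exe",
     "cmdline": r"AutoHotkey.exe C:\Users\u\AppData\Local\Temp\script.ahk"},
    {"pid": 600, "ppid": 100, "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "cmdline": r"AutoHotkey.exe C:\Users\u\Documents\hotkeys.ahk"},
    {"pid": 800, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 700, "ppid": 800, "image": r"C:\Tools\AutoHotkey64.exe",
     "cmdline": r"AutoHotkey64.exe C:\Tools\build.ahk"},
]

if __name__ == "__main__":
    for alert in find_suspicious_autohotkey(SAMPLE_EVENTS):
        print(alert["severity"], alert["chain"], alert["reasons"])
```

Run on the constructed events, the script raises a high-severity alert for pid 500 (full Excel -> wscript -> PowerShell -> AutoHotkey lineage), a medium one for pid 700 (AutoHotkey started from cmd.exe), and nothing for pid 600, which is a user-launched script under explorer.exe. In practice the interpreter name set is the weak point, since a renamed or dropped copy of the interpreter will not match by file name; pairing this lineage rule with a file-hash or signer check on the launched image closes that gap.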

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 


References 

Newsroom. (2024, June 4). DarkGate Malware Replaces AutoIt with AutoHotkey in Latest Cyber Attacks. Retrieved from The Hacker News:

https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html?m=1