DarkGate Malware Avoids Endpoint AV Detection

What Is It?

Researchers at enSilo have released a blog post describing a new malware campaign, named DarkGate.

DarkGate is capable of stealing crypto wallets, enabling remote control of the infected system, keylogging, and installing ransomware and cryptocurrency miners. The campaign is affecting users mainly in France and Spain. It is spread by malicious torrent files, which can in turn lead to spam being sent that carries malicious attachments. The DarkGate malware uses several techniques designed to evade endpoint AV detection, and these appear to be effective given the low detection scores for DarkGate samples on VirusTotal.

Somewhat unusually, the DarkGate command and control (C2) infrastructure is actively monitored in real time by the attackers. The researchers found that when a newly infected system reports that a cryptocurrency wallet is present, a custom remote access tool is installed so the attackers can investigate the system further. They also report that when a test system was infected with DarkGate, the attackers reacted by infecting that system with custom ransomware.

The DarkGate malware is a large Visual Basic Script (VBS) file which drops four files encoded within it and uses them in a multi-stage process. The first stage runs a dropped AutoIt script using the dropped AutoIt executable. The AutoIt script creates a shortcut in the system’s startup folder so the malware persists across reboots of the infected system, then decrypts binary code which is inserted into memory and executed. In the final stage, this code reads the last dropped file, decrypts it and injects it into memory. How the final stage is injected into memory differs depending on whether Kaspersky AV is installed.

DarkGate is clearly designed to avoid detection and uses several techniques to evade endpoint AV solutions. During the multi-stage unpacking process, code is injected using a technique known as “process hollowing,” which loads a legitimate application and replaces its code in memory. DarkGate reports the presence of various AV tools via its C2 communication channel and takes specific actions if IObit, Trend Micro or Kaspersky products are installed. It also looks for Malwarebytes AdwCleaner or Farbar Recovery Scan Tool and, if either is found, rewrites the malware files every 20 seconds to ensure they are not deleted. The malware also uses a sophisticated method of calling system functions which makes it less likely to appear suspicious to endpoint AV.

AV isn’t the only kind of solution that DarkGate tries to detect. Because analysis systems and sandboxes, both automated and manual, generally have fewer system resources than normal systems, DarkGate concludes that it is running in a VM if the system has less than 101GB of hard disk space and no more than 4GB of RAM. If the system meets those conditions, the malware deletes itself without executing any further.
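Two of the behaviours described above can be turned into something a defender can act on. The following is an added example, not code from the enSilo or BluVector research: it flags files rewritten at a near-constant interval of roughly 20 seconds in a set of constructed file-write events, and it encodes the disk and RAM thresholds the malware uses to decide it is in a VM, so an analysis sandbox can be sized above them. The file paths and names in the sample events are assumptions, not names from the report.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed file-write events (ISO timestamp, path); not real telemetry.
# Two dropped files are rewritten every ~20 s; a log file is written irregularly.
# The directory and file names are assumptions, not names from the report.
SAMPLE_EVENTS = [
    ("2018-11-13T10:00:00", r"C:\Users\u\AppData\Roaming\x\script.au3"),
    ("2018-11-13T10:00:03", r"C:\ProgramData\app\app.log"),
    ("2018-11-13T10:00:20", r"C:\Users\u\AppData\Roaming\x\script.au3"),
    ("2018-11-13T10:00:21", r"C:\Users\u\AppData\Roaming\x\AutoIt3.exe"),
    ("2018-11-13T10:00:40", r"C:\Users\u\AppData\Roaming\x\script.au3"),
    ("2018-11-13T10:00:41", r"C:\Users\u\AppData\Roaming\x\AutoIt3.exe"),
    ("2018-11-13T10:00:59", r"C:\ProgramData\app\app.log"),
    ("2018-11-13T10:01:00", r"C:\Users\u\AppData\Roaming\x\script.au3"),
    ("2018-11-13T10:01:01", r"C:\Users\u\AppData\Roaming\x\AutoIt3.exe"),
    ("2018-11-13T10:01:20", r"C:\Users\u\AppData\Roaming\x\script.au3"),
    ("2018-11-13T10:01:21", r"C:\Users\u\AppData\Roaming\x\AutoIt3.exe"),
    ("2018-11-13T10:03:10", r"C:\ProgramData\app\app.log"),
]


def periodic_rewrites(events, period=20.0, tolerance=2.0, min_writes=4):
    """Return {path: mean_gap_seconds} for every path written at least
    min_writes times where every gap between writes lies within
    period +/- tolerance. DarkGate rewrites its files about every 20 s
    when it finds certain cleanup tools, so the defaults target that."""
    by_path = defaultdict(list)
    for ts, path in events:
        by_path[path].append(datetime.fromisoformat(ts))
    hits = {}
    for path, stamps in by_path.items():
        stamps.sort()
        if len(stamps) < min_writes:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            hits[path] = round(mean(gaps), 1)
    return hits


def below_darkgate_vm_thresholds(disk_gb, ram_gb):
    """True when a host matches the resource profile DarkGate treats as a VM
    (under 101 GB of disk and no more than 4 GB of RAM). The malware then
    deletes itself, so a sandbox should be provisioned above both values."""
    return disk_gb < 101 and ram_gb <= 4


if __name__ == "__main__":
    for path, gap in periodic_rewrites(SAMPLE_EVENTS).items():
        print(f"periodic rewrite every ~{gap}s: {path}")
    print("80 GB / 4 GB sandbox would be skipped:", below_darkgate_vm_thresholds(80, 4))
```

The interval check is deliberately strict (every gap must fit); loosen `tolerance` or switch to a majority test if the telemetry source batches or delays events.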

How Does It Propagate?

The malware does not contain the code needed to self-propagate. It uses two infection vectors: the first is torrent files which claim to be popular television episodes or movies but are actually encoded Visual Basic Scripts (.vbe files). The second vector is a spam email claiming to be a failed delivery notification. The email contains a malicious attachment, which is sent by another encoded Visual Basic Script file claiming to be a torrent.

When/How Did BluVector Detect It?

The enSilo report lists 12 publicly available samples, and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown that the samples would have been detected, on average, 5 months prior to their release. These samples contain various techniques designed to evade endpoint AV detection; however, these techniques have no effect on BluVector’s detection efficacy at the network level.
