Cyber attacks using the DarkGate malware-as-a-service (MaaS) operation have shifted from AutoIt scripts to AutoHotkey to deliver the later stages of the infection chain, indicating ongoing efforts by the threat actors to stay ahead of the detection curve.
The changes were observed in version 6 of DarkGate, released in March 2024 by its developer RastaFarEye, who sells the malware on a subscription basis to as many as 30 customers. The malware has been active since at least 2018.
A fully-featured remote access trojan (RAT), DarkGate is armed with command-and-control (C2) and rootkit capabilities, and integrates several modules for credential theft, keylogging, screen capture, and remote desktop.
"DarkGate campaigns tend to adapt really fast, modifying different components to try to stay off security solutions," Trellix security expert Ernesto Fernández Provecho stated in a Monday report. "This is the first time we find DarkGate using AutoHotKey, a not so common scripting interpreter, to launch DarkGate."
It's worth noting that DarkGate's switch to AutoHotKey was first documented by McAfee Labs in late April 2024, with attack chains leveraging security flaws such as CVE-2023-36025 and CVE-2024-21412 to bypass Microsoft Defender SmartScreen protections using a Microsoft Excel or an HTML attachment in phishing emails.
Alternative attack chains have been observed that use Excel files with embedded macros as a conduit to execute a Visual Basic Script file, which invokes PowerShell commands to launch an AutoHotKey script; the script, in turn, retrieves and decodes the DarkGate payload from a text file.
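The macro-to-AutoHotKey chain described above is also a detection opportunity: each stage is a distinct process, so the parent-child lineage Office application -> script host -> PowerShell -> AutoHotkey interpreter is something endpoint telemetry can match on. The following is an added example written for this article, not tooling from Trellix, McAfee, or the DarkGate operators. It assumes a minimal, constructed process-creation event shape (pid, ppid, image path, in the spirit of Sysmon Event ID 1) and assumes the executable names listed for each stage; the AutoHotkey binary names in particular are an assumption about what would appear in telemetry, not something the reports specify.

```python
"""Flag AutoHotkey processes whose ancestry matches an Office -> script host
-> PowerShell -> AutoHotkey lineage. Added example; event records below are
constructed, not real telemetry."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full path of the created process


# Executable names per stage (assumption: adjust to what your telemetry shows).
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOST = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
AUTOHOTKEY = {"autohotkey.exe", "autohotkeyu32.exe", "autohotkeyu64.exe",
              "autohotkey32.exe", "autohotkey64.exe"}

# Full chain from the reported campaign, root-most stage first.
STAGES = [OFFICE, SCRIPT_HOST, POWERSHELL, AUTOHOTKEY]


def basename(path: str) -> str:
    """Lowercase file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def lineage(events, pid):
    """Image names from the given pid up to the root, child first.
    Stops at an unknown parent or on a pid cycle (pid reuse)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def matches_chain(chain, stages=STAGES):
    """True if the stages occur in order as a subsequence of the ancestry.
    Subsequence, not adjacency, so an intervening cmd.exe or conhost.exe
    between stages does not hide the chain."""
    stage = 0
    for image in reversed(chain):  # walk root first
        if stage < len(stages) and image in stages[stage]:
            stage += 1
    return stage == len(stages)


def find_suspicious(events, stages=STAGES):
    """Return (pid, root-first lineage string) for every AutoHotkey process
    whose ancestry matches the stage list."""
    hits = []
    for e in events:
        if basename(e.image) in AUTOHOTKEY:
            chain = lineage(events, e.pid)
            if matches_chain(chain, stages):
                hits.append((e.pid, " -> ".join(reversed(chain))))
    return hits


# Constructed sample events: one full DarkGate-style chain (pid 500), one
# AutoHotkey launched directly by the user from Explorer (pid 600), and one
# Office -> PowerShell -> AutoHotkey chain that skips the VBS stage (pid 700).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(500, 400, r"C:\Users\alice\AppData\Roaming\AutoHotkey.exe"),
    ProcEvent(600, 100, r"C:\Program Files\AutoHotkey\AutoHotkey.exe"),
    ProcEvent(210, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcEvent(410, 210, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(700, 410, r"C:\Users\alice\AppData\Local\Temp\AutoHotkey.exe"),
]


if __name__ == "__main__":
    for pid, path in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {path}")
    # A looser stage list catches variants that drop the VBS stage.
    for pid, path in find_suspicious(SAMPLE_EVENTS, [OFFICE, AUTOHOTKEY]):
        print(f"loose match pid {pid}: {path}")
```

With the full stage list only pid 500 is flagged; the user-launched interpreter under Explorer is not. Passing a shorter stage list such as `[OFFICE, AUTOHOTKEY]` additionally catches the variant that goes straight from Excel to PowerShell, at the cost of more noise in environments where AutoHotkey is legitimately launched from Office automation, so tune the stage list to the baseline of the estate being monitored.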
The current version of DarkGate packs considerable updates to its configuration, evasion techniques, and the list of supported commands, which now includes audio recording, mouse control, and keyboard management functions.
"Version 6 not only includes new commands, but also lacks some of them from previous versions, like the privilege escalation, the cryptomining, or the hVNC (Hidden Virtual Network Computing) ones," Fernández Provecho said, adding it may be an attempt to wipe away elements that may allow detection.
"Moreover, since DarkGate is sold to a small group of people, it is also possible that the customers were not interested in those features, forcing RastaFarEye to remove them."
The news comes as cybercriminals have been caught abusing DocuSign by selling legitimate-looking customizable phishing templates on underground forums, turning the service into fertile ground for phishers seeking to harvest credentials for phishing and business email compromise (BEC) attacks.
"These fraudulent emails, meticulously designed to mimic legitimate document signing requests, lure unsuspecting recipients into clicking malicious links or divulging sensitive information," Abnormal Security claimed.