Photo of a sunrise over Mount Hood.
Sunrise over the Pacific Northwest Cascades volcanoes (photo by the author)

It’s Always DarkGate Before the Dawn

Brighten Your Day by Detecting this Emerging Malware Threat

Micah Babinski
8 min readOct 16, 2023

--

Introduction

In this article, we’ll look at DarkGate, a commodity malware loader that has popped up frequently on the ‘threat radar’ lately. Some recent reporting on DarkGate suggests that it is poised to fill — at least in part — the void left following the successful takedown of the QakBot botnet infrastructure by the US Department of Justice and its partners.

According to this great writeup by Fabian Marquardt, the DarkGate tool was advertised on a criminal underground forum by user RastaFarEye in June with a subscription service-based pricing model of:

  • 1 Day: $1000
  • 1 Month: $15,000
  • 1 Year: $100,000

Yeesh! Inflation, amirite? Still, the tool offers a slick-looking GUI payload builder, extensive command-and-control capabilities, counter-forensic “kill switches” designed to prevent sandboxing, and a console panel from which the operator can administer infected systems.

Screenshot showing options that DarkGate offers for remotely controlling infected systems.
DarkGate Console showing some of it’s fancy C2 options

Ok, so that’s all very cool and creepy. In the post on the criminal forum, RastaFarEye flexes that they spent more than 20,000 hours developing DarkGate. This is most likely inflated, as that represents more than 4.5 years of working 12 hour days, with zero days off. But hey, let’s take their word for it!

Objectives

This is a relatively new malware loader on the market (the dev’s post was dated June 16, 2023), there are few log-based detection signatures available to the community at last check, and it has coincided with the disruption of another malware family’s infrastructure. So let’s observe some recent DarkGate samples in action in our lab, analyze the logs they generate, and create a few detection concepts that could be adapted and leveraged by organizations wishing to extend their coverage to protect against DarkGate.

In other words:

Meme showing two crows saying “Oh you spent 20,000 hours on that malware loader? Shame if someone…figured out how to detect it.”

Preparation

Lab Setup

As with most of my analysis activities, I used a detectionlab.network setup hosted using VirtualBox. I adore DetectionLab and am so appreciative of the hard work of it’s creator, Chris Long, as well as the other folks who have contributed over the years. However, I am in the market for an alternative, since DetectionLab is no longer officially supported. 😭 I spent a little time investigating Splunk Attack Range, but didn’t find it all that intuitive to configure and use. I probably just need to go back and try again. If anyone knows any other good options, please drop a comment!

Preliminary Review of Available Samples

But I digress. I search for DarkGate in MalwareBazaar and find many, many recent examples:

By browsing the MalwareBazaar repository for DarkGate samples, plus the DarkGate malware IOC repositories from pr0xylife, ExecuteMalware, and Brad Duncan (malware-traffic-analysis.net), I can see that these samples primarily started with a malicious URL which resulted in a zipfile download.

The zipfile, in turn, contains either a malicious .vbs file or .msi installer file, which then downloads and executes a follow-on stage of AutoIt3.exe. AutoIt3.exe is the latest edition of AutoIt, an early macro-style programming language for Windows that first appeared in 1999 (maybe around the time that RastaFarEye started in on their 20,000 hours of coding DarkGate!). All of this is illustrated beautifully in the “Shining some light on the DarkGate loader” article I linked earlier from the Deutsche Telekom CERT.

Potential Chokepoint Identification

Significantly, in every IOC report I found, AutoIt3.exe was in use to download secondary or tertiary stages of the malware infection. As a detection engineer, I am on the lookout for choke points, a concept described by Gary Katz in “Practical Threat Detection Engineering,” a wonderful book he recently published alongside co-authors Megan Roddie and Jason Deyalsingh. Katz encourages us to view threats as a set of detectable indicators, each with a defined set of variability. For DarkGate, some of these indicators might include:

  • The phishing email or teams message via which the malware is initially delivered.
  • The file hash of the PDF file which contained the malicious URL.
  • The malicious URL which downloaded the zipfile.
  • The contents (.vbs or .msi) of the downloaded zipfile.
  • The AutoIt3.exe execution of malicious shellcode.
  • The malicious shellcode file which injects into a process and connects the victim to the DarkGate loader.

Katz writes:

The indicator with the least amount of variability is the choke point for that procedure. It is the thing that the adversary can’t get around doing and yet has a well-defined way for us to identify the artifact or action as being associated with the malicious activity. Our goal therefore is to write a detection around that indicator’s artifact, or artifacts, to accurately detect the malicious activity.

…and illustrates the concept with this chart:

Bar graph showing different indicators where the size of the bar shows the level of variability. The indicator with the least variability is circled and labeled “detection choke point.”
Threat indicators measured by potential variability, with a good choke point candidate identified (Credit: Gary Katz)

In this case, I am looking at you, AutoIt3.exe! I think you may be our choke point!

GIF of Darth Vader from Star Wars doing a “force choke” on imperial officers.
DarkGate customers realizing they just spent $15,000 on something trivial to detect.

Now let’s try some DarkGate samples in the lab and see if we can hone in on this AutoIt3.exe activity (or anything else fruitful to formulate a detection around).

First Execution — VBS

First I try a recent zipfile, which contains a text file and .vbs file, both called Report-81.

Screenshot from my lab showing a malicious DarkGate VBS file in file explorer.

I immediately notice this log event, which just…doesn’t look right:

Screenshot of logs in Splunk showing suspicious command line parameters.

There’s a lot going on in this one command, so I’ll attempt to break it down:

  1. Wscript.exe (default opener of .vbs files) runs cmd.
  2. CMD changes to a temp directory.
  3. CMD runs the curl.exe command to download AutoIt3.exe from a site running HTTP on port 2351.
  4. Curl.exe is once again used to download a .au3 file from the same site (different path).
  5. The downloaded AutoIt3.exe is used to run the .au3 file.

For the samples I tested, most of the malware distribution URLs were offline, yielding a result like this when running the curl command:

Command-line window showing a curl command to download Autoit3.exe from a malicious website. The curl command fails because the connection failed.
Failing to curl download AutoIt3.exe from the no-no site. Whomp whomp.

However, I did get one successful AutoIt3.exe execution from my testing of .vbs files. The log event is shown below with relevant fields highlighted:

Event in Splunk showing Autoit3.exe executed with a parent process of cmd.exe.

Based on these observed behaviors and with a focus on AutoIt3 (as the potential “choke point” indicator with the least amount of variability), I can craft my first two detection concepts, based on using curl.exe to create AutoIt3.exe, and executing AutoIt3.exe from a non-standard directory with a parent command line containing curl.

I also took a little time to compare the DarkGate infection logs to the log artifacts left behind after installing AutoIt3 using the standard method. As shown below, the legitimate AutoIt3 installation process will place AutoIt3 in C:\Program Files (x86)\AutoIt3\:

Splunk log showing a Sysmon file creation event where Autoit3.exe file is created using the normal installation process.
Sysmon file creation event created by standard AutoIt3 installation

Second Test — MSI

With the first major category of DarkGate delivery out of the way, let’s move on to .msi installers. The .msi (Microsoft Installer File) delivery variant begins the same way: packaged inside a zipfile. When double-clicked, an MSI progress bar window appears with a title of KeyScrambler — UNREGISTERED:

Screenshot of MSI installation progress dialog labeled KeyScrambler.

Looking at the logs, I can see that the msiexec.exe process launches KeyScramblerLogon.exe, which in turn launches…wait for it…AutoIt3.exe!

Screenshot of Splunk logs showing KeyScramblerLogon process spawning Autoit3.exe.

What is KeyScramblerLogon.exe, you might ask? According to a cursory internet search, it is a utility released in 2006 and designed to prevent keylogging. In this case, however, it is the process used to create the AutoIt3.exe file in the temp directory, as you can see in my repeated testing below:

Screenshot of Splunk logs showing KeyScramblerLogon processes creating Autoit3.exe executable files.

Going through additional .msi installer samples for DarkGate which date back to July (just days after RastaFarEye advertised the tool on the criminal forum), a pattern emerges: I see only a finite number of parent processes starting AutoIt3.exe, and only a limited number of utilities used to download the binary.

AutoIt3.exe parent processes:

  1. cmd.exe
  2. KeyScramblerLogon.exe
  3. msiexec.exe

AutoIt3.exe file-creating processes:

  1. curl.exe
  2. KeyScramblerLogon.exe
  3. AutoIt3.exe itself
  4. wmprph.exe
  5. ExtExport.exe

Conclusion

Having reviewed DarkGate IOC repositories and tested the infection chain in our lab, we are ready to share our detection concepts. The beauty of the situation is that, for all it’s fancy “bells and whistles,” DarkGate malware is rather easy to detect, with a relatively small range of variability on key indicators. It’s remarkable that over the course of the alleged 20,000 hours they spent working on it, the DarkGate dev failed to consider that relying on a weird and conspicuous piece of software like AutoIt3.exe would present a rather obvious avenue for log-based detections.

As usual, I’ll share these rule concepts in Sigma format, which is a very useful generic log-based detection format which you can use to convert into SIEM-specific queries in any of a large number of query languages. If you are curious about Sigma, check out this recent video where the legendary security researcher/content creator John Hammond interviews Nasreddine Bencherchali about the project:

In conclusion, based on my toying around with DarkGate samples, you can detect it using AutoIt3.exe process creations with unusual parents:

title: DarkGate AutoIt3.exe Execution Parameters
id: f8e9aa1c-14f2-4dbd-aa59-b98968ed650d
status: experimental
description: |
Detects execution of the legitimate AutoIt3 utility from a suspect parent process. AutoIt3.exe is used within
the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate
command-and-control server.
references:
- Internal Research
- https://github.security.telekom.com/2023/08/darkgate-loader.html
- https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
- https://github.com/pr0xylife/DarkGate/tree/main
author: Micah Babinski
date: 2023/10/12
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_proc:
- Image|endswith: '\Autoit3.exe'
- OriginalFileName: 'AutoIt3.exe'
selection_parent:
ParentImage|endswith:
- '\cmd.exe'
- '\KeyScramblerLogon.exe'
- '\msiexec.exe'
filter_normal_autoit3:
Image: 'C:\Program Files (x86)\AutoIt3\AutoIt3.exe'
condition: all of selection_* and not filter_normal_autoit3
falsepositives:
- Unlikely
level: high

…or AutoIt3.exe file creations from suspicious processes:

title: Autoit3.exe Executable File Creation Matching DarkGate Behavior
id: 1a433e1d-03d2-47a6-8063-ece992cf4e73
status: experimental
description: |
Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
references:
- Internal Research
- https://github.security.telekom.com/2023/08/darkgate-loader.html
- https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
- https://github.com/pr0xylife/DarkGate/tree/main
author: Micah Babinski
date: 2023/10/11
tags:
- attack.command_and_control
- attack.execution
- attack.t1105
- attack.t1059
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\curl.exe'
- '\KeyScramblerLogon.exe'
- '\Autoit3.exe'
- '\wmprph.exe'
- '\ExtExport.exe'
TargetFilename|endswith: '\Autoit3.exe'
condition: selection
falsepositives:
- Unknown
level: medium

And with that, I’m off to bed! It was fun examining DarkGate delivery mechanisms, and exploring the concept of “choke points” in our detection use cases. All the best, and as always, happy analyzing!

🧐😴️🛌

--

--

Micah Babinski
Micah Babinski

Written by Micah Babinski

Cybersecurity pro, featuring bagpiping and GIS chops. Lives with wife Quinn and son Malcolm. Loves mountains, Indian food, and mountains of Indian food.

No responses yet