Cyber Threat Intelligence Briefing - March 25, 2024

This week, we share a new tactic from DarkGate to look out for and a vulnerability roundup.

New DarkGate Campaign TTPs

DarkGate malware is classified as a loader, written in AutoIT as recently as January.

The developers of DarkGate operate as a malware-as-a-service (MaaS), leasing their malware's capabilities to any operator that can afford it.

DarkGate is distributed in phishing campaigns. Previous campaigns used malicious PDFs to entice victims into downloading a malicious payload, typically disguised as a fake software download for common software such as iTunes, Notion, or NVIDIA.

These fake software packages are downloaded as an .MSI file, which bundles together multiple files used to finish downloading and installing the final payload. Once installed, DarkGate can perform a variety of functions, including downloading additional malicious payloads (i.e., ransomware), infostealing, keylogging, persistence, remote access, and more.

DarkGate Gets a Makeover

On March 14, PacketWatch responded to a phishing incident that resulted in the discovery of new TTPs for DarkGate. The phishing email contained an Excel attachment.

This Excel document immediately prompts the user to see that the spreadsheet contains files from the cloud. The user must click the "Open" button to download and run these files.

Once the user clicks the button, Excel downloads a VBS (Visual Basic) file from an attacker-controlled domain over SMB (port 445). This VBS script is then executed, downloading three additional files: the AutohotKey executable, an Autohotkey script, and a text file.

Once executed, the Autohotkey script decodes obfuscated text within the text file and uses the resulting data to create a DLL file, which is then executed. This DLL file is the main DarkGate loader.

This new sequence of steps removes the need to trick the user a second time into downloading and executing the fake software installers, making the infection chain more efficient. 

This new DarkGate campaign with updated TTPs was confirmed to be widespread, as security researchers from Unit42 observed identical behavior on March 19.

Observed IOCs from the new campaign variant can be found at the end of the article.

How To Protect Your Organization

While DarkGate is an advanced piece of malware that is constantly evolving, there are several controls and opportunities to detect and prevent infection:

• User awareness training: As with all phishing-based malware, educating users on the telltale signs of phishing emails is a great deterrent. The malware will never execute if the employee never downloads the malicious attachment and runs the malicious scripts embedded within the attachment.

• Network hygiene: The first step DarkGate takes once it is triggered is to download the initial stage via SMB/445. This port and service should be blocked at the external firewall. Blocking this connection will immediately halt the execution of DarkGate if it cannot download its own install scripts.

• Application allow-listing: This new DarkGate campaign leverages Autohotkey scripting for execution. The reliance on the relatively obscure Autohotkey scripting language requires the threat actor to download the legitimate Autohotkey executable in order to ensure that the script will execute properly. If your organization has no legitimate use case for Autohotkey, do not allow that executable to run in the environment.

• Endpoint protection: Having robust and up-to-date endpoint detection tools on every endpoint will help prevent the execution of DarkGate malware if all other protections fail. Ensure you are leveraging behavior-based detection tools rather than signature-based tools.

Additional Resources

• https://twitter.com/Unit42_Intel/status/1770461681145061378
  
• https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
  
• https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html

Vulnerability Roundup

Fortra FileCatalyst RCE

Fortra recently released details for a critical remote code execution vulnerability for its FileCatalyst file transfer software.

Tracked as CVE-2024-25153, the vulnerability allows a threat actor to upload a file outside the intended default 'uploadtemp' directory. If the threat actor places a malicious file in the web portal's DocumentRoot directory, it can lead to code execution, including web shells.

Proof-of-concept exploit code exists in the wild. Administrators are urged to apply the patch as soon as possible. Affected versions are Fortra FileCatalyst Workflow 5.x before 5.1.6 Build 114.

• https://www.fortra.com/security/advisory/fi-2024-002
  
• https://www.fortra.com/product-lines/filecatalyst
  
• https://github.com/nettitude/CVE-2024-25153
  
• https://thehackernews.com/2024/03/fortra-patches-critical-rce.html
  
• https://platform.socradar.com/app/threatfeed/cve/CVE-2024-25153/details

Another Ivanti Critical RCE

Security researchers at NATO recently reported a new critical vulnerability in Ivanti Standalone Sentry, which is "deployed as an organization's Kerberos Key Distribution Center Proxy server or as a gatekeeper for ActiveSync-enabled Exchange and Sharepoint servers."

The vulnerability, tracked as CVE-2023-41724, affects all versions of the product and allows unauthenticated users on the same physical or logical network to execute arbitrary commands. The security patch has already been applied to cloud instances, but on-premises installations require manual patching.

While exploitation has not yet been observed in the wild, administrators are urged to patch it as soon as possible.

• https://www.bleepingcomputer.com/news/security/ivanti-fixes-critical-standalone-sentry-bug-reported-by-nato/
  
• https://thehackernews.com/2024/03/ivanti-releases-urgent-fix-for-critical.html
  
• https://forums.ivanti.com/s/article/CVE-2023-41724-Remote-Code-Execution-for-Ivanti-Standalone-Sentry?language=en_US
  
• https://platform.socradar.com/app/threatfeed/cve/CVE-2023-41724/details

Appendix A - Recent DarkGate IOCs

nextroundst[.]com
204.93.201[.]142
167.99.115[.]33

badbutperfect[.]com
103.124.105[.]78
escuelademarina[.]com/cloud
165.22.16[.]55

Stay updated with PacketWatch's cybersecurity content by subscribing to our monthly newsletter, delivered to your inbox on the last Tuesday of the month.

PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog.

If you want personalized threat intel, contact us today to learn about our enterprise threat intelligence services.

Note: We've also enriched our original threat intelligence report by including resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.

DISCLAIMER

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.