What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot


Introduction


The malware landscape keeps evolving. New families are born, while others disappear. Some families are short-lived, while others remain active for quite a long time. To follow this evolution, we rely both on the samples we detect and on our monitoring efforts, which cover botnets and underground forums.


While doing so, we found new Emotet samples, a new loader dubbed “DarkGate”, and a new LokiBot infostealer campaign. We described all three in private reports, from which this post contains an excerpt.


If you want to learn more about our crimeware reporting service, please contact us at [email protected].


DarkGate


In June 2023, a well-known malware developer posted an advertisement on a popular dark web forum, boasting of having developed a loader that he had been working on for more than 20,000 hours since 2017. Some of the main features, which went beyond typical downloader functionality, supposedly included the following:


Hidden VNC
Windows Defender exclusion
Browser history stealer
Reverse proxy
File manager
Discord token stealer

The full list of the touted capabilities is available in our private report.


The sample we obtained is missing some of these features, but that doesn’t mean much, as they are enabled or disabled in the builder anyway. We were, however, able to reconstruct the infection chain, which consists of four stages, all the way to loading the final payload: DarkGate itself.


VBS downloader script: The script is fairly simple. It sets several environment variables to obfuscate subsequent command invocati ..
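The environment-variable trick described above is cheap to undo once the command line reaches process telemetry. The following Python is an added illustration, not code from the report or from the campaign: it replays `set NAME=value` assignments from a cmd.exe command line, expands later `%NAME%` references, and flags lines where the expansion reveals an interpreter name the raw text did not show. It assumes the variables are consumed as `%NAME%` inside one cmd.exe command line; the sample command line is constructed for the example.

```python
import re

# Constructed sample (not from the campaign): an interpreter name is split
# across variables and only assembled in the final '&'-chained command.
SAMPLE_CMDLINE = (
    'cmd /c set a=pow&set b=ersh&set c=ell&set d=-w hidden -File stage2.ps1'
    '&%a%%b%%c% %d%'
)

PREFIX_RE = re.compile(r'^\s*"?cmd(?:\.exe)?"?\s+/[ck]\s+', re.IGNORECASE)
SET_RE = re.compile(r'^\s*set\s+([A-Za-z_]\w*)=(.*)$', re.IGNORECASE)
VAR_RE = re.compile(r'%([A-Za-z_]\w*)%')
INTERPRETERS = {'powershell', 'pwsh', 'cmd', 'wscript', 'cscript', 'mshta',
                'rundll32', 'regsvr32'}

def split_commands(cmdline):
    """Split a cmd.exe command line on '&' separators outside double quotes."""
    parts, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        if ch == '&' and not in_quote:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return parts

def deobfuscate(cmdline):
    """Replay 'set NAME=value' assignments, then expand %NAME% in the other commands.

    Returns (env, commands): the variables defined and a list of
    (raw_command, expanded_command) pairs for every non-'set' command.
    """
    env, commands = {}, []
    for part in split_commands(PREFIX_RE.sub('', cmdline, count=1)):
        m = SET_RE.match(part)
        if m:
            env[m.group(1).lower()] = m.group(2)  # cmd variable names are case-insensitive
            continue
        expanded = VAR_RE.sub(lambda v: env.get(v.group(1).lower(), v.group(0)), part)
        commands.append((part.strip(), expanded.strip()))
    return env, commands

def is_obfuscated_invocation(cmdline, min_vars=2):
    """True if several variables are set and expanding one command exposes an
    interpreter name that was absent from the raw text of that command."""
    env, commands = deobfuscate(cmdline)
    if len(env) < min_vars:
        return False
    for raw, expanded in commands:
        tokens = expanded.split()
        head = tokens[0].lower().removesuffix('.exe') if tokens else ''
        if head in INTERPRETERS and '%' in raw and head not in raw.lower():
            return True
    return False
```

Running `deobfuscate(SAMPLE_CMDLINE)` resolves the last command to `powershell -w hidden -File stage2.ps1`, which is what a detection rule keyed on interpreter names should be matched against rather than the raw line.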
