Cyber attacks involving the DarkGate malware-as-a-service (MaaS) operation have transitioned from using AutoIt scripts to an AutoHotkey mechanism for the final stages of the attack, highlighting the threat actors’ ongoing efforts to evade detection.

These updates were observed in DarkGate version 6, released in March 2024 by its developer, RastaFarEye, who has been offering the program on a subscription basis to up to 30 clients. The malware has been active since at least 2018.

DarkGate is a comprehensive remote access trojan (RAT) with command-and-control (C2) and rootkit capabilities, as well as modules for credential theft, keylogging, screen capturing, and remote desktop access.
“DarkGate campaigns adapt quickly, altering various components to avoid detection by security solutions,” said Ernesto Fernández Provecho, a cybersecurity researcher at Trellix. “This is the first instance we’ve observed DarkGate utilizing AutoHotKey, a relatively rare scripting interpreter.”
It is important to note that McAfee Labs first documented DarkGate’s use of AutoHotKey in late April 2024. The attacks exploited security vulnerabilities like CVE-2023-36025 and CVE-2024-21412 to bypass Microsoft Defender SmartScreen protections via Microsoft Excel or HTML attachments in phishing emails.
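One defensive takeaway from the shift described above is that a script interpreter such as AutoHotkey or AutoIt launched by an Office application, or running a script from a user-writable drop location, is worth surfacing. The following is an added illustration, not code from Trellix, McAfee Labs or any DarkGate analysis; the event field names, the constructed sample events and the list of "unusual" parent processes are assumptions for the example.

```python
"""Flag AutoHotkey/AutoIt interpreter launches that look like a scripted
final-stage payload rather than legitimate admin or hotkey use.
Constructed example: event fields mirror a typical process-creation log."""
import re
from pathlib import PureWindowsPath

# Interpreter binaries for the two scripting engines named in the article.
SCRIPT_INTERPRETERS = {"autohotkey.exe", "autohotkeyu64.exe", "autohotkeyu32.exe",
                       "autoit3.exe", "autoit3_x64.exe"}
# Parents that rarely have a legitimate reason to spawn a script interpreter
# (assumption for this example, e.g. phishing attachments opened in Office).
SUSPICIOUS_PARENTS = {"excel.exe", "winword.exe", "outlook.exe", "mshta.exe",
                      "wscript.exe", "cscript.exe", "msedge.exe", "chrome.exe"}
# Common user-writable drop locations (assumption, not from the article).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I)
# First .ahk/.au3 path on the command line is the script being executed.
SCRIPT_ARG = re.compile(r'"?([a-z]:\\[^"]+?\.(?:ahk|au3))"?', re.I)

def classify(event: dict) -> list:
    """Return the reasons an interpreter launch looks suspicious (empty = benign)."""
    image = PureWindowsPath(event["image"]).name.lower()
    if image not in SCRIPT_INTERPRETERS:
        return []
    reasons = []
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"parent:{parent}")
    if USER_WRITABLE.match(event["image"]):
        reasons.append("interpreter-in-user-writable-path")
    m = SCRIPT_ARG.search(event["command_line"])
    if m and USER_WRITABLE.match(m.group(1)):
        reasons.append("script-in-user-writable-path")
    return reasons

def scan(events: list) -> list:
    """Return (pid, reasons) for every event that triggers at least one heuristic."""
    hits = []
    for e in events:
        reasons = classify(e)
        if reasons:
            hits.append((e["pid"], reasons))
    return hits

# Constructed sample events: one benign hotkey script, one Office-spawned drop.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" "C:\Program Files\Tools\remap.ahk"'},
    {"pid": 5532, "image": r"C:\Users\alice\AppData\Local\Temp\AutoHotkeyU64.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r"AutoHotkeyU64.exe C:\Users\alice\AppData\Local\Temp\script.ahk"},
    {"pid": 6010, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
]
```

Run `scan(SAMPLE_EVENTS)` to see only the Excel-spawned launch reported, with all three reasons attached.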
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.