Following the FBI's takedown of the Qakbot infrastructure in August 2023, security analysts at EclecticIQ observed a surge in the use of the DarkGate loader.
The groups behind it target European and American financial institutions, using double-extortion ransomware attacks to squeeze out maximum profit.
They abuse legitimate services such as Google's DoubleClick advertising network and cloud storage to trick victims into downloading the malware.
DarkGate Offered on Forums
On June 16, 2023, a cybercriminal known as RastaFarEye advertised a new offering on underground forums: DarkGate Malware-as-a-Service (MaaS).
The service gave other criminals tools to remotely control victims' devices and steal their data.
Security researchers at EclecticIQ believe the cybercriminals behind DarkGate primarily target financial institutions.
One example involves a phishing attempt against Bank Deutsches Kraftfahrzeuggewerbe (BDK), the second-largest independent bank in Germany's automotive sector.
The attackers sent an email with a malicious PDF attachment built around an automotive-themed lure, most likely chosen to match BDK's industry focus.
Clicking the "Open" button in the PDF redirected victims to a phishing website designed to deliver DarkGate.
The phishing site served the malware inside a ZIP archive, a common tactic for slipping past security controls that inspect or block bare executables.
Look for activity where wscript.exe or cscript.exe is used to run .vbs files, especially from temporary folders.
Tools such as the Sigma rule "Suspicious Script Execution from Temp Folder" or an equivalent Elasticsearch KQL query can help detect this.
Monitor network traffic for unusual patterns, such as redirects through the legitimate "adclick.g.doubleclick.net" click-tracking domain whose parameters point at unexpected destinations, or downloads of .CAB files.
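As an added example (not code from this article or from EclecticIQ), the following Python script applies the two hunts described above to constructed data: Sysmon-style process-creation records for the wscript.exe/cscript.exe check, and proxy log lines for the DoubleClick redirect and .CAB download check. The field names (Image, CommandLine), the proxy log layout, the treatment of the DoubleClick redirect parameter (any query value that is itself a URL, with the real click URLs' adurl= as the expected case), and every sample record are assumptions made for illustration.

```python
import re
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Added example; the Sysmon-style field names, proxy log format and all
# sample records below are constructed for illustration.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Common user and system temp locations on Windows (assumption: extend as needed).
TEMP_DIR_RE = re.compile(
    r"(\\users\\[^\\]+\\appdata\\local\\temp\\|\\windows\\temp\\|%temp%\\)",
    re.IGNORECASE,
)
# A .vbs path argument: drive-letter path or %TEMP%-relative path.
VBS_ARG_RE = re.compile(
    r'"?([A-Za-z]:\\[^"\s]+\.vbs|%temp%\\[^"\s]+\.vbs)"?', re.IGNORECASE
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def flag_process_event(event: dict) -> bool:
    """True when wscript.exe/cscript.exe launches a .vbs located in a temp folder.

    `event` mimics a Sysmon Event ID 1 record (assumed field names)."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return False
    m = VBS_ARG_RE.search(event.get("CommandLine", ""))
    return bool(m and TEMP_DIR_RE.search(m.group(1)))


def flag_url(url: str) -> Optional[str]:
    """Return a reason string if the URL matches one of the network patterns."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if p.path.lower().endswith(".cab"):
        return "cab-download"
    if host == "adclick.g.doubleclick.net":
        # The redirect target is carried in a query parameter (adurl= on real
        # click URLs). Assumption: check every parameter whose value is a URL
        # and flag plain-http targets, bare IPs, odd ports or payload-like paths.
        for values in parse_qs(p.query).values():
            for v in values:
                t = urlparse(v)
                if t.scheme not in ("http", "https"):
                    continue
                th = (t.hostname or "").lower()
                if (t.scheme == "http" or IPV4_RE.fullmatch(th)
                        or t.port not in (None, 443)
                        or t.path.lower().endswith((".zip", ".cab", ".msi", ".vbs"))):
                    return "doubleclick-redirect"
    return None


def hunt(process_events, proxy_lines):
    """Run both hunts and return (reason, evidence) tuples in input order."""
    findings = []
    for e in process_events:
        if flag_process_event(e):
            findings.append(("script-from-temp", e["CommandLine"]))
    for line in proxy_lines:
        # Constructed proxy log layout: "<timestamp> <client> <method> <url> <status>"
        url = line.split()[3]
        reason = flag_url(url)
        if reason:
            findings.append((reason, url))
    return findings


# Constructed sample data (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\invoice.vbs"'},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\Scripts\inventory.vbs"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\AppData\Local\Temp\notes.txt"},
]
SAMPLE_PROXY_LINES = [
    "2023-10-02T09:14:03Z 10.0.0.12 GET https://adclick.g.doubleclick.net/pcs/click?adurl=http://203.0.113.7/data.zip 302",
    "2023-10-02T09:14:05Z 10.0.0.12 GET http://203.0.113.7/update.cab 200",
    "2023-10-02T09:15:11Z 10.0.0.12 GET https://adclick.g.doubleclick.net/pcs/click?adurl=https://www.example.com/ 302",
    "2023-10-02T09:16:40Z 10.0.0.12 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for reason, evidence in hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_PROXY_LINES):
        print(f"{reason}: {evidence}")
```

Only the temp-folder .vbs launch, the DoubleClick redirect to a plain-http bare-IP target and the .CAB fetch are reported; the legitimate script in C:\Scripts and the DoubleClick click-through to an ordinary https site are not. Tune the temp-directory patterns and the redirect heuristics to your environment before relying on this in production; the Sigma rule mentioned above is the more portable form of the first check.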