win.darkgate

DarkGate

aka: Meh, MehCrypter

First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.

References
2024-03-13 | Trend Micro | Aliakbar Zahravi, Peter Girnus, Simon Zuckerbraun
CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign
Tags: DarkGate

2024-03-04 | Logpoint | Anish Bogati
Inside DarkGate: Exploring the infection chain and capabilities
Tags: DarkGate

2024-02-29 | SANS ISC | John Moutos
Dissecting DarkGate: Modular Malware Delivery and Persistence as a Service
Tags: DarkGate

2024-02-28 | Security Intelligence | Golo Mühr, Ole Villadsen
X-Force data reveals top spam trends, campaigns and senior superlatives in 2023
Tags: 404 Keylogger, Agent Tesla, Black Basta, DarkGate, Formbook, IcedID, Loki Password Stealer (PWS), Pikabot, QakBot, Remcos

2024-01-30 | AT&T Cybersecurity | Peter Boyle
DarkGate malware delivered via Microsoft Teams - detection and response
Tags: DarkGate

2024-01-18 | Kroll | Sean Straw
Open the DARKGATE – Brute Forcing DARKGATE Encodings
Tags: DarkGate

2024-01-17 | Splunk | Splunk Threat Research Team
Enter The Gates: An Analysis of the DarkGate AutoIt Loader
Tags: DarkGate

2024-01-16 | S2W LAB Inc. | Minyeop Choi
Detailed Analysis of DarkGate; Investigating new top-trend backdoor malware
Tags: DarkGate

2024-01-05 | VMRay | VMRay Labs Team
DarkGate from AutoIT to Shellcode Execution
Tags: DarkGate

2023-12-21 | Proofpoint | Axel F, Dusty Miller, Selena Larson, Tommy Madjar
BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates
Tags: DarkGate

2023-12-19 | Twitter (@embee_research) | Embee_research
Free Ghidra Tutorials for Beginners
Tags: Cobalt Strike, DarkGate

2023-12-14 | Mandiant | Adrian McCabe, Geoff Ackerman, Rufus Brown, Ryan Tomcik
Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors
Tags: DanaBot, DarkGate

2023-11-21 | Trellix | Ciana Driscoll, Ernesto Fernández Provecho, Pham Duy Phuc, Vinoo Thomas
The Continued Evolution of the DarkGate Malware-as-a-Service
Tags: DarkGate

2023-11-20 | Sekoia | Pierre Le Bourhis
DarkGate Internals
Tags: DarkGate

2023-11-20 | Cofense | Dylan Duncan
Are DarkGate and PikaBot the new QakBot?
Tags: DarkGate, Pikabot, QakBot

2023-11-02 | eSentire | eSentire Threat Response Unit (TRU)
From DarkGate to DanaBot
Tags: DanaBot, DarkGate

2023-11-01 | Netskope | Leandro Froes
New DarkGate Variant Uses a New Loading Approach
Tags: DarkGate

2023-10-16 | Twitter (@embee_research) | Embee_research
Decoding a Simple Visual Basic (.vbs) Script - DarkGate Loader
Tags: DarkGate

2023-10-12 | Trend Micro | Trend Micro Research
DarkGate Opens Organizations for Attack via Skype, Teams
Tags: DarkGate

2023-10-04 | Twitter (@embee_research) | Embee_research
Developing Yara Signatures for Malware - Practical Examples
Tags: DarkGate, Lu0Bot

2023-09-22 | PRODAFT | PRODAFT
DarkGate IOCs
Tags: DarkGate

2023-09-19 | Medium (@DCSO_CyTec) | Johann Aydinbas
#ShortAndMalicious — DarkGate
Tags: DarkGate

2023-09-06 | TRUESEC | Jakob Nordenlund
DarkGate Loader Malware Delivered via Microsoft Teams
Tags: DarkGate

2023-08-25 | Telekom | Fabian Marquardt
Shining some light on the DarkGate loader
Tags: DarkGate

2023-08-25 | GitHub (telekom-security) | Fabian Marquardt
DarkGate configuration extractor
Tags: DarkGate

2023-08-06 | 0xToxin Labs | @0xToxin
DarkGate - Threat Breakdown Journey
Tags: DarkGate

2023-08-03 | Kaspersky | Kaspersky
What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot
Tags: LokiBot, DarkGate, Emotet

2023-08-03 | Aon | Aon’s Cyber Labs
DarkGate Keylogger Analysis: Masterofnone
Tags: DarkGate

2023-06-27 | ZeroFox | ZeroFox Dark Ops intelligence team
The Underground Economist: Volume 3, Issue 12
Tags: DarkGate, Meduza Stealer

2020-11-12 | Avast Decoded | Jan Rubín
Password stealer in Delphi? Meh… (2/2)
Tags: DarkGate

2020-09-17 | Avast Decoded | Jan Rubín
Complex obfuscation? Meh… (1/2)
Tags: DarkGate

2018-11-13 | Fortinet | Fortinet
Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign
Tags: DarkGate, Golroted
Yara Rules
[TLP:WHITE] win_darkgate_w0 (20231204 | Detects DarkGate)
rule win_darkgate_w0 {
    meta:
        author = "RussianPanda"
        description = "Detects DarkGate"
        date = "2023-09-17"
        source = "https://www.esentire.com/blog/from-darkgate-to-danabot"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"
        malpedia_rule_date = "20230917"
        malpedia_hash = ""
        malpedia_version = "20231204"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // plaintext markers
        $s1 = "hanydesk"
        $s2 = "darkgate.com"
        // custom 64-symbol base64 table used by the decoder
        $s3 = "zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+="
        // bit-unpacking steps of that decoder (x86):
        // and bl, 0x30 ; and ebx, 0xff ; shr ebx, 4
        $s4 = {80 e3 30 81 e3 ff 00 00 00 c1 eb 04}
        // and bl, 0x3c ; and ebx, 0xff ; shr ebx, 2
        $s5 = {80 e3 3c 81 e3 ff 00 00 00 c1 eb 02}
        // and cl, 0x03 ; shl ecx, 6
        $s6 = {80 e1 03 c1 e1 06}
    condition:
        // every marker must be present, and the file must start with the PE "MZ" header
        all of ($s*)
        and uint16(0) == 0x5A4D
}
[TLP:WHITE] win_darkgate_w1 (20231204 | DarkGate Payload)
rule win_darkgate_w1 {
    meta:
        author = "enzok"
        description = "DarkGate Payload"
        cape_type = "DarkGate Payload"
        source = "https://github.com/kevoreilly/CAPEv2/blob/8689f9f05dec4500d7becd03e9939444f3be3a8f/data/yara/CAPE/DarkGate.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"
        malpedia_rule_date = "20230917"
        malpedia_hash = ""
        malpedia_version = "20231204"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Three variants of the same decode-loop body (x86, locals addressed via ebp):
        //   mov edx, [ebp+?] ; mov cl, [ebp+?] ; and cl, MASK ; shl ecx, N
        //   mov bl, [ebp+?]  ; and bl, MASK    ; and ebx, 0xff ; shr ebx, M
        //   add cl, bl       ; mov [eax+edx-1], cl ; inc dword [ebp+?] ; cmp byte [ebp+?], 0x40
        // $part1: (c & 0x3f) << 2 combined with (c & 0x30) >> 4
        $part1 = {8B 55 ?? 8A 4D ?? 80 E1 3F C1 E1 02 8A 5D ?? 80 E3 30 81 E3 FF [3] C1 EB 04 02 CB 88 4C 10 FF FF 45 ?? 80 7D ?? 40}
        // $part2: (c & 0x0f) << 4 combined with (c & 0x3c) >> 2
        $part2 = {8B 55 ?? 8A 4D ?? 80 E1 0F C1 E1 04 8A 5D ?? 80 E3 3C 81 E3 FF [3] C1 EB 02 02 CB 88 4C 10 FF FF 45 ?? 80 7D ?? 40}
        // $part3: (c & 0x03) << 6 combined with (c & 0x3f); ends at the inc, before the cmp
        $part3 = {8B 55 ?? 8A 4D ?? 80 E1 03 C1 E1 06 8A 5D ?? 80 E3 3F 02 CB 88 4C 10 FF FF 45}
        // custom 64-symbol base64 table (same string as $s3 in win_darkgate_w0)
        $alphabet = "zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+="
    condition:
        // the table plus at least one of the decode-loop variants
        ($alphabet) and any of ($part*)
}
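As an added illustration, not part of the Malpedia page or of either rule's source, the decoder below reimplements the 6-bit unpacking that the hex patterns in both rules match, using the 64-symbol table quoted in the rules. It assumes that string is used as a base64-style substitution table in which "=" is the 64th symbol (index 63) rather than padding, and that a trailing short group is simply unpadded; the function names and the sample inputs are constructed here.

```python
# Custom 64-symbol table as it appears in win_darkgate_w0 ($s3) and win_darkgate_w1 ($alphabet).
# Unlike standard base64, "=" occupies index 63 (where "/" would be), so it is treated as data.
DARKGATE_ALPHABET = "zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+="
_DECODE = {ch: idx for idx, ch in enumerate(DARKGATE_ALPHABET)}


def darkgate_b64_decode(text: str) -> bytes:
    """Decode a string written with the custom table back into bytes.

    The bit packing mirrors the decode-loop patterns in the Yara rules:
      byte0 = (c0 & 0x3f) << 2 | (c1 & 0x30) >> 4
      byte1 = (c1 & 0x0f) << 4 | (c2 & 0x3c) >> 2
      byte2 = (c2 & 0x03) << 6 | (c3 & 0x3f)
    A trailing group of 2 or 3 symbols yields 1 or 2 bytes (assumed unpadded);
    a single dangling symbol carries no complete byte and is ignored.
    """
    out = bytearray()
    for i in range(0, len(text), 4):
        chunk = text[i:i + 4]
        try:
            vals = [_DECODE[c] for c in chunk]
        except KeyError as exc:
            raise ValueError(f"symbol not in alphabet: {exc.args[0]!r}") from None
        if len(vals) >= 2:
            out.append(((vals[0] & 0x3F) << 2) | ((vals[1] & 0x30) >> 4))
        if len(vals) >= 3:
            out.append(((vals[1] & 0x0F) << 4) | ((vals[2] & 0x3C) >> 2))
        if len(vals) == 4:
            out.append(((vals[2] & 0x03) << 6) | (vals[3] & 0x3F))
    return bytes(out)


def darkgate_b64_encode(data: bytes) -> str:
    """Inverse of the decoder (unpadded); used here to build test vectors offline."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # left-align the 1..3 input bytes in a 24-bit window, then emit 2..4 symbols
        bits = int.from_bytes(chunk, "big") << (8 * (3 - len(chunk)))
        for k in range(len(chunk) + 1):
            out.append(DARKGATE_ALPHABET[(bits >> (18 - 6 * k)) & 0x3F])
    return "".join(out)


if __name__ == "__main__":
    # constructed sample: b"Dark" encodes to "P0UtGN" under this table
    print(darkgate_b64_encode(b"Dark"), darkgate_b64_decode("P0UtGN"))
```

A different build may ship a different table, so confirm the string in the sample matches `$s3`/`$alphabet` before trusting the output.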