win.darkgate

DarkGate

aka: Meh, MehCrypter

First documented in 2018, DarkGate is a commodity loader with features that include the ability to download files and execute them in memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian-language eCrime forum since May 2023.

References
2023-11-21 | Trellix | Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll, Vinoo Thomas
@online{provecho:20231121:continued:8a0bc28, author = {Ernesto Fernández Provecho and Pham Duy Phuc and Ciana Driscoll and Vinoo Thomas}, title = {{The Continued Evolution of the DarkGate Malware-as-a-Service}}, date = {2023-11-21}, organization = {Trellix}, url = {https://www.trellix.com/about/newsroom/stories/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/}, language = {English}, urldate = {2023-11-27} } The Continued Evolution of the DarkGate Malware-as-a-Service
DarkGate
2023-11-20 | Sekoia | Pierre Le Bourhis
@online{bourhis:20231120:darkgate:9bff66a, author = {Pierre Le Bourhis}, title = {{DarkGate Internals}}, date = {2023-11-20}, organization = {Sekoia}, url = {https://blog.sekoia.io/darkgate-internals/}, language = {English}, urldate = {2023-11-22} } DarkGate Internals
DarkGate
2023-11-01 | Netskope | Leandro Froes
@online{froes:20231101:new:145f312, author = {Leandro Froes}, title = {{New DarkGate Variant Uses a New Loading Approach}}, date = {2023-11-01}, organization = {Netskope}, url = {https://www.netskope.com/jp/blog/new-darkgate-variant-uses-a-new-loading-approach}, language = {English}, urldate = {2023-11-13} } New DarkGate Variant Uses a New Loading Approach
DarkGate
2023-10-16 | Twitter (@embee_research) | Embee_research
@online{embeeresearch:20231016:decoding:f01af37, author = {Embee_research}, title = {{Decoding a Simple Visual Basic (.vbs) Script - DarkGate Loader}}, date = {2023-10-16}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/decoding-a-simple-visual-basic-vbs-script-darkgate-loader/}, language = {English}, urldate = {2023-10-17} } Decoding a Simple Visual Basic (.vbs) Script - DarkGate Loader
DarkGate
2023-10-12 | Trendmicro | Trend Micro Research
@online{research:20231012:darkgate:10d712d, author = {Trend Micro Research}, title = {{DarkGate Opens Organizations for Attack via Skype, Teams}}, date = {2023-10-12}, organization = {Trendmicro}, url = {https://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html}, language = {English}, urldate = {2023-10-18} } DarkGate Opens Organizations for Attack via Skype, Teams
DarkGate
2023-10-04 | Twitter (@embee_research) | Embee_research
@online{embeeresearch:20231004:developing:c147c2f, author = {Embee_research}, title = {{Developing Yara Signatures for Malware - Practical Examples}}, date = {2023-10-04}, organization = {Twitter (@embee_research)}, url = {https://embee-research.ghost.io/practical-signatures-for-identifying-malware-with-yara/}, language = {English}, urldate = {2023-10-05} } Developing Yara Signatures for Malware - Practical Examples
DarkGate Lu0Bot
2023-09-22 | PRODAFT | PRODAFT
@online{prodaft:20230922:darkgate:23e4b9e, author = {PRODAFT}, title = {{DarkGate IOCs}}, date = {2023-09-22}, organization = {PRODAFT}, url = {https://github.com/prodaft/malware-ioc/blob/master/PTI-66/DarkGate.md}, language = {English}, urldate = {2023-10-11} } DarkGate IOCs
DarkGate
2023-09-19 | Medium (@DCSO_CyTec) | Johann Aydinbas
@online{aydinbas:20230919:shortandmalicious:a0cff0b, author = {Johann Aydinbas}, title = {{#ShortAndMalicious — DarkGate}}, date = {2023-09-19}, organization = {Medium (@DCSO_CyTec)}, url = {https://medium.com/@DCSO_CyTec/shortandmalicious-darkgate-d9102a457232}, language = {English}, urldate = {2023-09-20} } #ShortAndMalicious — DarkGate
DarkGate
2023-09-06 | TRUESEC | Jakob Nordenlund
@online{nordenlund:20230906:darkgate:cbe3f9b, author = {Jakob Nordenlund}, title = {{DarkGate Loader Malware Delivered via Microsoft Teams}}, date = {2023-09-06}, organization = {TRUESEC}, url = {https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams}, language = {English}, urldate = {2023-09-08} } DarkGate Loader Malware Delivered via Microsoft Teams
DarkGate
2023-08-25 | Github (telekom-security) | Fabian Marquardt
@online{marquardt:20230825:darkgate:e063af0, author = {Fabian Marquardt}, title = {{DarkGate configuration extractor}}, date = {2023-08-25}, organization = {Github (telekom-security)}, url = {https://github.com/telekom-security/malware_analysis/blob/main/darkgate/extractor.py}, language = {English}, urldate = {2023-08-25} } DarkGate configuration extractor
DarkGate
2023-08-25 | Telekom | Fabian Marquardt
@online{marquardt:20230825:shining:967cdac, author = {Fabian Marquardt}, title = {{Shining some light on the DarkGate loader}}, date = {2023-08-25}, organization = {Telekom}, url = {https://github.security.telekom.com/2023/08/darkgate-loader.html}, language = {English}, urldate = {2023-08-25} } Shining some light on the DarkGate loader
DarkGate
2023-08-06 | 0xToxin Labs | @0xToxin
@online{0xtoxin:20230806:darkgate:8847660, author = {@0xToxin}, title = {{DarkGate - Threat Breakdown Journey}}, date = {2023-08-06}, organization = {0xToxin Labs}, url = {https://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/}, language = {English}, urldate = {2023-08-07} } DarkGate - Threat Breakdown Journey
DarkGate
2023-08-03 | Aon | Aon’s Cyber Labs
@online{labs:20230803:darkgate:3d23432, author = {Aon’s Cyber Labs}, title = {{DarkGate Keylogger Analysis: Masterofnone}}, date = {2023-08-03}, organization = {Aon}, url = {https://www.aon.com/cyber-solutions/aon_cyber_labs/darkgate-keylogger-analysis-masterofnone/}, language = {English}, urldate = {2023-08-07} } DarkGate Keylogger Analysis: Masterofnone
DarkGate
2023-08-03 | Kaspersky | Kaspersky
@online{kaspersky:20230803:whats:0d716ed, author = {Kaspersky}, title = {{What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot}}, date = {2023-08-03}, organization = {Kaspersky}, url = {https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/}, language = {English}, urldate = {2023-08-03} } What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot
LokiBot DarkGate Emotet
2023-06-27 | ZeroFox | ZeroFox Dark Ops intelligence team
@online{team:20230627:underground:cc5de25, author = {ZeroFox Dark Ops intelligence team}, title = {{The Underground Economist: Volume 3, Issue 12}}, date = {2023-06-27}, organization = {ZeroFox}, url = {https://www.zerofox.com/blog/the-underground-economist-volume-3-issue-12/}, language = {English}, urldate = {2023-08-01} } The Underground Economist: Volume 3, Issue 12
DarkGate Meduza Stealer
2020-11-12 | Avast Decoded | Jan Rubín
@online{rubn:20201112:password:fe2e566, author = {Jan Rubín}, title = {{Password stealer in Delphi? Meh… (2/2)}}, date = {2020-11-12}, organization = {Avast Decoded}, url = {https://decoded.avast.io/janrubin/meh-2-2/}, language = {English}, urldate = {2023-08-07} } Password stealer in Delphi? Meh… (2/2)
DarkGate
2020-09-17 | Avast Decoded | Jan Rubín
@online{rubn:20200917:complex:e1b3abc, author = {Jan Rubín}, title = {{Complex obfuscation? Meh… (1/2)}}, date = {2020-09-17}, organization = {Avast Decoded}, url = {https://decoded.avast.io/janrubin/complex-obfuscation-meh/}, language = {English}, urldate = {2023-08-07} } Complex obfuscation? Meh… (1/2)
DarkGate
2018-11-13 | Fortinet | Fortinet
@online{fortinet:20181113:enter:3638569, author = {Fortinet}, title = {{Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign}}, date = {2018-11-13}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign}, language = {English}, urldate = {2023-08-17} } Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign
DarkGate Golroted
Yara Rules
[TLP:WHITE] win_darkgate_w0 (20231204 | Detects DarkGate)
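rule win_darkgate_w0 {
    meta:
        author = "RussianPanda"
        description = "Detects DarkGate"
        date = "2023-09-17"
        source="https://www.esentire.com/blog/from-darkgate-to-danabot"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"
        malpedia_rule_date = "20230917"
        malpedia_hash = ""
        malpedia_version = "20231204"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Plain-text artefacts. No "wide" modifier is set, so UTF-16 copies
        // of these strings are not matched -- NOTE(review): confirm that is
        // intended for the samples this rule targets.
        $s1 = "hanydesk"
        $s2 = "darkgate.com"
        // Custom 64-character base64 alphabet; the same table is used as
        // $alphabet in win_darkgate_w1.
        $s3 = "zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+="
        // x86 and/shift sequences, e.g. $s4 decodes as
        // "and bl,0x30 / and ebx,0xff / shr ebx,4"; they appear to be the
        // 6-bit unpacking steps of the custom base64 decoder (the longer
        // patterns in win_darkgate_w1 contain the same byte runs).
        $s4 = {80 e3 30 81 e3 ff 00 00 00 c1 eb 04}
        $s5 = {80 e3 3c 81 e3 ff 00 00 00 c1 eb 02}
        $s6 = {80 e1 03 c1 e1 06}
    condition:
        // Cheap MZ-header check first so the string clause is only
        // evaluated for PE files (short-circuit); all six artefacts must be
        // present, which keeps the rule strict and low on false positives.
        uint16(0) == 0x5A4D
        and all of ($s*)
}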
[TLP:WHITE] win_darkgate_w1 (20231204 | DarkGate Payload)
rule win_darkgate_w1 {
    meta:
        author = "enzok"
        description = "DarkGate Payload"
        cape_type = "DarkGate Payload"
        source="https://github.com/kevoreilly/CAPEv2/blob/8689f9f05dec4500d7becd03e9939444f3be3a8f/data/yara/CAPE/DarkGate.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate"
        malpedia_rule_date = "20230917"
        malpedia_hash = ""
        malpedia_version = "20231204"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Three variants of what looks like the 6-bit unpack step of a
        // custom base64 decoder: load a byte, mask with and, shift, add,
        // store to [eax+edx-1], bump the counter and compare against 0x40
        // (the alphabet length). Wildcards cover ebp-relative displacements.
        $part1 = {8B 55 ?? 8A 4D ?? 80 E1 3F C1 E1 02 8A 5D ?? 80 E3 30 81 E3 FF [3] C1 EB 04 02 CB 88 4C 10 FF FF 45 ?? 80 7D ?? 40}
        $part2 = {8B 55 ?? 8A 4D ?? 80 E1 0F C1 E1 04 8A 5D ?? 80 E3 3C 81 E3 FF [3] C1 EB 02 02 CB 88 4C 10 FF FF 45 ?? 80 7D ?? 40}
        $part3 = {8B 55 ?? 8A 4D ?? 80 E1 03 C1 E1 06 8A 5D ?? 80 E3 3F 02 CB 88 4C 10 FF FF 45}
        // Custom base64 alphabet; the same table appears as $s3 in
        // win_darkgate_w0.
        $alphabet = "zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+="
    condition:
        // One decoder variant plus the alphabet table is enough. There is
        // deliberately no PE-header check here, so the rule can also hit
        // on memory dumps and carved payloads (presumably the intent, given
        // the CAPE sandbox origin in "source").
        any of ($part*) and $alphabet
}