In June 2023, a threat actor going by the handle RastaFarEye posted an advertisement in the XSS underground forum about a project known as DarkGate. As detailed<\/a> by the ZeroFox Dark Ops intelligence team, the new version includes certain key features to evade detection while offering the expected credential stealing capabilities. The cost ($100K\/year) and limited availability (10 customers) make DarkGate somewhat of an elusive toolkit.<\/p>\n Photo credit: ZeroFox Dark Ops intelligence team<\/a><\/p>\n Two blog posts came out in early August, identifying new DarkGate attacks:<\/p>\n While investigating malvertising campaigns, we observed the following Google ad on on July 13, 2023:<\/p>\n Advanced IP Scanner is a popular tool used by IT administrators. Victims who click on the ad are presented with a decoy site:<\/p>\n The downloaded file (Advanced_IP_Scanner_2.5.4594.1.msi<\/em>) is an installer that contains the legitimate Advanced IP Scanner binary but also some extra files that are unpacked in the %temp% folder upon execution:<\/p>\n We recognize the familiar use of AutoIT which was already present in the very early versions of DarkGate.<\/p>\n Note: The same threat actor was also serving malicious ads via Bing as documented<\/a> by Cyberuptive on August 8, 2023.<\/p>\n SEO poisoning is an old technique used by various threat actors and scammers who attempt to game search engines’ ranking system. Although it takes a little more time to roll out, it is an effective way to trick users into visiting malicious sites.<\/p>\n The following search result appeared on Google:<\/p>\n The domain advancedscanner[.]link was created on 2023-07-28 and is used to redirect to the decoy page hosted at ipadvancedscanner[.]com. The downloaded file, IPAVSCAN_win_vers_1.1.3.msi, also has the same AutoIt encrypted payload:<\/p>\n We noticed that several of the newly registered domains associated with these campaigns had implemented advanced fingerprinting checks. We recently documented<\/a> this trend which could soon become the norm due to its ease of use.<\/p>\n Here’s another lure, this time for Angry IP Scanner, with a domain (ipangry[.]com registered 2023-07-29):<\/p>\n The payload, angry_win_0.47_installer.msi and its AutoIt script:<\/p>\n By using a combination of evasion techniques, the threat actors behind these campaigns are able to distribute DarkGate with a minimal system footprint. They are also diversifying their delivery techniques by leveraging malspam, malvertising and SEO poisoning.<\/p>\n Malwarebytes’ anti-malware engine detects this malware as Backdoor.DarkGate and our web protection blocks its known command and control servers.<\/p>\n Malwarebytes for Business<\/a> (EDR) customers may also see the following alerts:<\/p>\n Malvertising campaign<\/strong><\/p>\n SEO poisoning campaign<\/strong><\/p>\n DarkGate samples<\/strong><\/p>\n <\/strong>DarkGate C2s<\/strong><\/p>\n https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"![\"Ad](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/08\/easset_upload_file49548_275963_e.png\")
<\/a><\/p>\n\n
Malvertising<\/h2>\n
![\"Google](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/08\/easset_upload_file6536_275963_e.png\")
<\/p>\n![\"Decoy](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/08\/easset_upload_file32728_275963_e.png\")
<\/p>\n![\"Payload\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/08\/easset_upload_file16684_275963_e.png\")
<\/p>\nSEO poisoning<\/h2>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/08\/easset_upload_file52601_275963_e.png\")
<\/p>\n![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/08\/easset_upload_file13495_275963_e.png\")
<\/p>\nAnti-VM and other checks<\/h2>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/08\/easset_upload_file10541_275963_e.png\")
<\/p>\n![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/08\/easset_upload_file72275_275963_e.png\")
<\/p>\n![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/08\/easset_upload_file27029_275963_e.png\")
<\/a><\/p>\nIndicators of Compromise<\/h2>\n
top[.]advscan[.]com
advanced-ips-scanne[.]com
a4scan[.]com
advanced-ip-scanne[.]com<\/pre>\nadvancedscanner[.]link
ipadvancedscanner[.]com
185.224.137[.]54
185.11.61[.]65<\/pre>\ne5ca3a8732a4645de632d0a6edfaf064bdd34a4824102fbc2b328a974350db8f
206042ec2b6bc377296c8b7901ce1a00c393df89e7c4cbbb1b8da1a86a153b67
9a7db0204847d26515ed249f9ed577220326f63a724a2e0fb6bb1d8cd33508a3<\/pre>\n80.66.88[.]145
107.181.161[.]200<\/pre>\nAdditional resources<\/h2>\n
\n