DarkGate

DarkGate uses two distinct User Account Control (UAC) bypass techniques to escalate privileges.(Citation: Ensilo Darkgate 2018)

DarkGate relies on parent PID spoofing as part of its "rootkit-like" functionality to evade detection via Task Manager or Process Explorer.(Citation: Trellix Darkgate 2023)

DarkGate elevates accounts created through the malware to the local administration group during execution.(Citation: Ensilo Darkgate 2018)

DarkGate command and control includes hard-coded domains in the malware chosen to masquerade as legitimate services such as Akamai CDN or Amazon Web Services.(Citation: Trellix Darkgate 2023)

DarkGate can cloak command and control traffic in DNS records from legitimate services to avoid reputation-based detection techniques. (Citation: Ensilo Darkgate 2018)

DarkGate installation includes AutoIt script execution creating a shortcut to itself as an LNK object, such as bill.lnk, in the victim startup folder.(Citation: Ensilo Darkgate 2018) DarkGate installation finishes with the creation of a registry Run key.(Citation: Ensilo Darkgate 2018)

DarkGate uses a malicious Windows Batch script to run the Windows code utility to retrieve follow-on script payloads.(Citation: Trellix Darkgate 2023)

DarkGate creates a local user account, SafeMode, via net user commands.(Citation: Ensilo Darkgate 2018)

DarkGate initial installation involves dropping several files to a hidden directory named after the victim machine name.(Citation: Ensilo Darkgate 2018)

DarkGate includes one infection vector that leverages a malicious "KeyScramblerE.DLL" library that will load during the execution of the legitimate KeyScrambler application.(Citation: Trellix Darkgate 2023)

DarkGate will terminate processes associated with several security software products if identified during execution.(Citation: Ensilo Darkgate 2018)

DarkGate will spawn a thread on execution to capture all keyboard events and write them to a predefined log file.(Citation: Ensilo Darkgate 2018)

DarkGate executes a Windows Batch script during installation that creases a randomly-named directory in the C:\\ root directory that copies and renames the legitimate Windows curl command to this new location.(Citation: Trellix Darkgate 2023)

DarkGate drops an encrypted PE file, pe.bin, and decrypts it during installation.(Citation: Ensilo Darkgate 2018) DarkGate also uses custom base64 encoding schemas in later variations to obfuscate payloads.(Citation: Trellix Darkgate 2023)

DarkGate can be distributed through emails with malicious attachments from a spoofed email address.(Citation: Ensilo Darkgate 2018)

DarkGate leverages process hollowing techniques to evade detection, such as decrypting the content of an encrypted PE file and injecting it into the process vbc.exe.(Citation: Ensilo Darkgate 2018)

DarkGate can deploy follow-on cryptocurrency mining payloads.(Citation: Ensilo Darkgate 2018)

DarkGate looks for various security products by process name using hard-coded values in the malware. DarkGate will not execute its keylogging thread if a process name associated with Trend Micro anti-virus is identified, or if runtime checks identify the presence of Kaspersky anti-virus. DarkGate will initiate a new thread if certain security products are identified on the victim, and recreate any malicious files associated with it if it determines they were removed by security software in a new system location.(Citation: Ensilo Darkgate 2018)

DarkGate tries to elevate privileges to SYSTEM using PsExec to locally execute as a service, such as cmd /c c:\temp\PsExec.exe -accepteula -j -d -s [Target Binary].(Citation: Trellix Darkgate 2023)

DarkGate initial infection payloads can masquerade as pirated media content requiring user interaction for code execution.(Citation: Ensilo Darkgate 2018) DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.(Citation: Trellix Darkgate 2023)

DarkGate queries system resources on an infected machine to identify if it is executing in a sandbox or virtualized environment.(Citation: Ensilo Darkgate 2018)