Cybereason issues Threat Alerts to inform customers of emerging impacting threats, including recently observed DarkGate Loader. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.
Cybereason Security Services is investigating incidents that involve DarkGate Loader, a modular loader delivered via phishing email and responsible for deploying post-exploitation payloads.
Threat Actors deploy DarkGate Loader as an AutoIt script, which contains an encrypted payload. The AutoIt script decrypts and injects the payload into different processes. The execution of DarkGate Loader ultimately leads to execution of post-exploitation tools such as Cobalt Strike and Meterpreter. This Threat Alert provides an overview of an attack involving DarkGate Loader.
The purpose of DarkGate Loader is to deploy post-exploitation tools while evading detection.
DarkGate Loader Attack Flow Diagram
The Cybereason Defense Platform can detect and prevent DarkGate infections and post-exploitation behaviors. Cybereason recommends the following actions:
This blog post is the summary of a full 16-page Threat Alert, which can be downloaded here.
Derrick Masters, Principal Security Analyst, Cybereason Global SOC
Derrick Masters is a Senior Security Analyst with the Cybereason Global SOC team. He is involved with threat hunting and purple teaming. Derrick's professional certifications include GCFA, GCDA, GPEN, GPYC, and GSEC.
Hema Loganathan, Security Analyst, Cybereason Global SOC
Hema Loganathan is a Security Analyst with the Cybereason Global SOC team. She is involved in Malop Investigation, Malware Analysis, Reverse Engineering and Threat Hunting. Hema has a Master of science degree in Information Systems.
Ralph Villanueva, Senior Security Analyst, Cybereason Global SOC
Ralph Villanueva is a Security Analyst with the Cybereason Global SOC team. He works hunting and combating emerging threats in the cybersecurity space. His interests include malware reverse engineering, digital forensics, and studying APTs. He earned his Masters in Network Security from Florida International University.
Kotaro Ogino, Principal Security Analyst, Cybereason Global SOC
Kotaro Ogino is a Principal Security Analyst with the Cybereason Global SOC team. He is involved in threat hunting and Extended Detection and Response (XDR). Kotaro has a bachelor of science degree in information and computer science.
Uma Shukla, Senior Security Analyst, Cybereason Global SOC
Uma is a Senior Security Analyst with the Cybereason Global SOC team. He is involved in threat hunting, making use cases on emerging threats and exploits. He has experience working as Incident Response Consultant, Application and Vulnerability management and holds multiple certifications like ECIH, CYSA+, BTL1, BTJA, QRadar Security Professional.
A Microsoft Office code execution vulnerability dubbed “Follina” allows delivery of malware without needing the victim to allow macro execution and is very likely to be mass-exploited. The Cybereason Defense Platform detects and prevents the exploitation of Follina and enables effective hunting of this vulnerability...
Behavioral Execution Prevention stops threats posed by malicious actors who use trusted operating system software and native processes to conduct attacks...
