Malware Analysis Report: DarkGate – From AutoIt to Shellcode Execution
The DarkGate malware family is known for its variety of features, including the download and execution of malicious payloads, information stealing and keylogging capabilities, and multiple evasion techniques. It is sold as a service to cybercriminals and has been active since at least 2018, but only recently gained in popularity after the Qakbot infrastructure was taken down by law enforcement. What stands out is its rather complex delivery methods and multitude of evasion tactics to avoid detection, one of which is the abuse of AutoIt scripts to execute native code rather than just commands.
VMRay’s threat researchers have taken an in-depth look into the DarkGate malware family to gain insights into its inner workings and to improve detection and configuration extraction. In this report, we specifically highlight the interesting way in which DarkGate executes malicious native code via AutoIt scripts.
Topics include:
- DarkGate’s infection chain;
- Usage of AutoIt scripts;
- Shellcode execution;
- Variants of DarkGate;
- Payloads in DarkGate.