
Traditional antivirus software has a tough time detecting malware used in the campaign.


A new, active campaign is using malware capable of dancing around traditional antivirus solutions in order to empty cryptocurrency wallets.

 

The malware is being used in the DarkGate campaign, a previously undetected hacking operation uncovered this week by enSilo security researchers.

 

According to the team, DarkGate is currently underway in Spain and France, targeting Microsoft Windows PCs by way of torrent files.

 

Torrent files are most commonly associated with pirated content, but the technology itself is not illegal and is used by consumers and businesses alike to share large files.

In this case, however, the malicious torrents are disguised as pirated versions of popular television shows and films, including The Walking Dead.

 

The DarkGate malware uses a variety of obfuscation techniques to circumvent traditional antivirus solutions.

The malware's command-and-control (C2) infrastructure, through which operators send commands and the malware sends back stolen data, is hidden behind DNS records belonging to legitimate services including Akamai CDN and AWS.

 

Because the C2 resolves through DNS records of reputable services, its traffic passes the reputation checks that would otherwise flag the shady hosting or bulletproof hosting platforms long associated with malware and criminal campaigns.
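The reputation-evasion point above has a direct consequence for detection: if the C2 resolves to CDN or cloud-provider addresses, blocklists and reputation feeds will not catch it, so the traffic has to be caught on behaviour instead. The Python script below is an added example, not enSilo's or ZDNet's code. It scores each client/destination pair in a constructed DNS log on the regularity of its requests and flags low-jitter beacons whether or not the destination sits on a hypothetical "reputable" allowlist. The hostnames, timestamps, allowlist suffixes and thresholds are all constructed for the example.

```python
"""Added example (not enSilo's or ZDNet's code): find C2 beacons by request
timing, because a reputation check on the destination will not catch a C2
that resolves through CDN or cloud-provider DNS records."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical reputation allowlist, as a reputation-only control would use.
# Suffixes are constructed for this example, not real CDN or cloud domains.
REPUTABLE_SUFFIXES = (".cdn-example.net", ".cloud-example.com")

# Constructed DNS/proxy log, one "<timestamp> <client> <destination>" per line.
# 10.0.0.7 calls a7f3.cdn-example.net every ~300 s; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
2018-11-14T09:00:00 10.0.0.7 a7f3.cdn-example.net
2018-11-14T09:00:03 10.0.0.7 www.example.org
2018-11-14T09:05:01 10.0.0.7 a7f3.cdn-example.net
2018-11-14T09:07:40 10.0.0.7 mail.example.org
2018-11-14T09:10:00 10.0.0.7 a7f3.cdn-example.net
2018-11-14T09:14:58 10.0.0.7 a7f3.cdn-example.net
2018-11-14T09:20:02 10.0.0.7 a7f3.cdn-example.net
2018-11-14T09:25:00 10.0.0.7 a7f3.cdn-example.net
2018-11-14T09:01:12 10.0.0.9 static.cdn-example.net
2018-11-14T09:33:45 10.0.0.9 static.cdn-example.net
2018-11-14T09:34:02 10.0.0.9 static.cdn-example.net
2018-11-14T10:12:19 10.0.0.9 static.cdn-example.net
2018-11-14T11:40:07 10.0.0.9 static.cdn-example.net
2018-11-14T11:40:09 10.0.0.9 static.cdn-example.net
"""


def is_reputable(host: str) -> bool:
    """What a reputation-only control would say about the destination."""
    return host.endswith(REPUTABLE_SUFFIXES)


def parse_log(text: str):
    """Yield (timestamp, client, destination) tuples from the log text."""
    for line in text.splitlines():
        if line.strip():
            ts, client, dest = line.split()
            yield datetime.fromisoformat(ts), client, dest


def beacon_score(timestamps: list) -> tuple:
    """Return (mean gap in seconds, jitter) for sorted timestamps, where
    jitter is the coefficient of variation of the gaps (stdev / mean)."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))


def find_beacons(text: str, min_hits: int = 5, max_jitter: float = 0.05) -> list:
    """Flag client/destination pairs whose request gaps are nearly constant.
    Reputation is reported alongside but never used to suppress a finding."""
    by_pair = defaultdict(list)
    for ts, client, dest in parse_log(text):
        by_pair[(client, dest)].append(ts)
    findings = []
    for (client, dest), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue                         # too few samples to judge timing
        stamps.sort()
        interval, jitter = beacon_score(stamps)
        if jitter <= max_jitter:
            findings.append({"client": client, "dest": dest, "hits": len(stamps),
                             "interval_s": round(interval), "jitter": round(jitter, 3),
                             "reputable": is_reputable(dest)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['dest']}: {f['hits']} hits every ~{f['interval_s']}s "
              f"(jitter {f['jitter']}), reputation says trusted={f['reputable']}")
```

On the constructed log only the 10.0.0.7 pair is flagged, even though its destination is on the allowlist; the 10.0.0.9 pair has just as many hits but irregular gaps and is left alone. Real implementations add a sleep-jitter tolerance and a minimum observation window, since DarkGate-style operators can randomise the interval.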

 

In addition, DarkGate uses vendor-specific checks and actions, including a technique known as "process hollowing", to avoid detection by AV software.

In process hollowing, a legitimate program is launched in a suspended state, its in-memory image is replaced with the malware's own code, and the process is then resumed, so the malicious code runs under the name and on-disk path of the trustworthy program.
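A defender-side illustration of why a hollowed process is still detectable despite its trusted name: the file on disk and the image mapped at the process's PEB ImageBaseAddress should carry the same PE header, and hollowing breaks that. The Python below is an added example, not code from enSilo's report or from DarkGate. `pe_signature`, `looks_hollowed` and the constructed `build_header` sample data run anywhere; `scan_pid` is the Windows-only wiring, calling kernel32/ntdll through ctypes, and assumes a native 64-bit target (the PEB offset differs for 32-bit and WoW64 processes). It compares headers only, so an implant that also copies the legitimate header back over its own would evade this particular check.

```python
"""Added example: detect process hollowing by diffing the PE header on disk
against the one mapped at the process's image base. Not enSilo's code."""
import struct
import sys


def pe_signature(data: bytes) -> dict:
    """Extract the PE header fields that a hollowed image almost always changes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                     # IMAGE_FILE_HEADER
    machine, sections = struct.unpack_from("<HH", data, coff)
    opt = coff + 20                         # IMAGE_OPTIONAL_HEADER (32 or 64)
    magic = struct.unpack_from("<H", data, opt)[0]
    # AddressOfEntryPoint, SizeOfImage and CheckSum sit at the same offsets
    # in both the PE32 and the PE32+ optional header.
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    checksum = struct.unpack_from("<I", data, opt + 64)[0]
    return {"machine": machine, "sections": sections, "magic": magic,
            "entry": entry, "size_of_image": size_of_image, "checksum": checksum}


def looks_hollowed(disk_image: bytes, mem_image: bytes) -> tuple:
    """Return (suspicious, reason) for an on-disk header / in-memory header pair."""
    try:
        on_disk = pe_signature(disk_image)
    except ValueError as exc:
        return True, f"on-disk file is not a PE: {exc}"
    try:
        in_mem = pe_signature(mem_image)
    except ValueError as exc:
        # Some loaders wipe the headers after mapping; a process whose image
        # base holds no readable PE header is itself worth a closer look.
        return True, f"in-memory header unreadable: {exc}"
    diffs = {k: (on_disk[k], in_mem[k]) for k in on_disk if on_disk[k] != in_mem[k]}
    if diffs:
        detail = ", ".join(f"{k} {a:#x}->{b:#x}" for k, (a, b) in diffs.items())
        return True, "header mismatch: " + detail
    return False, "headers match"


def build_header(entry: int, size_of_image: int, sections: int = 3,
                 pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header for offline testing (not a real binary)."""
    e_lfanew = 0x80
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<HH", buf, coff, 0x8664 if pe32plus else 0x14C, sections)
    opt = coff + 20
    struct.pack_into("<H", buf, opt, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", buf, opt + 16, entry)
    struct.pack_into("<I", buf, opt + 56, size_of_image)
    return bytes(buf)


def scan_pid(pid: int) -> tuple:
    """Windows only: compare the header at PEB->ImageBaseAddress with the file
    QueryFullProcessImageNameW reports. Assumes a native 64-bit target."""
    import ctypes
    from ctypes import wintypes
    k32, ntdll = ctypes.windll.kernel32, ctypes.windll.ntdll

    class PBI(ctypes.Structure):            # PROCESS_BASIC_INFORMATION, pointer-sized fields
        _fields_ = [(n, ctypes.c_void_p) for n in (
            "ExitStatus", "PebBaseAddress", "AffinityMask", "BasePriority",
            "UniqueProcessId", "InheritedFromUniqueProcessId")]

    k32.OpenProcess.restype = wintypes.HANDLE
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.QueryFullProcessImageNameW.argtypes = [wintypes.HANDLE, wintypes.DWORD,
                                               wintypes.LPWSTR, ctypes.POINTER(wintypes.DWORD)]
    ntdll.NtQueryInformationProcess.argtypes = [wintypes.HANDLE, ctypes.c_int, ctypes.c_void_p,
                                                wintypes.ULONG, ctypes.c_void_p]
    h = k32.OpenProcess(0x0400 | 0x0010, False, pid)   # QUERY_INFORMATION | VM_READ
    if not h:
        raise OSError(f"OpenProcess({pid}) failed")
    try:
        pbi, nread = PBI(), ctypes.c_size_t()
        if ntdll.NtQueryInformationProcess(h, 0, ctypes.byref(pbi), ctypes.sizeof(pbi), None):
            raise OSError("NtQueryInformationProcess failed")
        base = ctypes.c_void_p()            # PEB.ImageBaseAddress is at +0x10 on x64
        if not k32.ReadProcessMemory(h, pbi.PebBaseAddress + 0x10, ctypes.byref(base),
                                     ctypes.sizeof(base), ctypes.byref(nread)):
            raise OSError("ReadProcessMemory(PEB) failed")
        hdr = ctypes.create_string_buffer(0x1000)
        if not k32.ReadProcessMemory(h, base, hdr, len(hdr), ctypes.byref(nread)):
            raise OSError("ReadProcessMemory(image base) failed")
        path, size = ctypes.create_unicode_buffer(32768), wintypes.DWORD(32768)
        if not k32.QueryFullProcessImageNameW(h, 0, path, ctypes.byref(size)):
            raise OSError("QueryFullProcessImageNameW failed")
        with open(path.value, "rb") as fh:
            return looks_hollowed(fh.read(0x1000), hdr.raw)
    finally:
        k32.CloseHandle(h)


if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) > 1:
        print(scan_pid(int(sys.argv[1])))
    else:                                   # offline demo on constructed headers
        legit = build_header(entry=0x1400, size_of_image=0x26000)
        print(looks_hollowed(legit, build_header(entry=0x3A10, size_of_image=0x8B000, sections=5)))
```

Run as `python hollow_check.py <pid>` on Windows (as an administrator, for processes you do not own) to check one live process; without a PID it demonstrates the comparison on constructed headers. A production check would also walk the section table and compare the entry-point bytes, since the header fields alone can be spoofed.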

 

DarkGate will also perform a number of checks to determine whether it has landed in a sandbox environment, the kind researchers use to analyze and unpack malicious software, and will scan for common AV products such as Avast, Bitdefender, Trend Micro, and Kaspersky.

 

The malware also uses file-recovery tooling so that files critical to its operation are restored if they are deleted.

 

enSilo says that the malware author "invested significant time and effort into remaining undetected," and during testing, it was found that "most AV vendors failed to detect it."

 

When executed, DarkGate implements two User Account Control (UAC) bypass techniques in order to gain elevated privileges and then download and execute a range of additional malware payloads.

 

These packages give DarkGate the ability to steal credentials associated with a victim's cryptocurrency wallets, execute ransomware payloads, create a remote access tunnel for operators to hijack the system, and also implement covert cryptocurrency mining operations.

 

According to enSilo, the C2 is overseen by human operators: when they are alerted to a new infection on a machine holding cryptocurrency wallets, they install the remote access tools needed to take over the system and drain the funds.

 

 

Source:

Most antivirus programs fail to detect this cryptocurrency-stealing malware | ZDNet
