Recent DarkGate Activity & Trends
By Shatak Jain
Published: 2023-12-07
Source: https://jacksonholdingcompany.com/recent-darkgate-activity-amp-trends-shatak-jain/

Introduction

DarkGate is a malware family, dating back to 2018, that gained prominence after the demise of Qakbot with a Malware-as-a-Service (MaaS) offering advertised in underground cybercrime forums starting in the summer of 2023. This blog examines DarkGate intrusion trends observed by ThreatLabz between June and October 2023.
Key Takeaways

- DarkGate activity surged in late September and early October 2023.
- According to our customer telemetry, the technology sector is the most impacted by DarkGate attack campaigns.
- Most DarkGate domains are 50 to 60 days old, which may indicate a deliberate approach where threat actors create and rotate domains at specific intervals.

Trend 1: DarkGate activity surges in late September, early October

To better understand DarkGate distribution trends, the ThreatLabz team analyzed hostnames, registration information, IP addresses, website content, and any recent patterns that emerged.

Increase in DarkGate domains

Our analysis revealed that there was a significant rise in the number of active DarkGate domains during the last week of September 2023. This means that more DarkGate websites associated with illegal activities were active during this specific time period.

Uptick in DarkGate transactions

DarkGate transactions increased in late September and into October. Notably, there was a substantial spike in transactions on October 10, 2023. This suggests that the threat actors behind DarkGate were particularly active during this time, possibly executing a series of attacks.

This DarkGate transaction data was compiled from observations of the Zscaler cloud. Each contact an infected machine made with a C2 server was counted as one transaction.

Figure 1: Illustrates spikes in DarkGate command-and-control (C2) activity by date

Trend 2: Technology sector most targeted by DarkGate

Based on analysis of our customer telemetry, the technology industry is the most targeted by DarkGate at 36.7%. Food, beverage, and tobacco come in second at 12.7%.

Figure 2: Industries most targeted by DarkGate

Trend 3: Most DarkGate domains are 50 to 60 days old

ThreatLabz found a concentrated level of activity (such as serving websites, handling transactions, or participating in network communications) among hostnames that have been in existence for 50 to 60 days. The fact that DarkGate domains follow this pattern could indicate that threat actors are taking a systematic approach where they create and rotate domains at specific intervals. Most likely, this intentional pattern is a way of evading security measures that target known malicious domains.

Figure 3: Age distribution of DarkGate domains based on transaction volume

Conclusion

The recent surge in DarkGate’s activity can be attributed to its use as a replacement for Qakbot. In addition to staying on top of the threat of DarkGate malware, Zscaler’s ThreatLabz team continuously monitors for new and emerging threats and shares its findings with the wider security community.
Zscaler Coverage & Indicators of Compromise (IOCs)

Zscaler’s multilayered cloud security platform detects indicators related to DarkGate at various levels. Zscaler Sandbox played a particularly crucial role in analyzing the behavior of various files. Through this sandbox analysis, the threat scores and the specific MITRE ATT&CK techniques triggered were identified, as illustrated in the screenshot below. Zscaler’s advanced threat protection capabilities and comprehensive zero trust approach empower cybersecurity professionals with critical insights into malware behavior, enabling them to effectively detect and counter the threats posed by malicious actors.

- Win64.Downloader.DarkGate
- Win32.Trojan.DarkGate
- Win64.Trojan.DarkGate
- LNK.Downloader.DarkGate
- VBS.Downloader.DarkGate
- JS.Downloader.DarkGate

Figure 4: Zscaler Cloud Sandbox

MITRE ATT&CK TTPs

Tactic              | Technique ID | Technique
--------------------|--------------|------------------------------------------
Initial Access      | T1566        | Phishing
Execution           | T1204        | User Execution
                    | T1059        | Command and Scripting Interpreter
                    | T1569        | System Services
Persistence         | T1547        | Boot or Logon Autostart Execution
Defense Evasion     | T1027        | Obfuscated Files or Information
                    | T1070.004    | File Deletion
                    | T1202        | Indirect Command Execution
                    | T1564.001    | Hidden Files and Directories
                    | T1140        | Deobfuscate/Decode Files or Information
Credential Access   | T1555.003    | Credentials from Web Browsers
Discovery           | T1016        | System Network Configuration Discovery
                    | T1083        | File and Directory Discovery
                    | T1057        | Process Discovery
                    | T1082        | System Information Discovery
Command and Control | T1071        | Application Layer Protocol

Indicators of Compromise (IoCs)

- Phishing PDF: 55f16d7f0a1683f32b946c03bdda79ca
- Malicious DLL: a2fb0b0d34d71073cd037e872d40ea14
- Encoded AutoIt Script: 0ea7d1a7ad1b24835ca0b2fc6c51c15a
- AutoIt Loader Benign: c56b5f0201a3b3de53e561fe76912bfd
- DarkGate Payload: f242ce468771de8c7a23568a3b03a5e2
- Malicious ZIP: d2efccdb50c7450e8a99fec37a805ce6
- LNK File: 7791017a97289669f5f598646ef6d517
- Phishing PDF: 803103fe4b32c86fb3f382ee17dfde44
- Malicious ZIP: 0a341353e5311d8f01f582425728e1d7
- VBS File: 3df59010997ed2d70c5f7095498b3b3f
- Encoded AutoIt Script: 660bc32609a1527c90990158ef449757
- AutoIt Loader Benign: c56b5f0201a3b3de53e561fe76912bfd
- DarkGate Payload: 9bf2ae2da16e9a975146c213abd7cd4f
- Malicious ZIP: 9f93952e425110de34e00ebd6d6daab3
- VBS File: c78dfe0f9b4fd732c8e99eb495ed9958
- Encoded AutoIt Script: 660bc32609a1527c90990158ef449757
- AutoIt Loader Benign: c56b5f0201a3b3de53e561fe76912bfd
- DarkGate Payload: 9bf2ae2da16e9a975146c213abd7cd4f
- Malicious ZIP: 54e65e96d2591106a2c41168803c77ff
- JS File: 57cfc3b0b53e856c78b47867d7013516
- Phishing Email: 0a50d4ea1a9d36f0c65de0e78eacbe95
- PDF document: 097cbe9af6e66256310023ff2fbadac6
- Malicious CAB File: 6ecd98dfd52136cff6ed28ef59b3f760
- MSI File: 8ef6bc142843232614b092fac948562d
- CAB file dropped from MSI: a169cebb4009ecfb62bb8a1faf09182f

Command-and-control (C2)

- luxury-event-rentals[.]com
- drvidhya[.]in
- alianzasuma[.]com
- cpm.com[.]py
- corialopolova[.]com
- skylineprodutora[.]com.br
- medsure[.]com.br
- humanrecruitasia[.]com
- journeotravel[.]com
- skylineprodutora.com[.]br
- ahantadevnet[.]org
- yellowstone[.]com.mm
- asiaprofessionals[.]net
- axecapital[.]ro
- semquedagotas[.]com.br
- reverasuplementos[.]fun
- tikwave[.]site
- grupec[.]com.co
- chatpipoca[.]net
- ncsinternationalcollege[.]com
- gatraders.com[.]pk
- ibuytech[.]pk
- winstonandfriendz[.]ca
- skincaremulher[.]fun
- adam-xii-rpl.my[.]id
- mycopier.com[.]my
- japaaesthetics[.]com
- msteamseyeappstore[.]com
- youth[.]digital
- roundstransports[.]com
- mfleader.com[.]ar
- fefasa[.]hn
- nile-cruiise-egypt[.]com
- flyforeducation[.]com
- expertaitalia[.]eu
- plataformaemrede[.]com.br
- runnerspacegifts[.]com/umn/
- kiwifare[.]net
- getldrrgoodgame[.]com
- hmas[.]mx
- darkgate[.]com
- 5.188.87.58
- 5.42.77.33
- 45.144.28.244
- 94.228.169.123
- 94.228.169[.]143[:]2351/
- 94.228.169[.]143[:]8080/
- 66.42.110.147
- 94.131.106.78
- 88.119.175.245
- 45.32.222.253
- grupowcm[.]com[.]br
- thekhancept[.]com
- eelontech[.]com
- bligevale[.]co[.]zw
- dhtech[.]ae
- techs[.]com
- gsrhrservices[.]com
- glowriters[.]com
- a2zfortextile[.]com
- alpileannn[.]com
- boutiquedhev[.]com
- hypothequeswestisland[.]com
- onetabmusic[.]com
- sirishareddy[.]info
- appapi[.]store
- sictalks[.]com
- nia-dbrowntestserver[.]com[.]ng
- ofc[.]ai
- unasd[.]org
- plusmag[.]ro
- beautifullike[.]com
- gsrglobal[.]org
- winstonandfriendz[.]ca
- divinfosystem[.]com
- supershuttles[.]co[.]za
- ziaintegracion[.]com
- themarijuanashow[.]com
- blackshine[.]lk
- deroze[.]net
- vtektv[.]com
- dna-do-gamer[.]com
- kalismprivateltd[.]co[.]uk
- arshany[.]com
- kelotecnologia[.]com
- millennialradio[.]es
- phomecare.co.uk
