DarkGate Miner Could Put Your Passwords at Risk - How to Protect Yourself
Adi Zeligson and Rotem Kerner, two security researchers working for enSilo, recently noticed that a new malware family called DarkGate was circulating. Most security products were not detecting it, so they decided to take a closer look. They quickly realized that what they had on their hands was a rather sophisticated threat.
The experts have seen a couple of VBS script files disguised as torrents dropping DarkGate on users in France and Spain. The first "torrent" supposedly distributes a Spanish entertainment show, and the second is named to fool users into thinking it contains an episode of "The Walking Dead". Taking advantage of users' desire to consume content without paying for it is nothing new, but the crooks have hidden an extra piece of functionality in the file supposedly distributing the hit zombie apocalypse show. If you run it, it automatically sends fake failed-delivery notification emails to an unknown number of recipients. If they open the file attached to that message, they too get infected with DarkGate.
A multi-talented threat
The range of tasks DarkGate can perform is so wide that you can't really classify it as a specific type of malware. It has the ability to attack the victim on many different fronts, and it also comes with some pretty good detection evasion capabilities.
Once the fake torrent downloads DarkGate's configuration files, the malware achieves persistence by modifying the host's registry, and it then calls its Command & Control server (C&C). A cryptocurrency mining module is deployed next, but before deploying it, DarkGate checks for files and processes that would indicate the presence of certain security products. Depending on what it finds, it adjusts its techniques slightly, and if it detects that it is running inside a virtual machine or a sandbox, it exits altogether in an attempt to stop security specialists from analyzing it.
When it operates, the cryptocurrency miner is not visible to the user, and to make sure you don't notice it at all, DarkGate has a way of bypassing UAC (User Account Control, the popup that appears every time you try to run an application that needs administrative rights).
Having a cryptocurrency miner running on your PC is a less than ideal situation, but if we have to look for a silver lining, a miner by itself does not read or exfiltrate your data; it steals CPU time and electricity. Sadly, DarkGate has a few other components that can put your information in peril.
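The persistence step described above is the one a defender can most easily check for: a registry autorun entry that launches a script host or a binary from a user-writable folder is a strong signal, whatever the malware family. The following Python script is an added example, not code from enSilo or from the DarkGate report. It triages a set of autorun entries with a few generic heuristics; the entry names, paths and commands are constructed for the demo and are not DarkGate indicators, and the heuristics themselves are general assumptions about what legitimate autoruns look like, not a description of DarkGate's registry changes.

```python
import re
from dataclasses import dataclass

# Constructed sample of autorun values, shaped like what you would read from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run on a real host.
# Nothing here comes from the enSilo report; the paths and names are invented.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "Update": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\Update\update.vbs"',
    "svchost": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
}

# Heuristics (assumptions, not DarkGate-specific indicators):
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
SCRIPT_FILE = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(appdata\\roaming|temp|tmp|downloads|public)\\", re.IGNORECASE)
# Names of Windows system binaries that should only ever run from System32.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


@dataclass
class Finding:
    name: str
    command: str
    reasons: list


def first_token(command: str) -> str:
    """Return the program being launched: a quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage_autoruns(entries: dict) -> list:
    """Flag autorun entries that match any heuristic; return one Finding per hit."""
    findings = []
    for name, command in entries.items():
        reasons = []
        program = first_token(command)
        basename = program.replace("/", "\\").rsplit("\\", 1)[-1].lower()

        if basename in SCRIPT_HOSTS:
            reasons.append(f"launched via script host {basename}")
        if SCRIPT_FILE.search(command):
            reasons.append("runs a script file")
        if USER_WRITABLE.search(command):
            reasons.append("references a user-writable directory")
        if basename in SYSTEM_BINARY_NAMES and "\\system32\\" not in program.lower():
            reasons.append(f"system binary name {basename} outside System32")

        if reasons:
            findings.append(Finding(name=name, command=command, reasons=reasons))
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_RUN_ENTRIES):
        print(f"[{f.name}] {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a live Windows host you would feed `triage_autoruns` the values read from the HKCU and HKLM Run keys (for example via `winreg` or a `reg export`), and a VBS-dropped implant like the one described here would typically light up the script-host and user-writable checks at once. The OneDrive entry is deliberately included as a legitimate program that runs from AppData\Local and must not be flagged by an overly broad path check.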
A password-stealing module
After taking a closer look at the malware's code, enSilo's researchers found strings all but identical to what they had seen when looking into another piece of malware, Golroted. Golroted, in its pure form, is a classic password stealer, but for the DarkGate campaign the crooks have altered the configuration so that it targets cryptocurrency wallets only. On the face of it, the crooks' main goal with DarkGate is to illegally obtain as many digital coins as possible, and they have more than a few ways of doing it.
Quite apart from the mining operation and the potential siphoning of cryptocurrency from victims' wallets, the criminals can also try the stolen passwords on other online services. As we all know, people tend to reuse passwords, which means that the same credentials often unlock numerous accounts, and access to sensitive information is just a login form away. That sensitive information can then be sold on an underground market for more bitcoins. Even that's not all, though.
There's no autopilot with DarkGate
DarkGate is something of a rare beast. After infection, most malware families contact their C&C and send out some information about the host. A piece of software installed on the C&C analyzes the data and replies with further instructions. With DarkGate, that piece of software is missing.
Instead, the malware operator manually decides what the next step should be. According to enSilo, if the crooks decide that the target is of particular interest, they could send a customized backdoor designed to steal a lot of sensitive data. In other cases, the experts have seen DarkGate demonstrate ransomware capabilities as well.
In other words, you can never know what sort of damage DarkGate is going to cause. You can be pretty sure that you want to keep it as far away from your computer as possible, though. And how can you do that?
It would be easy to wave a sanctimonious finger at the people who illegally download TV shows and say that they got what they deserved, but that's hardly going to help anyone. The fact of the matter is, pirated content and torrents can be very dangerous indeed, but even if you pay for everything you watch, you could still end up in trouble. This, unfortunately, is what the state of today's threat landscape is, and it's unlikely to change any time soon. What all this means is that you should learn to be a bit more careful.