Darkgate Malware Weaponizing XLSX, HTML, & PDF To Attack Windows Machines

Hackers often target XLSX, HTML, and PDF files as they are widely used, and their trustable file formats also attract them.

This makes it easier to deliver them successfully to recipients who may not be aware.

Forcepoint researchers recently asserted that the Darkgate malware is distributed via phishing emails that have malicious attachments such as XLSX, HTML, or pdf which take over accounts and replicate themselves. 

It is persistent in the sense that it can go unnoticed while endangering lost data, fraud, blackmail, and exposed sensitive information.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Technical Analysis

Forcepoint X-Labs analyzed a recent Darkgate campaign initiated through a phishing email containing a fake Intuit Quickbooks invoice PDF. 

It tricks users into clicking a link to install Java but instead redirects them to a geofenced URL that surreptitiously downloads the next malware stage payload.

A malicious “may-document_[number].pdf” file analysis demonstrates an invoice PDF with an embedded hyperlink in a large XObject image.

Clicking the link downloads a malicious .jar file. The associated URLs share patterns with those used by QakBot actors before, indicating potential connections.

Analyzing the malicious “.jar” file with JD-GUI exposed a “.PNG” and an obfuscated “.class” file containing code to download a “.ZIP” file to C:\Downloads\ using a curl.exe command. 

Upon downloading the ZIP, it leverages PowerShell’s expand-archive to extract the contents.

This class file can also download and save MSI files. Within the ZIP, AutoIt3.exe and a compiled AutoIt script in .a3x format have been extracted, which are then run by the JAR via an obfuscated cmd command.

Darkgate has used AutoIt elsewhere, and this script was compiled using AutoIt 3.26+ with AU3!EA06 headers. Further investigation is needed to determine what this script does.

The operations BITXOR and BinaryToString() of AutoIt are difficult to understand. This tool merges a large data stream into a local variable.

DLLSTRUCTCREATE() library function allows bytes to be loaded into memory and then abuse system resources. Scripts obtain shell code and join with the server botnet remotely.

The Darkgate campaign deploys phishing emails pretending to be QuickBooks invoices to make users download malicious JAR files containing directions for more payloads, such as obfuscated AutoIt scripts. 

These scripts run shell code and communicate to remote servers. The Darkgate campaign has nicely blended professional malware techniques and historical URL patterns consequently demonstrating an advanced persistent threat (APT).

IOCs

Initial Stage URLs:

• afarm[.]net/uvz2q
• affixio[.]com/emh0c
• affiliatebash[.]com/myu0f
• afcmanager[.]net/jxk6m
• adventsales[.]co[.]uk/iuw8a
• amikamobile[.]com/ayu4d
• adztrk[.]com/ixi7r
• aerospaceavenue[.]com/cnz8g
• amishwoods[.]com/jwa4v

Second stage URL:

• smbeckwithlaw[.]com/1[.]zip

C2:

• ​kindupdates[.]com

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers