{
  "name": "DarkGate: Dancing the Samba With Alluring Excel Files",
  "slug": "darkgate-dancing-the-samba-with-alluring-excel-files",
  "description": "This analysis delves into a DarkGate malware campaign from March-April 2024 that exploits Microsoft Excel files to retrieve malicious payloads hosted on public-facing SMB file shares. It sheds light on the evolving tactics of this threat, which creatively abuses legitimate tools and services for distribution. The campaign targets various regions: primarily North America at first, before spreading to Europe and parts of Asia. The report provides insights into DarkGate's background, infection chain, anti-analysis techniques, command and control infrastructure, and the indicators of compromise associated with this campaign.",
  "published": "2024-07-11T09:56:14+00:00",
  "created_at": "2024-07-11T09:56:14+00:00",
  "modified_at": "2024-07-11T10:08:37+00:00",
  "created_at_opencti": "2024-07-11T09:56:14+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-07-11",
    "anti-analysis",
    "autohotkey",
    "darkgate",
    "excel",
    "sideloading"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "78.142.18.222"
      },
      {
        "id": "",
        "name": "5.180.24.155"
      },
      {
        "id": "",
        "name": "167.99.115.33"
      },
      {
        "id": "",
        "name": "http://nextroundst.com/aa"
      },
      {
        "id": "",
        "name": "http://nextroundst.com/nlcsphze"
      },
      {
        "id": "",
        "name": "http://nextroundst.com/ffcxlohx"
      },
      {
        "id": "",
        "name": "http://diveupdown.com/hlsxaifp"
      },
      {
        "id": "",
        "name": "http://diveupdown.com/aaa"
      },
      {
        "id": "",
        "name": "http://diveupdown.com/yhmrmmgc"
      },
      {
        "id": "",
        "name": "http://diveupdown.com/aa"
      },
      {
        "id": "",
        "name": "http://adfhjadfbjadbfjkhad44jka.com/zanmjtvh"
      },
      {
        "id": "",
        "name": "http://adfhjadfbjadbfjkhad44jka.com/xxhhodrq"
      },
      {
        "id": "",
        "name": "http://adfhjadfbjadbfjkhad44jka.com/aa"
      },
      {
        "id": "",
        "name": "wear626.com"
      },
      {
        "id": "",
        "name": "updateleft.com"
      },
      {
        "id": "",
        "name": "nextroundst.com"
      },
      {
        "id": "",
        "name": "diveupdown.com"
      },
      {
        "id": "",
        "name": "adfhjadfbjadbfjkhad44jka.com"
      },
      {
        "id": "",
        "name": "b4156c2cd85285a2cb12dd208fcecb5d88820816b6371501e53cb47b4fe376fd"
      },
      {
        "id": "",
        "name": "b28473a7e5281f63fd25b3cb75f4e3346112af6ae5de44e978d6cf2aac1538c1"
      },
      {
        "id": "",
        "name": "a01672db8b14a2018f760258cf3ba80cda6a19febbff8db29555f46592aedea6"
      },
      {
        "id": "",
        "name": "9b2be97c2950391d9c16497d4362e0feb5e88bfe4994f6d31b4fda7769b1c780"
      },
      {
        "id": "",
        "name": "9a2a855b4ce30678d06a97f7e9f4edbd607f286d2a6ea1dde0a1c55a4512bb29"
      },
      {
        "id": "",
        "name": "96e22fa78d6f5124722fe20850c63e9d1c1f38c658146715b4fb071112c7db13"
      },
      {
        "id": "",
        "name": "585e52757fe9d54a97ec67f4b2d82d81a547ec1bd402d609749ba10a24c9af53"
      },
      {
        "id": "",
        "name": "51f1d5d41e5f5f17084d390e026551bc4e9a001aeb04995aff1c3a8dbf2d2ff3"
      },
      {
        "id": "",
        "name": "44a54797ca1ee9c896ce95d78b24d6b710c2d4bcb6f0bcdc80cd79ab95f1f096"
      },
      {
        "id": "",
        "name": "4b45b01bedd0140ced78e879d1c9081cecc4dd124dcf10ffcd3e015454501503"
      },
      {
        "id": "",
        "name": "378b000edf3bfe114e1b7ba8045371080a256825f25faaea364cf57fa6d898d7"
      },
      {
        "id": "",
        "name": "2384abde79fae57568039ae33014184626a54409e38dee3cfb97c58c7f159e32"
      },
      {
        "id": "",
        "name": "08d606e87da9ec45d257fcfc1b5ea169b582d79376626672813b964574709cba"
      },
      {
        "id": "",
        "name": "51ab25a9a403547ec6ac5c095d904d6bc91856557049b5739457367d17e831a7"
      },
      {
        "id": "",
        "name": "f9d8b85fac10f088ebbccb7fe49274a263ca120486bceab6e6009ea072cb99c0"
      },
      {
        "id": "",
        "name": "ba8f84fdc1678e133ad265e357e99dba7031872371d444e84d6a47a022914de9"
      },
      {
        "id": "",
        "name": "02acf78048776cd52064a0adf3f7a061afb7418b3da21b793960de8a258faf29"
      },
      {
        "id": "",
        "name": "897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb"
      },
      {
        "id": "",
        "name": "2e34908f60502ead6ad08af1554c305b88741d09e36b2c24d85fd9bac4a11d2f"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:7c078901ec82eaf2",
        "name": "DarkGate - S1111",
        "slug": "darkgate-s1111"
      }
    ],
    "intrusion_sets": [
      {
        "id": "c9081ddb-74de-48c5-8545-65ece21558ac",
        "name": "DarkGate",
        "slug": "darkgate"
      }
    ],
    "attack_patterns": [
      {
        "id": "024c025e-d4ab-4d4e-a391-91d29564bc42",
        "name": "T1207"
      },
      {
        "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f",
        "name": "T1490"
      },
      {
        "id": "4d36ebe8-4925-419a-bdd5-73f6427a975d",
        "name": "T1064"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "5bab4974-1fc2-4144-b093-28ebcb8767dc",
        "name": "T1114"
      },
      {
        "id": "d9f271ed-7685-4362-b90d-f16a14102f39",
        "name": "T1489"
      },
      {
        "id": "6e4e21cc-92cf-4564-920e-d509bd22fd40",
        "name": "T1574"
      },
      {
        "id": "29398669-98ed-4766-9dac-f9632f7175ff",
        "name": "T1518"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2024-3400"
      }
    ]
  },
  "external_refs": [
    "https://unit42.paloaltonetworks.com/darkgate-malware-uses-excel-files/",
    "https://otx.alienvault.com/pulse/668fc85e88b1a9e7b31be48e"
  ]
}