The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen
Essential information
- Published: 30/04/2024 14:13
- Modified: 01/05/2024 23:09
- Tags: CVE-2023-36025 CVE-2024-21412 autohotkey darkgate html microsoft defender smartscreen xls file
- Related entities: 15 observables, 1 intrusion set (APT), 17 techniques (MITRE), 1 malware
Description
This report details a novel infection chain associated with DarkGate malware, a Remote Access Trojan (RAT), in which the attackers abuse the AutoHotkey scripting utility and attempt to bypass Microsoft Defender SmartScreen. The infection begins with either an HTML-based entry point or an XLS file, using techniques such as disguising malicious content as legitimate files. The chain then downloads and executes several components, including VBScript, PowerShell scripts, and AutoHotkey scripts, ultimately leading to execution of the DarkGate payload. The report also highlights the vulnerability CVE-2023-36025 and its exploitation to evade SmartScreen warnings, as well as the persistence mechanisms employed by the malware.