August 23, 2023 By Jérôme Segura
In July 2023, we observed a malvertising campaign that lured potential victims to a fraudulent site for a Windows IT management tool. Unlike previous similar attacks, the final payload was packaged differently and not immediately recognizable.
The decoy file came as an MSI installer containing an AutoIT script where the payload was obfuscated to avoid detection. Upon analysis and comparison, we determined that this sample was an updated version of DarkGate, a multi purpose malware toolkit first identified in 2018.
Since the malware's obfuscation and encryption features have been recently documented by other researchers, we will focus on two of its web delivery methods, namely the use of malicious ads and search engine poisoning.
The campaigns we observed coincide with an announcement from DarkGate's developer in June as well, boasting about the malware's new capabilities and limited customer seats.