{"description": "Enterprise techniques used by DarkGate, ATT&CK software S1111 (v1.0)", "name": "DarkGate (S1111)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) uses two distinct User Account Control (UAC) bypass techniques to escalate privileges.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.004", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) relies on parent PID spoofing as part of its \"rootkit-like\" functionality to evade detection via Task Manager or Process Explorer.(Citation: Trellix Darkgate 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1098", "showSubtechniques": true}, {"techniqueID": "T1098.007", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) elevates accounts created through the malware to the local Administrators group during execution.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1583", "showSubtechniques": true}, {"techniqueID": "T1583.001", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) command and control includes hard-coded domains in the malware chosen to masquerade as legitimate services such as Akamai CDN or Amazon Web Services.(Citation: Trellix Darkgate 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.004", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) can cloak command and control traffic in DNS records from legitimate services to avoid reputation-based detection techniques.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1010", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) will search for cryptocurrency wallets by examining application window names for specific strings.(Citation: Ensilo Darkgate 2018) [DarkGate](https://attack.mitre.org/software/S1111) extracts information collected via NirSoft tools from the hosting process's memory by first identifying the window through the FindWindow API function.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1119", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) searches for stored credentials associated with cryptocurrency wallets and notifies the command and control server when identified.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) installation includes AutoIt script execution creating a shortcut to itself as an LNK object, such as bill.lnk, in the victim startup folder.(Citation: Ensilo Darkgate 2018)(Citation: Rapid7 BlackBasta 2024) [DarkGate](https://attack.mitre.org/software/S1111) installation finishes with the creation of a registry Run key.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1115", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) starts a thread on execution that captures clipboard data and logs it to a predefined log file.(Citation: Ensilo Darkgate 2018)(Citation: Rapid7 BlackBasta 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) has used PowerShell to create a remote shell.(Citation: Rapid7 BlackBasta 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) uses a malicious Windows Batch script to run the Windows curl utility to retrieve follow-on script payloads.(Citation: Trellix Darkgate 2023) [DarkGate](https://attack.mitre.org/software/S1111) has also used `cmd.exe` to create a remote shell.(Citation: Rapid7 BlackBasta 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) initial infection mechanisms include masquerading as pirated media that launches malicious VBScript on the victim.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.010", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) uses AutoIt scripts dropped to a hidden directory during initial installation phases, such as `test.au3`.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1136", "showSubtechniques": true}, {"techniqueID": "T1136.001", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) creates a local user account, SafeMode, via net user commands.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) uses the NirSoft Network Password Recovery (NetPass) tool to steal stored RDP credentials in some malware versions.(Citation: Trellix Darkgate 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1486", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) can deploy follow-on ransomware payloads.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1005", "comment": 
"[DarkGate](https://attack.mitre.org/software/S1111) has stolen `sitemanager.xml` and `recentservers.xml` from `%APPDATA%\\FileZilla\\` if present.(Citation: Rapid7 BlackBasta 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1001", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) retrieves encrypted commands from its command and control server for follow-on actions such as cryptocurrency mining.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1622", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) checks the BeingDebugged flag in the PEB structure during execution to identify if the malware is being debugged.(Citation: Trellix Darkgate 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) installation includes binary code stored in a file located in a hidden directory, such as shell.txt, that is decrypted then executed.(Citation: Ensilo Darkgate 2018) [DarkGate](https://attack.mitre.org/software/S1111) uses hexadecimal-encoded shellcode payloads during installation that are decoded and then executed via the Windows API CallWindowProc().(Citation: Trellix Darkgate 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1561", "showSubtechniques": true}, {"techniqueID": "T1561.001", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) has deleted files under the Mozilla Firefox profile directory using the following command: `/c del /q /f /s C:\\Users\\User\\AppData\\Roaming\\Mozilla\\firefox*`.(Citation: Rapid7 BlackBasta 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) uses per-victim links for hosting malicious archives, such as ZIP files, in services such as SharePoint to prevent other entities from retrieving them.(Citation: Trellix Darkgate 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) uses existing command and control channels to retrieve captured cryptocurrency wallet credentials.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "Some versions of [DarkGate](https://attack.mitre.org/software/S1111) search for the hard-coded folder C:\\Program Files\\e Carte Bleue.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1657", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) can deploy payloads capable of capturing credentials related to cryptocurrency wallets.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.001", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) initial installation involves dropping several files to a hidden directory named after the victim machine name.(Citation: Ensilo Darkgate 2018) Additionally, [DarkGate](https://attack.mitre.org/software/S1111) uses [attrib](https://attack.mitre.org/software/S1176) to hide a directory in the following command: `C:\\Windows\\system32\\attrib.exe +h C:/rjtu/`.(Citation: gbhackers Darkgate Malware 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1665", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) command and control includes hard-coded domains in the malware masquerading as legitimate services such as Akamai CDN or Amazon Web Services.(Citation: Trellix Darkgate 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) edits the Registry key HKCU\\Software\\Classes\\mscfile\\shell\\open\\command to execute a malicious AutoIt script.(Citation: Ensilo Darkgate 2018) When eventvwr.exe is executed, it launches the Microsoft Management Console (mmc.exe), which in turn resolves the mscfile handler from the modified Registry key; because eventvwr.exe auto-elevates, the hijacked handler runs without a UAC prompt.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) includes one infection vector that leverages a malicious \"KeyScramblerE.DLL\" library that will load during the execution of the legitimate KeyScrambler application.(Citation: Trellix Darkgate 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.007", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) overrides the %windir% environment variable by setting the Registry value HKEY_CURRENT_USER\\Environment\\windir to a command that executes a malicious AutoIt script. This allows [DarkGate](https://attack.mitre.org/software/S1111) to run every time the scheduled task DiskCleanup is executed, because that task's action path, %windir%\\system32\\cleanmgr.exe, is expanded with the per-user value at launch.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) will terminate processes associated with several security software products if identified during execution.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) has deleted its staging directories.(Citation: Rapid7 BlackBasta 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) retrieves cryptocurrency mining payloads and commands in encrypted traffic from its command and control server.(Citation: Ensilo Darkgate 2018) [DarkGate](https://attack.mitre.org/software/S1111) uses Windows Batch scripts executing the curl command to retrieve follow-on payloads.(Citation: Trellix Darkgate 2023) [DarkGate](https://attack.mitre.org/software/S1111) has stolen `sitemanager.xml` and `recentservers.xml` from `%APPDATA%\\FileZilla\\` if present.(Citation: Rapid7 BlackBasta 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1490", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) can delete volume shadow copies, and with them System Restore points, through the command `cmd.exe /c vssadmin delete shadows /for=c: /all /quiet`.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) will spawn a thread on execution to capture all keyboard events and write them to a predefined log file.(Citation: Ensilo Darkgate 2018)(Citation: Rapid7 BlackBasta 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) can masquerade as pirated media content for initial delivery to victims.(Citation: Ensilo Darkgate 2018)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1036.003", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) executes a Windows Batch script during installation that creates a randomly-named directory under the C:\\ root and copies the legitimate Windows curl binary to this new location under a different name.(Citation: Trellix Darkgate 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.007", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) masquerades malicious LNK files as PDF objects using the double extension .pdf.lnk.(Citation: Trellix Darkgate 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) uses the native Windows API CallWindowProc() to decode and launch encoded shellcode payloads during execution.(Citation: Trellix Darkgate 2023) [DarkGate](https://attack.mitre.org/software/S1111) can call kernel mode functions directly to hide the use of process hollowing methods during execution.(Citation: Ensilo Darkgate 2018) [DarkGate](https://attack.mitre.org/software/S1111) has also used the `CreateToolhelp32Snapshot`, `GetFileAttributesA` and `CreateProcessA` functions to obtain a list of running processes, to check for security products and to execute its malware.(Citation: Rapid7 BlackBasta 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) uses a hard-coded string as a seed, along with the victim machine hardware identifier and input text, to generate a unique string used as an internal mutex value to evade static detection based on mutexes.(Citation: Trellix Darkgate 2023)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) drops an encrypted PE file, pe.bin, and decrypts it during installation.(Citation: Ensilo Darkgate 2018) [DarkGate](https://attack.mitre.org/software/S1111) also uses custom base64 encoding alphabets in later variants to obfuscate payloads.(Citation: Trellix Darkgate 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) can be distributed through emails with malicious attachments from a spoofed email address.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) is distributed in phishing emails containing links to distribute malicious VBS or MSI files.(Citation: Trellix Darkgate 2023) [DarkGate](https://attack.mitre.org/software/S1111) uses applications such as Microsoft Teams for distributing links to payloads.(Citation: Trellix Darkgate 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) performs various checks for running processes, including security software, by looking for hard-coded process name values.(Citation: Ensilo Darkgate 2018)(Citation: Rapid7 BlackBasta 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) leverages process hollowing techniques to evade detection, such as decrypting the content of an encrypted PE file and injecting it into the process vbc.exe.(Citation: Ensilo Darkgate 2018)(Citation: Rapid7 BlackBasta 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1496", "showSubtechniques": true}, {"techniqueID": "T1496.001", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) can deploy follow-on cryptocurrency mining payloads.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) looks for various security products by process name using hard-coded values in the malware.(Citation: Rapid7 BlackBasta 2024) [DarkGate](https://attack.mitre.org/software/S1111) will not execute its keylogging thread if a process name associated with Trend Micro anti-virus is identified, or if runtime checks identify the presence of Kaspersky anti-virus. [DarkGate](https://attack.mitre.org/software/S1111) will initiate a new thread if certain security products are identified on the victim, and will recreate in a new system location any of its files that it determines were removed by security software.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1539", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) attempts to steal Opera cookies, if present, after terminating the related process.(Citation: Rapid7 BlackBasta 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) uses the Delphi routine SysUtils.DiskSize and the Windows API GlobalMemoryStatusEx to collect disk size and physical memory as part of the malware's anti-analysis checks for running in a virtualized environment.(Citation: Ensilo Darkgate 2018) [DarkGate](https://attack.mitre.org/software/S1111) will gather various system information such as domain, display adapter description, operating system type and version, processor type, and RAM amount.(Citation: Ensilo Darkgate 2018)(Citation: Rapid7 BlackBasta 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1614", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) queries system locale information during execution.(Citation: Ensilo Darkgate 2018) Later versions of [DarkGate](https://attack.mitre.org/software/S1111) query GetSystemDefaultLCID for locale information to determine if the malware is executing in Russian-speaking countries.(Citation: Trellix Darkgate 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) tries to elevate privileges to SYSTEM using PsExec to locally execute as a service, such as `cmd /c c:\\temp\\PsExec.exe -accepteula -j -d -s [Target Binary]`.(Citation: Trellix Darkgate 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1529", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) has used the `shutdown` command to shut down and/or restart the victim system.(Citation: Rapid7 BlackBasta 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) creates a log file for capturing keylogging, clipboard, and related data using the victim host's current date for the filename.(Citation: Ensilo Darkgate 2018) [DarkGate](https://attack.mitre.org/software/S1111) queries victim system epoch time during execution.(Citation: Ensilo Darkgate 2018) [DarkGate](https://attack.mitre.org/software/S1111) captures system time information as part of automated profiling on initial installation.(Citation: Trellix Darkgate 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1552", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) uses NirSoft tools to steal user credentials from the infected machine.(Citation: Ensilo Darkgate 2018) NirSoft tools are executed via process hollowing in a newly-created instance of vbc.exe or regasm.exe.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) initial infection payloads can masquerade as pirated media content requiring user interaction for code execution.(Citation: Ensilo Darkgate 2018) [DarkGate](https://attack.mitre.org/software/S1111) is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.(Citation: Trellix Darkgate 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, 
{"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) queries system resources on an infected machine to identify if it is executing in a sandbox or virtualized environment.(Citation: Ensilo Darkgate 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[DarkGate](https://attack.mitre.org/software/S1111) has used WMI to execute files over the network and to obtain information about the domain.(Citation: Rapid7 BlackBasta 2024) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by DarkGate", "color": "#66b1ff"}]}
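The following Python is an added example and is not part of the ATT&CK Navigator layer above, nor DarkGate or vendor code. It turns the host artefacts the layer attributes to DarkGate into a small rule set evaluated over process-creation and Registry-write events: the `vssadmin delete shadows` command (T1490), `attrib +h` on a staging directory (T1564.001), creation of the SafeMode account (T1136.001) and its elevation to Administrators (T1098.007), PsExec launched with `-s` (T1569.002), the Firefox profile wipe (T1561.001), and the per-user `windir` and `mscfile` Registry keys (T1574.007, T1574). All events are constructed sample telemetry; the `net localgroup administrators` form of the group elevation, the sample file paths, the password in the `net user` sample and the AutoIt interpreter name are assumptions, not observed DarkGate artefacts.

```python
"""Detection checks for DarkGate host behaviours listed in the ATT&CK layer above.

Added example; not part of the layer and not DarkGate or vendor code. Every event
below is constructed. Command-line and Registry patterns come from the technique
comments; the 'net localgroup administrators' form, the sample paths, the sample
password and the AutoIt3.exe name are assumptions.
"""
import re

# (technique, pattern) pairs evaluated over process command lines.
PROCESS_RULES = [
    ("T1490", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("T1564.001", re.compile(r"attrib(?:\.exe)?\s+\+h\b", re.I)),
    ("T1136.001", re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+(?:\S+\s+)?/add\b", re.I)),
    ("T1098.007", re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("T1569.002", re.compile(r"psexec(?:\.exe)?\s.*\s-s\b", re.I)),
    ("T1561.001", re.compile(r"\bdel\s+(?:/[qfs]\s+)+.*\\Mozilla\\", re.I)),
]

# (technique, pattern) pairs evaluated over the path of a written Registry value.
# A per-user override of %windir% or a per-user mscfile handler is abnormal on its
# own, so these fire on the key path regardless of the data written.
REGISTRY_RULES = [
    ("T1574.007", re.compile(r"^HKCU\\Environment\\windir$", re.I)),
    ("T1574", re.compile(r"^HKCU\\Software\\Classes\\mscfile\\shell\\open\\command$", re.I)),
]


def detect(events):
    """Return one {technique, evidence} record per (event, rule) match."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            for tid, rx in PROCESS_RULES:
                if rx.search(ev["cmdline"]):
                    hits.append({"technique": tid, "evidence": ev["cmdline"]})
        elif ev["type"] == "registry":
            for tid, rx in REGISTRY_RULES:
                if rx.search(ev["path"]):
                    hits.append({"technique": tid, "evidence": f'{ev["path"]} = {ev["data"]}'})
    return hits


def techniques_hit(events):
    """Sorted, de-duplicated list of technique IDs evidenced by the events."""
    return sorted({h["technique"] for h in detect(events)})


# Constructed sample events (not real telemetry). Paths and values are assumed.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r"cmd.exe /c vssadmin delete shadows /for=c: /all /quiet"},
    {"type": "process", "cmdline": r"C:\Windows\system32\attrib.exe +h C:/rjtu/"},
    {"type": "process", "cmdline": r"net user SafeMode Passw0rd! /add"},
    {"type": "process", "cmdline": r"net localgroup administrators SafeMode /add"},
    {"type": "process", "cmdline": r"cmd /c c:\temp\PsExec.exe -accepteula -j -d -s C:\rjtu\payload.exe"},
    {"type": "process", "cmdline": r"cmd.exe /c del /q /f /s C:\Users\User\AppData\Roaming\Mozilla\firefox*"},
    {"type": "registry", "path": r"HKCU\Environment\windir",
     "data": r"cmd /c C:\rjtu\AutoIt3.exe C:\rjtu\test.au3 &"},
    {"type": "registry", "path": r"HKCU\Software\Classes\mscfile\shell\open\command",
     "data": r"C:\rjtu\AutoIt3.exe C:\rjtu\test.au3"},
    # Benign look-alikes that must not fire.
    {"type": "process", "cmdline": r"vssadmin list shadows"},
    {"type": "process", "cmdline": r"attrib.exe -r C:\Users\User\notes.txt"},
    {"type": "process", "cmdline": r"net user"},
    {"type": "registry", "path": r"HKCU\Environment\TEMP", "data": r"C:\Users\User\AppData\Local\Temp"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["technique"], "<-", hit["evidence"])
```

Run as a script it prints one line per hit; in production the same two record shapes map onto Sysmon Event ID 1 (process creation, `CommandLine`) and Event ID 13 (Registry value set, `TargetObject`), and the Registry rules should be joined with the subsequent `mmc.exe` or `cleanmgr.exe` launch to confirm that the hijack was actually exercised.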