Mitigation Lessons from 598 Incident Responses: DarkGate Malware, LotL Techniques, and Rclone Attacks 

Between October 02-09, 2024, Blackpoint’s Security Operations Center (SOC) responded to 598 total incidents across on-premises, Microsoft 365, and Google Workspace protected environments. These incidents involved confirmed or likely threat actor use of:

• DarkGate malware for remote access and data exfiltration.
• Living off the Land techniques for potential data exfiltration.
• Rclone for data exfiltration.

In this blog, we’ll dive into the details of three select incidents, why they matter for our partners, and possible mitigations using your existing tech stack alongside Blackpoint Cyber’s managed services.

Topline Takeaways

• Industry target: Professional & Commercial Services
• Attacker methods:
  • Autoit
  • DarkGate Malware
• Recommended mitigations:
  • Enforce multi-factor authentication (MFA) on all user accounts.
  • Employee security training.
  • Regularly audit both the environment and endpoints.

Incident Timeline for 2024-10-03

Blackpoint’s MDR technology alerted our Active SOC to the use of “Autoit3.exe” on the host of a professional & commercial services partner. Initial investigation revealed that the detection appeared to be a DarkGate malware infection; the file was located in a directory that is commonly abused by threat actors as it is hidden by default “C:\ProgramData\”.

Further analysis revealed that Autoit3.exe spawned an executable called cmd.exe, which appeared to be legitimate command prompt. However, the executable was observed making outbound connections with the default gateway IP address, 192.168.4[.]1. Blackpoint’s SOC analysts isolated the impacted machine and contacted the partner to inform them of the detection and isolation.

More About DarkGate Malware

DarkGate malware is a malware-as-a-service (MaaS) that has been sold on cybercriminal marketplaces since at least 2017. The malware allows attackers to conduct malicious activities such as keylogging, information theft, privilege escalation, remote access, and deploying additional malware payloads.

Threat actors likely find this an attractive option for malware due to the multiple uses the tool has for data exfiltration, acting as an initial access broker (IAB) for threat groups to deploy additional malware, such as ransomware, and it has automatic connectivity to remote control servers.

APG Threat Analysis for DarkGate Malware

Blackpoint’s Adversary Pursuit Group (APG) predicts the continued use of malware, like DarkGate malware, for persistence and collection is likely over the next 12 months, as observed in similar incidents involving our partners in Consumer Cyclicals on April 12, 2024. External reports further reinforce this trend, with threat actors like TA571 leveraging DarkGate malware as an IAB for a recently reported attack.

Mitigations

• MFA on All Accounts: Enforcing MFA can prevent attackers from exploiting compromised credentials.
• Create and implement employee security training: DarkGate is often delivered via social engineering attacks; employees should be aware of how to identify potential social engineering tactics; how and when to report to an incident response authority.
• Regularly audit both environment and endpoints to help identify anomalous activity in an environment.

Topline Takeaways

• Industry target: Technology
• Attacker methods:
  • WinSCP
  • wget
  • SSH-RSA key
• Recommended mitigations:
  • Employ least-privilege access controls.
  • Implement application controls.
  • Minimize the use of scripting languages.

Incident Timeline for 2024-10-06

Blackpoint’s MDR technology alerted to suspicious PowerShell activity on the host of a Technology partner. Initial investigation, the PowerShell execution utilized wget to call out to an external URL to grab a zip file called “current-zip” and placed the file on the server in the temp folder, naming it “dir.txt”.

Further analysis showed the activity was spawned from sqlservr.exe, which was used to spawn a command prompt (CMD); the user account was then observed deleting logs as well as spawning WinSCP to open SFTP to make connections with an external domain. The user account was then observed using an SSH-RSA key to transfer logs. Outbound connections were observed with WinSCP connecting with a US IP indicating data exfiltration was happening.

Blackpoint’s SOC isolated the impacted servers and killed the sqlservr.exe process running on all servers. Blackpoint’s SOC then reached out to the customer to inform them of the alerts and isolation.

More About Living off the Land (LotL) Techniques

Living off the Land (LotL) techniques refers to threat actors’ behavior of using tools or features that already exist on the targeted environment. Utilizing wget and WinSCP that are likely already present on the system can aid in remaining undetected while conducting malicious activities.

One of the best examples of LotL is threat actors’ use of PowerShell. Threat actors are likely attracted to the LotL techniques for multiple reasons, which include:

• More likelihood of remaining undetected, and
• Ability to access powerful tools to conduct malicious activities without having to download, create, or maintain their own tooling.

APG Threat Analysis for LotL Techniques

Threat actors will almost certainly continue to leverage LotL techniques for data gathering, persistence, and defense evasion over the next 12 months. An incident involving a Real Estate partner in August 2024 and U.S. CISA advisory from February 2024 underscore this technique’s prevalence throughout the landscape.

Mitigations

• Employ least-privilege access controls to ensure that users only have access to the data and resources required to complete their job functions, making it more difficult for threat actors to conduct malicious activities without detection.
• Implement application controls, including blocklists and allowlists, to help manage and control software installation by end users to only approved and vetted applications.
• Minimize the use of – or implement strict controls on – the use of scripting languages, as threat actors rely on scripting languages to deploy malware and conduct malicious activities.

Topline Takeaways

• Industry target: Institutions & Organizations
• Attacker methods: Rclone
• Recommended mitigations:
  • Implement application controls.
  • Provide a dedicated software center.

Incident Timeline for 2024-10-07

Blackpoint’s MDR technology alerted to Rclone execution from the host of an Institutions & Organizations partner. Initial investigation revealed Rclone copying many shared directories and copying to multiple Google Cloud IP addresses. Blackpoint’s Active SOC contacted the partner to inform them of the incident and isolated the impacted host.

More About Rclone

Rclone is an open-source command-line program to manage files on cloud storage and is supported by over 70 cloud storage products. Rclone has been abused by threat actors to exfiltrate sensitive data to cloud storage providers; the data can then be sold, the threat actor can then deploy ransomware, and more.

Threat actors are likely attracted to tools like Rclone due to its compatibility with multiple cloud storage services; ability to automate its operation, and the ability to blend in with legitimate network traffic. Additionally, the use of a tool like Rclone allows a group to exfiltrate data without requiring the knowledge and resources to develop and maintain their own malware/tool.

APG Threat Analysis for Rclone

APG predicts it is likely that threat actors will continue to abuse legitimate tools, like Rclone, for data exfiltration over the next 12 months. APG has tracked at least 12 ransomware operations and 2 threat groups that have been reported to use Rclone during publicly reported incidents. APG’s assessment is supported by external reports of threat actors’ use of Rclone during reported incidents.

Mitigations

• Implement application controls, to help manage and control software installation by end users to only approved and vetted applications.
• Provide a dedicated software center to guarantee employees can easily access the applications and updates required for their jobs from a safe and monitored location.

These incidents underscore the evolving tactics of threat actors and highlight the importance of layered defenses. By leveraging Blackpoint’s MDR technology and following these mitigation strategies, you can bolster your organization’s defenses against these types of attacks. Reach out to Blackpoint’s SOC team for tailored recommendations on how to enhance your cybersecurity posture.