DarkGate, SolarMarker, and Malicious PowerShell Commands

DarkGate Incident Timeline for April 04, 2024

• Blackpoint’s MDR alerted to a possible DarkGate malware attack stemming from a malicious PDF file attachment within a phishing email.
• An MDR analyst began initial triage and investigation, and discovered the malicious file initiated AutoIt (to run malicious scripts), Advanced IP Scanner (to perform enumeration), Adobe injection (to communicate with its malicious external command and control [C2] server), and a startup task for attempted persistence.
• The analyst escalated the incident to senior SOC leadership.
• The senior MDR analyst isolated the impacted endpoint to prevent lateral spread and external communication with C2 server, which was not successful.
• The SOC made contact with the partner about the incident and provided additional remediation advice.

More About DarkGate

DarkGate malware is a Malware-as-a-Service (MaaS) that has been sold on cybercriminal marketplaces since 2017. The malware allows attackers to conduct a number of malicious activities, including keylogging, information theft, privilege escalation, remote access tools (RATs) for persistence, and cryptocurrency mining (1).

DarkGate malware is offered through a subscription-based model with a one-day package for $1000, a monthly package for $15,000, and a one-year package for $100,000. DarkGate malware has previously used various initial access methods, including social engineering, malvertising, and vulnerability exploitation (2).

APG Threat Analysis of DarkGate for 2024

The APG predicts that threat actors will likely continue to use DarkGate over the next 12 months.

We base this assessment on our observations of recent threat use and accelerated dark web sales of the malware.

For example, this year (2024), security researchers with Trend Micro reported a DarkGate campaign exploiting the vulnerability CVE-2024-21412 (CVSS Score 8.1)–a security feature bypass vulnerability affecting Microsoft Windows Internet Shortcut Files (3). The campaign included the use of a phishing email with a malicious attachment that, when executed, deployed the DarkGate malware.

Recommended DarkGate Mitigations and Remediations

The APG recommends the following actions to help mitigate the deployment of the DarkGate malware.

• Conduct employee security awareness training to ensure employees are aware of what basic phishing emails look like, and are more cautious about opening email attachments.
• Implement a proactive, risk-based patch management program to ensure that known exploited vulnerabilities (such as CVE-2024-21412) are patched in a timely manner to prevent use by threat actors.
• Ensure employees are using MFA and VPNs to access sensitive data and resources, providing an additional level of credential authentication even if a threat actor should compromise an individual account.

SolarMarker Incident Timeline for April 5, 2024

• The Blackpoint SOC received an onboarding ticket request for a new healthcare partner.
• The SOC began the onboarding process for the new partner, and our MDR immediately alerted to pre-existing malicious activity on the host endpoint: malicious PowerShell scripts tied to SolarMarker malware. The scripts created several variables to call on for a persistence payload disguised as a shortcut (lnk file) in the compromised user’s startup folder.
• An MDR analyst escalated the incident to senior SOC leadership. A senior MDR analyst observed the PowerShell script, noting that its outbound connections led to an IP address geolocated to Denmark. The script itself was heavily obfuscated to bypass antivirus (AV) detections and employed a fileless persistence technique by creating a registry key in the user’s registry hive.
• The senior MDR analyst isolated the impacted endpoints from all external and internal communications.
• The SOC made contact with the partner about the incident and provided additional remediation advice.

More About SolarMarker

Active since 2021, SolarMarker is a malware variant written in .NET that possesses a backdoor and information stealing capability (4). SolarMarker encrypts its traffic to C2 servers using hard-coded RSA key and a symmetric AES CBC algorithm; data is often exfiltrated in a JSON format to the server.

SolarMarker has previously collected information about the infected system (4), including:

• Machine name,
• OS version,
• System architecture (x64 or x86),
• User rights (admin or users),
• Workgroup,
• DNS, and
• Protocol version.

APG Threat Analysis of SolarMarker for 2024

The APG predicts that threat actors will almost certainly continue to use SolarMarker and other information stealing malware over the next 12 months.

We base this assessment on observed attempted attacks in Blackpoint SOC protected environments, as well as third-party research observations.

In 2024, security researchers with Malwarebytes reported a cyberattack involving SolarMarker malware targeting an academic institution; the malware had been present on the system since 2021 (5). This activity was reportedly identified due to PowerShell attempting to establish a network connection to an IP address in France – a similar tactic the Blackpoint SOC observed in this week’s specific incident.

In fact, SolarMarker has increasingly become a reliable information stealing malware for threat actors. Critical verticals, such as Academics and Healthcare, remain an attractive target to threat actors – both advanced persistent threat (APT) and cybercriminal – due to:

• The vast amount of personal information that can be sold to other threat actors,
• The ability to sell access to other criminal groups, such as ransomware operators, and
• The impact these attacks can have on an organization.

Recommended SolarMarker Mitigations and Remediations

The APG recommends the following actions to help mitigate the SolarMarker malware:

• Implement least privilege access controls, to help ensure that users only have access to the data and resources required to complete their job functions in the event of a compromised credential or account.
• Implement behavioral monitoring

These actions will help you detect unusual patterns that could be indicative of malicious behavior by threat actors. In this case, traditional EDRs and AVs may have been unable to detect this SolarMarker infection, as it had explicitly designed scripts for persistence and obfuscation against AVs prior to onboarding. However, with the installation of malicious-activity alerts and managed triage by the Blackpoint SOC, the infected device was identified and isolated almost immediately. In addition, you should…

• Encourage the use of secure password managers, versus browser-based password storage that can be accessed by information stealing malware such as SolarMarker.

LogConverter.bat Incident Timeline for April 8, 2024

• Blackpoint’s MDR alerted to a suspicious PowerShell command on the domain controller of a real estate partner.
• An MDR analyst began initial triage and investigation. They found that the PowerShell command was heavily obfuscated, spawning from a batch script called “LogCoverter[.]bat”.
• The analyst isolated the impacted endpoints from all external and internal communications.
• The SOC made contact with the partner about the incident and provided additional remediation advice.

More About Malicious PowerShell Commands

PowerShell is a task automation and configuration management program from Microsoft. PowerShell uses a fileless approach that executes commands and scripts in memory, which can make it harder to detect.

Threat actors often leverage PowerShell (6). In fact, all 36 ransomware groups currently tracked by the APG have previously been observed using PowerShell, as well as multiple APT groups.

APG Threat Analysis of Malicious PowerShell Commands for 2024

The APG predicts that threat actors will almost certainly continue to use malicous PowerShell commands over the next 12 months to deploy malware, attempt persistance, and other malicious activities in victim environments.

We base this assessment on our current SOC activity analysis, as well as recent external research.

In December 2023, for example, security researchers with ConnectWise reported that a former DarkSide ransomware affiliate was observed delivering trojanized installers via malvertising (7). In this incident, extracted files from the 7zip archive were moved to a file named “LogConverter[.]bat”.

(Note that while this specific incident interrupted by the SOC has not been officially attributed to any specific threat group or malware, threat actors often reuse similar file names in multiple attacks.)

Recommended Malicous PowerShell Command Mitigations and Remediations

The APG recommends the following actions to help mitigate malicious PowerShell commands:

• Implement malicious behavioral monitoring on managed environments to detect unusual patterns that could be indicative of threat actor activities.
• Use network segmentation to ensure critical systems are isolated from less secure areas and prevent unauthorized communication restrictions between segments.
• Implement least privilege access controls, to help ensure that users only have access to the data and resources required to complete their job functions – similar to the earlier SolarMarker incident we analyzed for this week.