Most antivirus programs fail to detect this cryptocurrency-stealing malware

Discussion in 'General Malware And Security' started by starbuck, Nov 17, 2018.

    Traditional antivirus software has a tough time detecting malware used in the campaign.


    A new, active campaign is using malware capable of dancing around traditional antivirus solutions in order to empty cryptocurrency wallets.

    The malware is being used in the DarkGate campaign, a previously undetected hacking operation uncovered this week by enSilo security researchers.

    According to the team, DarkGate is currently underway in Spain and France, targeting Microsoft Windows PCs by way of torrent files.

    Torrent files are most commonly associated with pirated content, but the technology itself is not illegal and can be used by consumers and businesses alike to share files of large sizes.
    In this case, however, the infected .torrent files masquerade as pirated versions of popular television shows and films including The Walking Dead.

    The DarkGate malware uses a variety of obfuscation techniques to circumvent traditional antivirus solutions.
    The malware's command-and-control (C2) structure, which allows operators to send commands remotely and for the malware to transfer stolen data, is cloaked in DNS records from legitimate services including Akamai CDN and AWS.

    Hiding the C2 under the skirts of reputable DNS services allows the malware to pass the reputation checks that catch shady services or bulletproof hosting platforms, which have become associated with malware and criminal campaigns.

    In addition, DarkGate uses vendor-based checks and actions, including a method known as "process hollowing" to avoid detection by AV software.
    This technique requires a legitimate software program to be loaded in a suspended state -- but only to act as a container for malicious processes which are then able to operate instead of the trustworthy program.

    DarkGate will also perform a number of checks in an attempt to ascertain whether or not it has landed in a sandbox environment -- used by researchers to analyze and unpack malicious software -- and will perform a scan for common AV systems, such as Avast, Bitdefender, Trend Micro, and Kaspersky.

    The malware also makes use of recovery tools to prevent files critical to its operation from being deleted.

    enSilo says that the malware author "invested significant time and effort into remaining undetected," and during testing, it was found that "most AV vendors failed to detect it."

    When executed, DarkGate implements two User Account Control (UAC) bypass techniques in order to gain system privileges, download, and execute a range of additional malware payloads.

    These packages give DarkGate the ability to steal credentials associated with a victim's cryptocurrency wallets, execute ransomware payloads, create a remote access tunnel for operators to hijack the system, and also implement covert cryptocurrency mining operations.

    According to enSilo, the C2 is overseen by human operators who act when they are alerted to new infections related to cryptocurrency wallets by installing the remote access tools necessary to compromise virtual coin funds.
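The process-hollowing sequence described above (legitimate program started suspended, malicious code written into it, then resumed) has a recognisable shape in process telemetry. The following is an added example, not code from the post or from enSilo: a small detector that flags that shape in constructed, EDR-style events. The event fields, the sample events and the 30-second window are assumptions; map them onto whatever your own sensor records.

```python
# Added example: detect the create-suspended -> cross-process write -> resume
# pattern of process hollowing in constructed process telemetry.
# Field names and sample values are assumptions, not from any real sensor.
from dataclasses import dataclass


@dataclass
class Event:
    ts: int                  # seconds since some epoch (constructed)
    kind: str                # "create" | "write" | "resume"
    pid: int                 # acting process
    target: int              # process acted upon
    suspended: bool = False  # for "create": was the child started suspended?


# Constructed sample: one hollowing chain (pid 100 -> 4242), one benign
# non-suspended launch (200 -> 5000), one suspended start that is resumed
# without ever being written to (300 -> 6000, e.g. a debugger attach).
SAMPLE = [
    Event(1, "create", 100, 4242, suspended=True),
    Event(2, "write", 100, 4242),
    Event(3, "resume", 100, 4242),
    Event(5, "create", 200, 5000, suspended=False),
    Event(6, "write", 200, 5000),
    Event(7, "resume", 200, 5000),
    Event(9, "create", 300, 6000, suspended=True),
    Event(10, "resume", 300, 6000),
]


def find_hollowing(events, window=30):
    """Return (creator_pid, target_pid) pairs where a process was created
    suspended, written to by its creator, and resumed within `window` secs."""
    pending = {}  # target pid -> [creator pid, create ts, written?]
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "create" and ev.suspended:
            pending[ev.target] = [ev.pid, ev.ts, False]
        elif ev.kind == "write" and ev.target in pending:
            if pending[ev.target][0] == ev.pid:      # creator wrote into child
                pending[ev.target][2] = True
        elif ev.kind == "resume" and ev.target in pending:
            creator, t0, written = pending.pop(ev.target)
            if written and creator == ev.pid and ev.ts - t0 <= window:
                hits.append((creator, ev.target))
    return hits


if __name__ == "__main__":
    print(find_hollowing(SAMPLE))  # [(100, 4242)]
```

A suspended start on its own is common (debuggers, installers), so the detector only fires when the creator also writes into the child before resuming it.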

