Security researchers at enSilo have found a new strain of malware that evades antivirus products. The malware, used in a campaign the researchers call DarkGate, is built to steal cryptocurrency.

According to the researchers, DarkGate is currently spreading in Spain and France, where it targets Windows machines through torrent files. Torrent files are not illegal in themselves, even though they are associated with piracy; consumers and businesses use them to share large files. In this campaign the infected files pose as pirated copies of popular TV series and films, such as The Walking Dead.

Evasion

The malware uses several evasion techniques to get past traditional antivirus solutions. For example, the command-and-control (C2) infrastructure, through which remote operators send commands and the malware returns stolen data, is hidden in DNS records of legitimate services such as Akamai CDN and AWS. Traffic to those domains therefore passes reputation checks.

In addition, DarkGate uses vendor-specific checks and actions, including a technique called process hollowing, to avoid detection by antivirus software. In process hollowing, a legitimate program is started in a suspended state, its code is replaced in memory with the malicious payload, and the process is then resumed. The malicious code thus runs inside what looks, to the operating system and to security tools, like a trusted program.
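The defender's side of that technique is to compare what a process claims to be with what is actually mapped in its memory. The following is an added example (not enSilo's or Techzine's code, and not DarkGate's): a heuristic hollowing check over a constructed process snapshot. The field names, paths and entry-point bytes are assumptions built for the example; a real collector would gather the same fields with VirtualQueryEx/ReadProcessMemory or a Volatility plugin.

```python
# Added example (not enSilo's or Techzine's code): a heuristic hollowing
# check over a constructed memory snapshot. Paths, region types and the
# entry-point bytes are assumptions embedded inline so the logic runs offline.
from dataclasses import dataclass

MEM_IMAGE = 0x1000000    # region backed by an image section (normal for a module)
MEM_PRIVATE = 0x20000    # privately committed memory (VirtualAlloc)


@dataclass
class ProcessSnapshot:
    pid: int
    image_path: str            # path the process reports for its main module (PEB)
    main_region_type: int      # allocation type of the region at the image base
    entry_bytes: bytes         # first bytes at the in-memory entry point


# Constructed stand-ins for the first few entry-point bytes of the files on disk.
# Real values are whatever the installed binaries contain; the point is only
# that the on-disk copy is the reference the in-memory copy must match.
DISK_ENTRY_BYTES = {
    r"C:\Windows\System32\svchost.exe": bytes.fromhex("4883ec28e8a3010000"),
    r"C:\Windows\System32\notepad.exe": bytes.fromhex("4883ec28e8cb030000"),
}


def hollowing_indicators(snap: ProcessSnapshot, disk_entry_bytes: dict) -> list:
    """Return the reasons a process looks hollowed (empty list = clean)."""
    reasons = []
    # 1. After NtUnmapViewOfSection + VirtualAllocEx the main module lives in
    #    private memory instead of an image-backed section.
    if snap.main_region_type != MEM_IMAGE:
        reasons.append("main module region is not MEM_IMAGE")
    # 2. The code at the entry point should match the file the process claims
    #    to be. Only a short prologue is compared to avoid relocation noise.
    expected = disk_entry_bytes.get(snap.image_path)
    if expected is None:
        reasons.append("claimed image path has no on-disk reference")
    elif snap.entry_bytes[:len(expected)] != expected:
        reasons.append("entry-point bytes differ from on-disk image")
    return reasons


def scan(snapshots, disk_entry_bytes=DISK_ENTRY_BYTES) -> dict:
    """Map pid -> indicators for every process that trips at least one check."""
    flagged = {}
    for snap in snapshots:
        reasons = hollowing_indicators(snap, disk_entry_bytes)
        if reasons:
            flagged[snap.pid] = reasons
    return flagged


# Constructed snapshot: one clean svchost, one hollowed notepad whose image
# was unmapped and replaced, and one whose entry point was overwritten in place.
SAMPLE_SNAPSHOT = [
    ProcessSnapshot(1204, r"C:\Windows\System32\svchost.exe", MEM_IMAGE,
                    bytes.fromhex("4883ec28e8a3010000")),
    ProcessSnapshot(3380, r"C:\Windows\System32\notepad.exe", MEM_PRIVATE,
                    bytes.fromhex("e80000000058c3c3c3")),
    ProcessSnapshot(4411, r"C:\Windows\System32\notepad.exe", MEM_IMAGE,
                    bytes.fromhex("e9ff11223348c3c3c3")),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_SNAPSHOT).items():
        print(pid, "; ".join(reasons))
```

Only a short prologue is compared because a relocated image legitimately differs from the file in any absolute addresses; a production check would compare whole sections after undoing relocations, and would also flag a main module whose region is image-backed but maps a different file than the PEB reports.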

DarkGate also performs a number of checks to determine whether it is running in a sandbox, the isolated environment security researchers use to detonate and analyse malicious software. It also scans for common antivirus products such as Avast, Bitdefender, Trend Micro and Kaspersky, and uses recovery tools to keep its own critical files from being deleted.
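The article does not say which sandbox checks DarkGate performs. The following is an added example (not DarkGate's, enSilo's or Techzine's code) of the kind of environment fingerprinting such samples commonly run, written as a defender's self-test so a sandbox operator can see which artifacts of their own analysis VM would give it away. The thresholds, MAC prefixes, user and host names, tool names and antivirus process names are assumptions drawn from commonly documented heuristics, not from the DarkGate report.

```python
# Added example (not DarkGate's or enSilo's code): sandbox fingerprinting
# written as a defender's self-test. All thresholds, prefixes and names below
# are assumptions for illustration, not values taken from the DarkGate report.
import getpass
import os
import platform
import uuid
from dataclasses import dataclass, field


@dataclass
class HostFacts:
    cpu_count: int
    ram_gb: float
    uptime_min: float
    username: str
    hostname: str
    mac: str                                      # "aa:bb:cc:dd:ee:ff"
    processes: set = field(default_factory=set)   # lower-case image names


# Assumed OUI prefixes used by VMware and VirtualBox virtual adapters.
VM_MAC_PREFIXES = ("00:0c:29", "00:50:56", "00:05:69", "08:00:27")
# Assumed words that analysts and sandbox templates commonly put in names.
SUSPICIOUS_NAMES = {"sandbox", "malware", "virus", "cuckoo", "analyst", "test"}
# Assumed tooling whose presence betrays an analysis VM.
ANALYSIS_PROCESSES = {"vboxservice.exe", "vmtoolsd.exe", "procmon.exe",
                      "wireshark.exe", "x64dbg.exe", "ollydbg.exe"}
# Assumed service process names for the products the article lists.
AV_PROCESSES = {"avastsvc.exe": "Avast", "vsserv.exe": "Bitdefender",
                "ntrtscan.exe": "Trend Micro", "avp.exe": "Kaspersky"}


def sandbox_indicators(facts: HostFacts) -> list:
    """Return the checks that fire; an empty list means 'looks like a real host'."""
    hits = []
    if facts.cpu_count < 2:
        hits.append("single CPU core")
    if facts.ram_gb < 4:
        hits.append("less than 4 GB RAM")
    if facts.uptime_min < 10:
        hits.append("booted less than 10 minutes ago")
    if facts.mac.lower().startswith(VM_MAC_PREFIXES):
        hits.append("hypervisor MAC prefix")
    for name in (facts.username, facts.hostname):
        if any(word in name.lower() for word in SUSPICIOUS_NAMES):
            hits.append(f"suspicious name: {name}")
    tools = ANALYSIS_PROCESSES & facts.processes
    if tools:
        hits.append("analysis tooling running: " + ", ".join(sorted(tools)))
    return hits


def installed_av(facts: HostFacts) -> set:
    """Products recognised from their running service processes."""
    return {AV_PROCESSES[p] for p in facts.processes if p in AV_PROCESSES}


def live_facts() -> HostFacts:
    """Best-effort probe of the machine this runs on; unknown values never fire a check."""
    node = uuid.getnode()  # may be a random value if no hardware address is found
    mac = ":".join(f"{(node >> shift) & 0xff:02x}" for shift in range(40, -1, -8))
    try:
        ram_gb = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") / 2**30
    except (AttributeError, ValueError, OSError):
        ram_gb = float("nan")  # not available on this platform
    return HostFacts(os.cpu_count() or 1, ram_gb, float("inf"),
                     getpass.getuser(), platform.node(), mac)


# Constructed hosts: a thinly provisioned analysis VM and an ordinary workstation.
SANDBOX_BOX = HostFacts(1, 2.0, 3, "analyst", "WIN-SANDBOX01", "00:0c:29:12:34:56",
                        {"vboxservice.exe", "avastsvc.exe"})
WORKSTATION = HostFacts(8, 16.0, 4300, "jdoe", "LT-FIN-042", "3c:22:fb:aa:bb:cc",
                        {"explorer.exe", "avp.exe"})

if __name__ == "__main__":
    for label, facts in (("sandbox", SANDBOX_BOX), ("workstation", WORKSTATION),
                         ("this host", live_facts())):
        print(label, sandbox_indicators(facts), installed_av(facts))
```

The practical use is the inverse of the malware's: every indicator that fires on your own sandbox is a reason a sample may refuse to detonate there, so give analysis VMs more cores and memory, let them run for a while before detonation, and avoid telltale names and hypervisor MAC prefixes.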

Cryptocurrency

Once DarkGate is running, it elevates itself to system privileges and downloads and runs a range of additional malware. It can then steal credentials for the victim's cryptocurrency wallets, execute ransomware payloads, open a remote-access tunnel that lets the attackers take over the system, and run cryptocurrency mining operations.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.