Date: 08/21/2024
Severity: Medium
Summary
Detects file-creation events in which curl.exe, KeyScramblerLogon.exe, or another unusual or suspicious process writes Autoit3.exe to disk. This behavior is linked to DarkGate malware, which uses Autoit3.exe to run shellcode for process injection and to connect to the DarkGate command-and-control server. Obtaining the Autoit3 executable through curl, KeyScramblerLogon, or similar processes is considered a non-standard and suspicious method.
Indicators of Compromise (IOC) List
Field | Value(s) |
Image | '\Autoit3.exe', '\curl.exe', '\ExtExport.exe', '\KeyScramblerLogon.exe', '\wmprph.exe' |
TargetFilename | '\Autoit3.exe' |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | ((Resourcename in ("Sysmon") AND eventtype = "11") AND image in ("\\Autoit3.exe" , "\\curl.exe" , "\\ExtExport.exe" , "\\KeyScramblerLogon.exe" , "\\wmprph.exe")) AND targetfilename = "\\Autoit3.exe" |
Detection Query 2 | ((Technologygroup in ("EDR") AND eventtype = "11") AND image in ("\\Autoit3.exe" , "\\curl.exe" , "\\ExtExport.exe" , "\\KeyScramblerLogon.exe" , "\\wmprph.exe")) AND targetfilename = "\\Autoit3.exe" |
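Both TDIR queries express one condition: a Sysmon FileCreate event (Event ID 11) whose creating image ends with one of the listed file names and whose target file name ends with \Autoit3.exe. The script below is an added illustration, not part of Gurucul's rule or of the referenced Sigma rule; it applies that condition to a handful of constructed, flattened Sysmon records. It assumes case-insensitive suffix matching on the path (the behaviour of the Sigma rule's Image|endswith modifier) and a "Key=Value|Key=Value" record layout invented for the example; real Sysmon data is XML in EVTX and is flattened differently by each SIEM pipeline.

```python
"""Flag Autoit3.exe being written to disk by an unusual process (Sysmon Event ID 11).

Added example: the record format and sample events below are constructed for
illustration and are not taken from the rule or from any real incident.
"""
from typing import Dict, List

# Image path suffixes from the rule's IOC list, lower-cased for case-insensitive
# comparison (Windows paths are case-insensitive). Suffix matching is an
# assumption taken from the referenced Sigma rule's Image|endswith modifier.
SUSPICIOUS_IMAGE_SUFFIXES = (
    "\\autoit3.exe",
    "\\curl.exe",
    "\\extexport.exe",
    "\\keyscramblerlogon.exe",
    "\\wmprph.exe",
)
TARGET_FILENAME_SUFFIX = "\\autoit3.exe"
SYSMON_FILE_CREATE = "11"  # Sysmon Event ID 11: FileCreate


def parse_event(line: str) -> Dict[str, str]:
    """Parse a constructed 'Key=Value|Key=Value' record into a dict of fields."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        if "=" not in part:
            continue  # tolerate malformed fragments instead of failing the whole line
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_suspicious_autoit3_creation(event: Dict[str, str]) -> bool:
    """True when the event satisfies the rule: EventID 11 AND image in the
    IOC list AND the created file is Autoit3.exe."""
    if event.get("EventID") != SYSMON_FILE_CREATE:
        return False
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return image.endswith(SUSPICIOUS_IMAGE_SUFFIXES) and target.endswith(TARGET_FILENAME_SUFFIX)


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match the rule, in input order."""
    return [e for e in (parse_event(line) for line in lines) if is_suspicious_autoit3_creation(e)]


# Constructed sample records: the first two should alert, the rest should not.
SAMPLE_EVENTS = [
    # curl.exe writing Autoit3.exe -> matches both halves of the AND
    "EventID=11|Image=C:\\Windows\\System32\\curl.exe|TargetFilename=C:\\Users\\Public\\Autoit3.exe",
    # KeyScramblerLogon.exe writing AutoIt3.exe (mixed case) -> matches
    "EventID=11|Image=C:\\Program Files\\KeyScrambler\\KeyScramblerLogon.exe|TargetFilename=C:\\Temp\\AutoIt3.exe",
    # explorer.exe is not in the image list -> no alert, even though the file is Autoit3.exe
    "EventID=11|Image=C:\\Windows\\explorer.exe|TargetFilename=C:\\Users\\alice\\Downloads\\Autoit3.exe",
    # curl.exe writing some other file -> no alert
    "EventID=11|Image=C:\\Windows\\System32\\curl.exe|TargetFilename=C:\\Temp\\report.pdf",
    # Event ID 1 (ProcessCreate) is outside the rule's scope -> no alert
    "EventID=1|Image=C:\\Windows\\System32\\curl.exe|ParentImage=C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} created {hit['TargetFilename']}")
```

Events three and four in the sample set show the two halves of the AND separately: a common process writing Autoit3.exe is not flagged because the image list is deliberately narrow, and a listed process writing some other file is not flagged because the target file name is required. That keeps the rule precise; it is a companion to, not a replacement for, broader coverage of the DarkGate behaviours described in the references.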
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml
https://github.security.telekom.com/2023/08/darkgate-loader.html
https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
https://github.com/pr0xylife/DarkGate/tree/main