DarkGate - Drop DarkGate Loader In C:\Temp Directory

    Date: 08/06/2024

    Severity: Medium

    Summary

    Identifies attackers attempting to save, decrypt, and execute the DarkGate Loader in the C:\temp folder.

    Indicators of Compromise (IOC) List

    TargetFilename: ':\temp\', '.au3', '\autoit3.exe'

    Image: ':\temp\', '.au3', '\autoit3.exe'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    ((resourceName = "Windows Security"  AND eventtype = "4688"  ) AND newprocessname = ":\temp"  ) AND processname in (".au3" , "\autoit3.exe")

    Detection Query 2

    (resourceName = "Sysmon"  AND imagepath = ":\temp"  ) AND image in (".au3" , "\autoit3.exe")

    Detection Query 3

    ((technologygroup = "EDR" AND eventtype = "4688"  ) AND newprocessname = ":\temp"  ) AND processname in (".au3" , "\autoit3.exe")

    Detection Query 4

    (technologygroup = "EDR"  AND imagepath = ":\temp"  ) AND image in (".au3" , "\autoit3.exe")
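    The four queries above and the IOC list express one matching rule over two fields: a file-create path (TargetFilename) or a process image (Image) under the root ':\temp\' directory that ends in '.au3' or '\autoit3.exe'. The following is an added example, not Gurucul's query engine or the SigmaHQ rule's own code; it assumes the Sigma-style "contains the directory marker and ends with one of the suffixes" semantics and Sigma's default case-insensitive matching, and runs that logic over a handful of constructed Sysmon-shaped events so the hits (and the near-misses, such as a user-profile Temp folder) can be inspected before the rule is tuned.

```python
"""Added example: evaluate the DarkGate AutoIt3-in-C:\\temp rule over sample events.

The matching semantics (contains ':\\temp\\' AND ends with '.au3' or
'\\autoit3.exe', case-insensitive) are an assumption modelled on the Sigma
rule referenced on the page, not a reproduction of Gurucul's query language.
"""

# Constructed sample events (not from the original page). Field names follow
# Sysmon conventions: Event ID 11 (FileCreate) carries TargetFilename,
# Event ID 1 (ProcessCreate) carries Image.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\temp\test.au3"},
    {"EventID": 11, "TargetFilename": r"C:\temp\Autoit3.exe"},
    # Per-user Temp folder: contains '\temp\' but not ':\temp\', so no hit.
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\script.au3"},
    {"EventID": 11, "TargetFilename": r"C:\temp\readme.txt"},
    {"EventID": 1, "Image": r"C:\temp\AutoIt3.exe"},
    # Legitimate AutoIt install location: correct suffix, wrong directory.
    {"EventID": 1, "Image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe"},
]

# IOC values taken from the page's indicator list.
PATH_MARKER = ":\\temp\\"
SUFFIXES = (".au3", "\\autoit3.exe")


def matches_darkgate_temp_drop(path: str) -> bool:
    """True when the path sits directly under a drive-root temp folder and
    is an AutoIt script or the AutoIt3 interpreter. Lower-casing mirrors
    Sigma's default case-insensitive string matching."""
    p = path.lower()
    return PATH_MARKER in p and p.endswith(SUFFIXES)


def evaluate(events):
    """Apply the rule to each event, choosing the field by event type.
    Returns (EventID, field, value) tuples for every hit, in input order."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 11:
            field, value = "TargetFilename", ev.get("TargetFilename", "")
        elif ev.get("EventID") == 1:
            field, value = "Image", ev.get("Image", "")
        else:
            continue  # other Sysmon event types are out of scope for this rule
        if matches_darkgate_temp_drop(value):
            hits.append((ev["EventID"], field, value))
    return hits


if __name__ == "__main__":
    for event_id, field, value in evaluate(SAMPLE_EVENTS):
        print(f"HIT  EventID={event_id} {field}={value}")
```

    Running the script against the constructed events produces three hits: the two file creations in C:\temp and the AutoIt3.exe process launched from there. The per-user AppData\Local\Temp path and the Program Files install do not match, which is the point of the ':\temp\' marker: the rule is scoped to the drive-root temp directory DarkGate's loader uses, not to every folder named Temp.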

    Category: Sigma

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_save_temp.yml

    https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/

    https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
