Cyber attacks implicating the DarkGate malware-as-a-service (MaaS) operation have moved away from AutoIt scripts to an AutoHotkey instrument to deliver the last scenes, highlighting resumed on the part of the threat actors to constantly remain forward of the detection angle. The updates have been marked in version 6 of DarkGate dismissed in March 2024 by its creator RastaFarEye, who has been marketing the program on a subscription basis to as many as 30 clients. The malware has been active since at least 2018.

A fully-featured remote access trojan (RAT), DarkGate is provided with command-and-control (C2) and rootkit abilities and includes different modules for the credential heist, keylogging, screen grabbing, and remote desktop.

"DarkGate campaigns manage to adjust fast, modifying various features to attempt to remain off protection resolutions," Trellix safety investigator Ernesto Fernández Provecho stated in a Monday study. "This is the foremost time we see DarkGate employing AutoHotKey, a not-so-common scripting interpreter, to establish DarkGate." It's worth mentioning that DarkGate's control of AutoHotKey was rather reported by McAfee Labs in late April 2024, with attack chains leveraging safety defects such as CVE-2023-36025 and CVE-2024-21412 to avoid Microsoft Defender SmartScreen protections operating a Microsoft Excel or HTML extension in phishing emails.

Alternate techniques have been discovered to leverage Excel files with entrenched macros as a line to conduct a Visual Basic Script file that's liable for gathering PowerShell commands to ultimately establish an AutoHotKey script, which, in turn, retrieves and decodes the DarkGate payload from a text file. The latest version of DarkGate packs in significant advancements to its composition, evasion strategies, and list of funded orders, which now contains audio recording, mouse control, and keyboard control elements.

"Version 6 not only contains new powers, but also lacks some of them from earlier versions, like the privilege escalation, the cryptomining, or the hVNC (Hidden Virtual Network Computing) ones," Fernández Provecho stated, adding it may be an effort to cut out elements that could enable detection. "Moreover, since DarkGate is sold to a smallish group of individuals, it is also likely that the clients were not curious about those elements, forcing RastaFarEye to dismiss them."

The exposure comes as cyber criminals have been found manipulating Docusign by trading legitimate-looking customizable phishing templates on confidential meetings, turning the service into a fruitful ground for phishers looking to rob credentials for phishing and company email compromise (BEC) scams. "These dishonest emails, meticulously developed to spoof legitimate document signing demands, attract unsuspecting recipients into connecting malicious connections or disclosing susceptible data," Abnormal Security stated.