Samba file shares leveraged to facilitate DarkGate malware delivery.
Europe and portions of Asia have been subjected to an attack campaign distributing the DarkGate malware-as-a-service payload through the exploitation of Samba file shares.
According to The Hacker News, malicious Microsoft Excel files have been used by threat actors to facilitate the execution of a Samba file share-hosted VBS code, which enables the retrieval of a PowerShell script and other files, analysis from Palo Alto Networks Unit 42 revealed.
The PowerShell script triggers another PowerShell script that enables the installation of an AutoHotKey package for DarkGate before eventually deploying the malware, which proceeds with security software scanning and CPU data monitoring before conducting data exfiltration to a connected command-and-control server.
Researchers said: "As DarkGate continues to evolve and refine its methods of infiltration and resistance to analysis, it remains a potent reminder of the need for robust and proactive cybersecurity defenses.”
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
