Security News > 2024 > July > DarkGate Malware Exploits Samba File Shares in Short-Lived Campaign
Cybersecurity researchers have shed light on a short-lived DarkGate malware campaign that leveraged Samba file shares to initiate the infections.
Palo Alto Networks Unit 42 said the activity spanned the months of March and April 2024, with the infection chains using servers running public-facing Samba file shares hosting Visual Basic Script and JavaScript files.
The campaign documented by Unit 42 commences with Microsoft Excel files that, when opened, urge targets to click on an embedded Open button, which, in turn, fetches and runs VBS code hosted on a Samba file share.
The PowerShell script is configured to retrieve and execute a PowerShell script, which is then used to download an AutoHotKey-based DarkGate package.
DarkGate works by scanning for various anti-malware programs and checking the CPU information to determine if it's running on a physical host or a virtual environment, thereby allowing it to hinder analysis.
"As DarkGate continues to evolve and refine its methods of infiltration and resistance to analysis, it remains a potent reminder of the need for robust and proactive cybersecurity defenses."
News URL
https://thehackernews.com/2024/07/darkgate-malware-exploits-samba-file.html
Related news
- North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware (source)
- macOS HM Surf vuln might already be under exploit by major malware family (source)
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware (source)
- SteelFox and Rhadamanthys Malware Use Copyright Scams, Driver Exploits to Target Victims (source)
- Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware (source)
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- Botnet exploits GeoVision zero-day to install Mirai malware (source)