DarkGate Malware


Windows users in Europe have recently been the target of a sophisticated malware campaign that provides attackers with a diverse array of capabilities, including cryptomining, credential stealing, ransomware and remote-access takeovers.

Named DarkGate by its developer, the malware is reportedly distributed via torrent files disguised as popular entertainment offerings, including the Spanish basketball dramedy Campeones and the zombie drama The Walking Dead. These files actually execute malicious VBScripts on the machines of those who download them. Upon infection, the malware's first interaction with the C2 server starts the mining process, but from there DarkGate has the potential to carry out additional attacks.

Aside from its versatility, DarkGate is also notable for its use of process hollowing: launching a legitimate process on the system and using it as a wrapper to conceal malicious code, so that the malware runs under the legitimate process's name. DarkGate abuses the processes vbc.exe or regasm.exe for this purpose, the researchers' blog post explains.
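One defensive angle on the paragraph above is to treat the named hollowing hosts as a detection opportunity: vbc.exe and RegAsm.exe are .NET Framework tools that legitimately run only briefly, with arguments, from the Framework directory, and never under a script interpreter. The following is an added example written for this page, not code from the DarkGate write-up or from enSilo. The event layout, the parent-process names (wscript.exe, cscript.exe), the Framework path prefix and all sample events are constructed assumptions, not DarkGate indicators.

```python
"""Heuristic detection of hollowed vbc.exe / RegAsm.exe processes.

Added example over constructed process-creation events (Sysmon-style fields).
Nothing here is a real DarkGate indicator; the paths, parents and the
'network_connect' join are assumptions made for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Hollowing hosts named in the write-up.
HOLLOW_HOSTS = {"vbc.exe", "regasm.exe"}
# Script interpreters that would run a malicious VBScript (assumption).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Where the .NET Framework tools legitimately live (assumption, lower-cased).
FRAMEWORK_PREFIX = "c:\\windows\\microsoft.net\\framework"


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str            # full path of the created process
    command_line: str
    parent_image: str     # full path of the parent process
    network_connect: bool  # joined from network events: did this PID connect out?


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like a hollowed host (empty = benign)."""
    name = _basename(ev.image)
    if name not in HOLLOW_HOSTS:
        return []
    reasons: list[str] = []
    if _basename(ev.parent_image) in SCRIPT_HOSTS:
        reasons.append("spawned by script host")
    if not ev.image.lower().startswith(FRAMEWORK_PREFIX):
        reasons.append("image outside .NET Framework directory")
    # A compiler or registration tool started with no arguments does no real
    # work; a host started that way and then kept alive is the hollowing pattern.
    bare = {f'"{ev.image.lower()}"', ev.image.lower(), name}
    if ev.command_line.strip().lower() in bare:
        reasons.append("no command-line arguments")
    if ev.network_connect:
        reasons.append("outbound network connection from compiler tool")
    return reasons


def detect(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map suspicious PIDs to their reasons."""
    return {ev.pid: r for ev in events if (r := score_event(ev))}


# Constructed sample telemetry (not real data).
FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_EVENTS = [
    # Legitimate build: vbc.exe with a response file, launched by a build tool.
    ProcessEvent(1001, FW + r"\vbc.exe", f'"{FW}\\vbc.exe" /noconfig @obj\\build.rsp',
                 r"C:\Program Files\Build\msbuild.exe", False),
    # Hollowing pattern: bare vbc.exe under wscript.exe, later talks to the network.
    ProcessEvent(1002, FW + r"\vbc.exe", f'"{FW}\\vbc.exe"',
                 r"C:\Windows\System32\wscript.exe", True),
    # Same pattern with RegAsm.exe, no network activity seen yet.
    ProcessEvent(1003, FW + r"\RegAsm.exe", f'"{FW}\\RegAsm.exe"',
                 r"C:\Windows\System32\wscript.exe", False),
    # Unrelated process, ignored by the rule.
    ProcessEvent(1004, r"C:\Windows\System32\notepad.exe", "notepad.exe",
                 r"C:\Windows\explorer.exe", False),
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The rule deliberately scores several weak signals rather than alerting on the process name alone, because both tools appear on developer machines; in production the parent-name and path checks would be tuned against the environment's own baseline.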

Another of DarkGate's remarkable traits is its human-powered, "reactive" C2 infrastructure, which is staffed by actual people. These operators "act upon receiving notifications of new infections with crypto wallets," wrote blog post authors Zeligson and fellow researcher Rotem Kerner. Additionally, "When the operator detects any interesting activity… they then proceed to install a custom remote access tool on the [infected] machine for manual operations."

Source: SCMagazine

How do you protect yourself?

Proper security measures must be in place to defend against DarkGate and similar threats. Download only legitimate apps from the app store and do not click suspicious links. Up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.


CVE-2018-15979


Adobe has released security updates for Adobe Acrobat and Reader for Windows to resolve an important vulnerability. Successful exploitation could lead to an inadvertent leak of the user’s hashed NTLM password.

Source: Adobe

How do you protect yourself?

Adobe recommends that users update their software installations to the latest versions.


Mylobot Botnet


Deep Instinct Ltd. blogged about a highly sophisticated botnet, dubbed Mylobot, that incorporates several new techniques, including improved evasion techniques and command-and-control (C&C) connections. Deep Instinct reported that the Mylobot botnet uses the dark web and C&C servers from other malware campaigns to establish its own C&C connections.

The Mylobot malware differs from a typical botnet in terms of its use of code injection, process hollowing and reflective EXE. It also includes common malware functionality, such as anti-VM, anti-sandbox and anti-debugging techniques, including the use of an encrypted resource file. While code injection, process hollowing and reflective EXE are not new techniques, they are not typically seen in malware.

Mylobot also has the ability to delay contacting the C&C network for 14 days, to minimize the chance that the download and execution of the binary on the endpoint will be correlated with its later C&C connection.
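The 14-day delay is aimed squarely at correlation logic that only links a new binary's execution to its network activity inside a short window. The following is an added example written for this page, not code from Deep Instinct or from the Mylobot analysis, showing the difference between a windowed join and a persisted first-seen table over constructed endpoint telemetry; the hashes, paths, addresses and timestamps are all made up.

```python
"""Correlating first execution of a binary with its first outbound connection.

Added example with constructed events; a fixed correlation window shorter
than the delay never links the dormant binary to its beacon, while a
persisted first-seen table does.  No real Mylobot indicators are used.
"""
from __future__ import annotations
from datetime import datetime, timedelta

# Constructed telemetry: (timestamp, kind, sha256-prefix, detail).
EVENTS = [
    (datetime(2018, 6, 1, 9, 0), "exec", "aaaa1111", r"C:\Users\u\AppData\Roaming\svc.exe"),
    (datetime(2018, 6, 1, 9, 5), "exec", "bbbb2222", r"C:\Program Files\Tool\tool.exe"),
    (datetime(2018, 6, 1, 9, 6), "net", "bbbb2222", "updates.vendor.example:443"),
    (datetime(2018, 6, 15, 9, 1), "net", "aaaa1111", "203.0.113.10:1080"),  # 14 days later
]


def correlate(events, window: timedelta | None = None) -> dict[str, timedelta]:
    """Return {hash: age at first outbound connection} for each binary whose
    first connection falls within `window` of its first execution.
    window=None keeps first-seen state indefinitely."""
    first_exec: dict[str, datetime] = {}
    linked: dict[str, timedelta] = {}
    for ts, kind, sha, _detail in sorted(events):
        if kind == "exec":
            first_exec.setdefault(sha, ts)
        elif kind == "net" and sha in first_exec and sha not in linked:
            age = ts - first_exec[sha]
            if window is None or age <= window:
                linked[sha] = age
    return linked


def dormant_binaries(events, threshold: timedelta) -> list[str]:
    """Hashes that executed, then stayed silent longer than `threshold` before
    their first outbound connection: a hunting signal for delayed beacons."""
    return sorted(sha for sha, age in correlate(events).items() if age > threshold)


if __name__ == "__main__":
    print("24h window:", correlate(EVENTS, timedelta(days=1)))
    print("persisted: ", correlate(EVENTS))
    print("dormant >7d:", dormant_binaries(EVENTS, timedelta(days=7)))
```

The persisted table is the point: the first-seen record for a hash must outlive any analysis window, otherwise a beacon that arrives after the window simply looks like traffic from an old, trusted binary.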

Source: TechTarget

How do you protect yourself?

Proper security measures must be in place to defend against the Mylobot botnet and similar threats. Up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from Mylobot and similar malware. Avoid clicking unknown links and downloading suspicious attachments.