
DarkGate Malware Exploits Social Engineering to Bypass Security | Image Source: www.trendmicro.com
CALIFORNIA, 16 June 2024 – Recent research by the cybersecurity company Trend Micro revealed a sophisticated social engineering attack involving DarkGate malware. The attack was orchestrated through email flooding, impersonation and remote desktop tools to obtain unauthorized access to computer systems. The case sheds light on the growing threat posed by advanced malware techniques that manipulate users through psychological tactics.
According to Trend Micro, the attack began with a social engineering scheme in which the victim was bombarded with thousands of emails. Shortly afterwards, the victim received a call through Microsoft Teams from a person claiming to work for an external supplier. The purpose of this impersonation was to build trust and convince the target to follow specific instructions under the pretext of IT support. According to the report, the attacker instructed the victim to download the Microsoft Remote Support app. When installation from the Microsoft Store failed, the attacker suggested downloading AnyDesk, a legitimate remote desktop application, from its official website.
Initial access via impersonation and AnyDesk
The attacker’s instructions exploited the victim’s trust in IT processes. The victim, manipulated into believing the application was legitimate, downloaded AnyDesk through a browser. AnyDesk, a widely used remote desktop tool, became the key enabler for unauthorized control of the system. To proceed, the victim was instructed to enter their credentials, which granted the attacker remote access.
This method matches a technique already documented in a Microsoft blog post, where IT support impersonation and email flooding are combined to overcome user scepticism. As Trend Micro points out, this two-layered strategy – overwhelming victims with emails and then following up with a convincing impersonation – makes the attack more credible and harder to detect. The attacker’s use of trusted platforms such as Microsoft Teams and AnyDesk further reduced suspicion among the targeted individuals.
Command-line execution and operation
Once AnyDesk was installed, it was executed within seconds of the download. The command used to launch AnyDesk was:
"C:\Users\<user>\Downloads\AnyDesk.exe" --local-service
Running the remote desktop application as a local service ensured that AnyDesk operated with elevated privileges. This allowed it to run in a minimized or unattended state, effectively removing the need for user interaction.
Minutes after AnyDesk was executed, the attack proceeded with further commands, using cmd.exe to run rundll32.exe, a native Windows utility, in order to load a malicious file named SafeStore.dll. Trend Micro telemetry confirms that the following command was invoked:
"C:\Windows\System32\cmd.exe"
followed by:
rundll32.exe SafeStore.dll,epaas_request_clone
Through rundll32.exe, the attacker was able to load and run SafeStore.dll discreetly. This step illustrates the abuse of trusted system tools for malicious purposes, a common tactic in modern malware campaigns to evade detection by security software.
Consequences of the DarkGate malware campaign
The successful execution of DarkGate malware demonstrates the evolving sophistication of cyberattacks that combine social engineering with advanced malware techniques. According to Trend Micro, attackers increasingly rely on legitimate tools such as AnyDesk and Microsoft Teams to camouflage their malicious intent. Because these tools are widely recognized and trusted, it becomes harder for victims, and even for security solutions, to detect malicious behaviour.
In addition, using email flooding as a precursor to the attack creates a sense of urgency and confusion for the victim. The email overload not only distracts the target but also serves as the pretext for a convincing follow-up call. Once trust is established, victims are more likely to comply with instructions than to become suspicious.
As Trend Micro says, “the combination of social engineering, email flooding and trusted remote desktop tools shows how attackers can exploit human behavior to avoid technical defenses. Organizations should adopt a multifaceted approach to security to effectively mitigate these threats.”
Defence against social engineering attacks
The DarkGate malware case underscores the importance of employee awareness and robust cybersecurity measures in combating social engineering attacks. Organizations are advised to train their employees to recognize the signs of phishing, impersonation and other manipulation tactics. According to Trend Micro, the following measures can help mitigate similar attacks:
- Implementing advanced email filtering to block mass spam campaigns and suspicious messages.
- Educating employees about social engineering techniques, including impersonation calls and IT support scams.
- Monitoring the use of remote desktop tools like AnyDesk and restricting their installation to authorized personnel.
- Deploying endpoint detection and response (EDR) solutions to identify unusual command-line activities.
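The EDR measure above and the command lines in the execution section suggest what such command-line monitoring looks like in practice. The following detection logic is an added example written for this article, not code from Trend Micro or from the report; it models process-creation events as dicts with Sysmon-style field names (Image, CommandLine, ParentImage), which are an assumption about the telemetry format, and runs over constructed sample events (the username alice is invented).

```python
"""Process-creation detection for the command-line tradecraft described above.
Added example, not code from Trend Micro or this article. Events are modelled
as dicts with Sysmon Event ID 1 style field names; sample events are constructed."""
import ntpath
import shlex

# Directory markers that an ordinary user can write to; an installed AnyDesk
# normally lives under Program Files, not here.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\public\\")

# Constructed sample events: two modelled on the case above, two benign controls.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Users\alice\Downloads\AnyDesk.exe",
        "CommandLine": r'"C:\Users\alice\Downloads\AnyDesk.exe" --local-service',
        "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
    },
    {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe SafeStore.dll,epaas_request_clone",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # benign: AnyDesk installed under Program Files, started from Explorer
        "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
        "CommandLine": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # benign: rundll32 loading a system DLL by full path under C:\Windows
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def _argv(command_line):
    """Split a Windows command line, keeping quoted paths intact, then drop quotes."""
    return [a.strip('"') for a in shlex.split(command_line, posix=False)]


def _in_user_writable_dir(path):
    return any(marker in path.lower() for marker in USER_WRITABLE_DIRS)


def detect_anydesk_local_service(event):
    """AnyDesk launched with --local-service from a user-writable directory
    (the Downloads folder in the case above) rather than an installed location."""
    if ntpath.basename(event["Image"]).lower() != "anydesk.exe":
        return None
    if "--local-service" not in event["CommandLine"].lower():
        return None
    if not _in_user_writable_dir(event["Image"]):
        return None
    return "anydesk_local_service_from_user_dir"


def detect_rundll32_untrusted_dll(event):
    """rundll32.exe asked to load a DLL given as a bare name (resolved relative
    to the working directory) or located outside C:\\Windows."""
    if ntpath.basename(event["Image"]).lower() != "rundll32.exe":
        return None
    argv = _argv(event["CommandLine"])
    if len(argv) < 2:
        return None
    dll = argv[1].split(",", 1)[0]          # "dll,ExportName" -> "dll"
    bare_name = ntpath.dirname(dll) == ""
    outside_windows = not dll.lower().startswith("c:\\windows\\")
    if bare_name or outside_windows:
        parent = ntpath.basename(event.get("ParentImage", "")).lower()
        suffix = "_from_cmd" if parent == "cmd.exe" else ""
        return "rundll32_untrusted_dll" + suffix
    return None


DETECTORS = (detect_anydesk_local_service, detect_rundll32_untrusted_dll)


def scan(events):
    """Return (event index, detection name) for every event a detector flags."""
    hits = []
    for i, event in enumerate(events):
        for detector in DETECTORS:
            name = detector(event)
            if name:
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for index, name in scan(SAMPLE_EVENTS):
        print(f"event {index}: {name}")
```

Both detectors key on context rather than on the file name alone: a signed AnyDesk binary started from Program Files is left alone, and rundll32 loading a DLL by full path under C:\Windows is left alone, so the rules flag the pattern of the case above (remote tool run as a service from Downloads, DLL resolved from the working directory under cmd.exe) without generating noise on routine use.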
In addition, organizations should implement strict access management policies and multifactor authentication (MFA) to prevent unauthorized access. According to Trend Micro’s analysis, proactive measures and user monitoring are essential to mitigate the risks posed by these sophisticated campaigns.
The report also stresses that attackers continue to refine their methods, so it is essential that companies stay informed about new threats. Collaboration with cybersecurity companies and investment in advanced detection technologies can significantly improve an organization’s ability to defend itself against evolving malware campaigns such as DarkGate.
While trusted tools such as AnyDesk provide legitimate functionality, they can be weaponized when users are manipulated. Companies need to balance the benefits of these tools against robust access control policies to maintain security.
In conclusion, the DarkGate malware attack serves as a reminder of the dangers posed by advanced social engineering and malware. By combining trusted platforms, email flooding and impersonation techniques, attackers are finding new ways to bypass traditional security defenses. Organizations should prioritize cybersecurity awareness, employee training and advanced detection solutions to defend themselves effectively against these evolving threats.