THREAT ALERT: DarkGate Loader
The execution of DarkGate Loader ultimately leads to execution of post-exploitation tools such as Cobalt Strike and Meterpreter. This Threat Alert provides an overview of an attack involving DarkGate Loader.
Anthony M. Freed
There’s been record growth of ransomware attacks in 2021. A recent report documented 304.7 million attack attempts in the first six months of the year, as reported by Threatpost. That’s 100,000 more attempts than the total volume logged in all of 2020.
These ransomware attacks involved a variety of infection vectors. Even so, ransomware actors prefer some methods over others. Researchers found that unsecured Microsoft Remote Desktop Protocol (RDP) connections accounted for over half of all ransomware attacks, for instance. This was followed by email phishing at approximately a quarter of all ransomware infections, and the exploitation of software vulnerabilities at 12%. Let’s look at how each of these three delivery vectors lead to a ransomware attack.
A proprietary protocol developed by Microsoft, RDP enables users to remotely connect to other computers over a network connection. This protocol necessitates that both computers involved in the connection run RDP software. RDP typically “hears” that connection through defined listening ports such as TCP port 3389 and UDP port 3389, per Microsoft’s documentation.
The issue is when organizations leave their RDP ports exposed online. As noted by ZDNet, some digital crime groups specialize in scanning the web for these exposed ports. When they find them, they carry out brute-force attacks to gain access. They can then sell that access on dark web marketplaces, giving attackers like ransomware groups an opportunity through which they can establish a foothold in an organization’s network.
Ransomware is just one of the threat categories that’s commonly distributed by phishing emails. A typical attack attempt begins when a user receives a malicious email that instructs them to open a tainted file attachment. It can arrive as a PDF document, a ZIP archive, or a Microsoft Office file that tricks a recipient into enabling macros. An attacker can use any of those file formats to trick the recipient into running an executable file that downloads ransomware onto their machine.
Phishing emails don’t always use attachments to infect recipients with malware. They can also direct victims to click on a malicious link. If they do click, the campaign can redirect the recipient to a website containing fake software downloads or other ruses designed to distribute ransomware or exploit kits as their payload.
Let’s revisit the phishing scenario discussed above in which an attack email’s embedded link redirects a recipient to a website containing an exploit kit. A phishing email might be the initial attack vector in this case, but it’s not the ransomware payload’s delivery vector. The exploit kit functions as the delivery vector in that it evaluates the visitor’s web browser, operating system, and/or other software for vulnerabilities. If it detects a supported vulnerability, the exploit kit activates its exploit code and uses it to install ransomware on the victim’s machine.
This type of scenario is known as a “drive-by download.” Email attackers can set up their own websites to conduct a drive-by download, but in doing so, they need to use redirect chains, typo-squatting, and other evasive tactics so that email gateways won’t flag their embedded links outright. Alternatively, attackers can attempt to compromise a legitimate website and misuse its reputation to distribute malicious code.
Fortunately, organizations can take several steps to protect themselves against the ransomware delivery vectors discussed above. They can block RDP port 3389 if they don’t need to use it, for instance. If they need some systems to support RDP, they can put them behind a firewall and monitor them for potential signs of abuse.
As for phishing and drive-by downloads, organizations can conduct phishing simulations across their entire workforce on a regular basis and confirm that their vulnerability management programs cover the plugins and other software that help to power their websites.
Organizations can also focus on augmenting their security posture so that they can defend against ransomware and other threats. One of the ways they can do that is by implementing an anti-ransomware solution that leverages both Indicators of Compromise (IOCs) and Indicators of Behavior (IOBs), the more subtle attack activity that can reveal an attack earlier.
Such a tool allows organizations to visualize the entire story of a ransomware attack wherever it’s occurring in their environment, even an operation that’s not been detected elsewhere before, so that their security teams can quickly shut it down.
The best strategy for organizations is to prevent a ransomware attack from being successful in the first place. To do that, they need to invest in a multi-layered solution that leverages Indicators of Behavior (IOBs) to detect and prevent a ransomware attack at the earliest stages of initial ingress, prior to the exfiltration of sensitive data for double extortion, and long before the actual ransomware payload is delivered.
The Cybereason operation-centric approach provides the ability to detect RansomOps attacks earlier and why Cybereason is undefeated in the battle against ransomware with the best prevention, detection and response capabilities on the market.
Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware attacks. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
All Posts by Anthony M. FreedThe execution of DarkGate Loader ultimately leads to execution of post-exploitation tools such as Cobalt Strike and Meterpreter. This Threat Alert provides an overview of an attack involving DarkGate Loader.
A Microsoft Office code execution vulnerability dubbed “Follina” allows delivery of malware without needing the victim to allow macro execution and is very likely to be mass-exploited. The Cybereason Defense Platform detects and prevents the exploitation of Follina and enables effective hunting of this vulnerability...
The execution of DarkGate Loader ultimately leads to execution of post-exploitation tools such as Cobalt Strike and Meterpreter. This Threat Alert provides an overview of an attack involving DarkGate Loader.
A Microsoft Office code execution vulnerability dubbed “Follina” allows delivery of malware without needing the victim to allow macro execution and is very likely to be mass-exploited. The Cybereason Defense Platform detects and prevents the exploitation of Follina and enables effective hunting of this vulnerability...
Get the latest research, expert insights, and security industry news.
Subscribe