DarkGate gang using CAPTCHA to spread malware


Legal advertising tools are being leveraged by cybercriminals to conceal their illicit campaigns and track victims to see how responsive they are to malware links, an analyst warns.

HP Wolf Security’s latest threat insights disclosure was revealed today (February 15th) and shines a light on DarkGate, a consortium of web-based criminals who are using legal advertising tools to augment their spam-based malware attacks.

The threat analyst says it tracked DarkGate, observed operating as a malware provider since 2018, and noticed a shift in tactics last year that entailed using legitimate advertisement networks “to track victims and evade detection.”

ADVERTISEMENT

It added: “By using ad services, threat actors can analyze which lures generate clicks and infect the most users – helping them refine campaigns for maximum impact.”

DarkGate targets potential victims with a carefully crafted email phishing campaign that encourages them to click on an infected PDF file – so far, so normal.

But instead of rerouting the target directly to the payload once they do click, the DarkGate campaign sends them to a legitimate online ad network first.

“The ad URL contains identifiers and the domain hosting the file,” said Wolf Security. “In the backend definition of the ad link, the threat actor defines the final URL, which is not shown in the PDF document. Using an ad network as a proxy helps cybercriminals to evade detection and collect analytics on who clicks their links.”

Turning defense into attack

This ploy also allows DarkGate to lean into the ad company’s own defenses – cunningly using these to conceal its own nefarious activities.

“Since the ad network uses CAPTCHAs to verify real users to prevent click fraud, it’s possible that automated malware analysis systems will fail to scan the malware because they are unable to retrieve and inspect the next stage in the infection chain, helping the threat actor to evade detection,” said Wolf Security.

This has the added benefit of making the lure appear more plausible – being routed through a legitimate ad network domain and asked to pass a CAPTCHA test only adds to the campaign’s veneer of legitimacy.

ADVERTISEMENT

Intriguingly, DarkGate’s criminal service appears to cater to an exclusive clientele and costs thousands of dollars. Wolf Security says this implies that the group’s tools are aimed at elite cybercriminals and not amateurs or ‘script kiddies.’

“DarkGate’s developer claims to limit the number of active subscribers to its malware service to 30 customers, suggesting that the threat actors using this malware are vetted and more capable than your average cybercriminal,” said Wolf Security.

Elitism paying off

This highbrow approach appears to be paying off for DarkGate and its crook customers, and Wolf Security believes that even well-trained employees may be fooled by the campaign.

“The threat actor behind these campaigns is adept at creating persuasive social engineering lures that are difficult to spot, even for employees who have completed phishing awareness training,” it said.

“In these campaigns, malicious PDF attachments were emailed to targets. When opened, the recipient is shown a social engineering image,” it added. “In many cases, these images imitate error messages from OneDrive and other cloud services.”

Alex Holland, senior malware analyst at Wolf Security, said this approach only heightens DarkGate’s chances of success.

“Cybercriminals are becoming adept at getting into our heads and understanding how we work,” he said. “For instance, the design of popular cloud services is always being refined, so when a fake error message appears, it won’t necessarily raise an alarm, even if a user hasn’t seen it before.”

NB: An earlier version of this article was amended to remove an incorrect reference to Hewlett Packard.

ADVERTISEMENT