DarkGate new version

Hello, please consider adding a rule to the darkgate version 6.5.1
Current changes affected the lack of loading of stagers and additional payload, somewhat noisy beaconing to C2 (70-80 bytes) and a change in the user agent in the HTTP header.
app.any.run/tasks/bdc94e5f-13f7-4499-8321-28eec420f673
Search by tag darkgate

alert http any any -> any any (msg: "ET MALWARE [ANY.RUN] DarkGate HTTP POST Activity (TA577)";
flow: established, to_server; 

http.method;
content: "POST"; 
urilen: 1; 

http.header;
content: "Keep-Alive: 300";
content: "Connection: keep-alive"; distance: 0;
content: "Content-Type: Application/octet-stream"; distance: 0;
content: "Content-Length: 74|0d0a|"; distance: 0;

http.user_agent; 
content: "Mozilla/5.0 (Windows NT 10.0|3b| Win64|3b| x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"; 

http.header_names;
content: "|0d0a|Host|0d 0a|Keep-Alive|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a 0d 0a|";
startswith; 

http.request_body;
pcre: "/^[a-zA-Z0-9=+]{74}$/";
content: !"="; endswith;

threshold: type both, track by_dst, seconds 30, count 7;
reference:md5,41f79463a8c3f98272fd22bad16c7393;
reference:url,community.emergingthreats.net/t/darkgate-new-version;
metadata: malware_family darkgate, created_at 2024_04_26; 
classtype: command-and-control;
sid: 1; rev: 1;)

Have a nice day

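As an added example (not code from the thread or from the ET rule set), the following Python mirrors the rule's sticky-buffer checks over a constructed request so the conditions can be exercised offline: the single-character URI, the exact header order, the 74-byte body restricted to the base64 alphabet with no trailing "=", and a simplified model of the `threshold: type both, track by_dst, seconds 30, count 7` keyword. The host value and body content are assumptions made for the example.

```python
import re

# Constructed request modelled on the DarkGate 6.5.1 POST the rule describes;
# the Host value and the body are made up for this example.
HEADER_NAMES = ["Host", "Keep-Alive", "Connection", "User-Agent",
                "Content-Type", "Content-Length"]
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36")
BODY_RE = re.compile(r"^[a-zA-Z0-9=+]{74}$")   # same pcre as the rule

def build_request(body, host="example.invalid"):
    headers = {"Host": host, "Keep-Alive": "300", "Connection": "keep-alive",
               "User-Agent": UA, "Content-Type": "Application/octet-stream",
               "Content-Length": str(len(body))}
    lines = ["POST / HTTP/1.1"] + [f"{k}: {headers[k]}" for k in HEADER_NAMES]
    return "\r\n".join(lines) + "\r\n\r\n" + body

def parse(raw):
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _ = request_line.split(" ", 2)
    names, values = [], {}
    for line in header_lines:
        name, _, value = line.partition(": ")
        names.append(name)
        values[name] = value
    return method, uri, names, values, body

def matches_rule(raw):
    """True when every content/pcre condition of the rule holds."""
    method, uri, names, values, body = parse(raw)
    return (method == "POST" and len(uri) == 1            # http.method / urilen:1
            and names == HEADER_NAMES                      # http.header_names; startswith
            and values.get("Keep-Alive") == "300"
            and values.get("Connection") == "keep-alive"
            and values.get("Content-Type") == "Application/octet-stream"
            and values.get("Content-Length") == "74"
            and values.get("User-Agent") == UA
            and BODY_RE.match(body) is not None            # pcre on http.request_body
            and not body.endswith("="))                    # content:!"="; endswith

class DstThreshold:
    """Simplified 'type both, track by_dst': fire once per window on the count-th match."""
    def __init__(self, count=7, seconds=30):
        self.count, self.seconds, self.state = count, seconds, {}
    def observe(self, dst, ts):
        start, n, alerted = self.state.get(dst, (ts, 0, False))
        if ts - start >= self.seconds:                     # window expired, start a new one
            start, n, alerted = ts, 0, False
        n += 1
        fire = n >= self.count and not alerted
        self.state[dst] = (start, n, alerted or fire)
        return fire
```

The second assertion in the accompanying checks is the padded-body case raised later in the thread: a body ending in "=" still satisfies the pcre but is excluded by the negated `endswith` content.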

thanks for the tip @Jane0sint! We’ll get this in today’s release :+1:


Hello, I added one more check related to the fact that darkgate never uses the equal sign at the end of the encoded text.
content: !"="; endswith;


@Jane0sint - Here is the sid, it looks like I missed that content: !"="; endswith; negation so I’ll get that updated today.

2052283 - ET MALWARE [ANY.RUN] DarkGate HTTP POST Activity (TA577)


Thank you, for some reason I thought that I needed to add this check. I'm still worried that the content might be mismatched with base64 padding, so such a check wouldn't hurt. Thanks again, all the best!


Thanks @Jane0sint always for your contributions!
