Financially Motivated Threat Actors Enter Through The DarkGate

After the FBI disrupted Qakbot, distribution of the DarkGate loader spiked, targeting the financial sector in Europe and the US. The activity has been linked to cybercrime groups such as TA577 and to Ransomware-as-a-Service operations such as BianLian and Black Basta. DarkGate is typically used as an initial access vector, allowing threat actors to deploy additional payloads, including information stealers and ransomware. It is delivered through phishing and shares traits with IcedID, hinting at possible collusion or shared tooling among cyber criminals.

DarkGate employs several tactics to avoid detection and maintain persistence, including an internal payload crypter, privilege escalation, antivirus evasion and a rootkit module. Recent developments include the use of malicious DNS TXT records for payload delivery and abuse of Google's DoubleClick service to bypass security controls; version 6.1.6 introduced DLL side-loading to evade detection.
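The paragraph notes that recent DarkGate builds stage payloads through malicious DNS TXT records. As an added example (not from the original article, and not DarkGate's actual code or infrastructure), the Python script below scans resolver log lines for TXT answers that look like encoded payload delivery: long base64-like strings, high-entropy text, or data that decodes to a Windows PE header. The log line format, the thresholds, the query name `update.cdn-stage.test` and every sample record are constructed for this example.

```python
"""Flag DNS TXT answers that look like encoded payload delivery.

Added example for this page. The log format, thresholds and sample data are
assumptions made for illustration, not DarkGate's real infrastructure or a
vendor detection rule.
"""
import base64
import binascii
import math
import re
from collections import Counter
from dataclasses import dataclass, field

# Assumed resolver log format: "<timestamp> <client> <qname> <qtype> <rdata>".
LOG_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$')
B64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")

# Constructed stand-in for a staged Windows executable: a DOS header and stub
# padded with arbitrary bytes. Not real malware.
DOS_STUB = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
            + b"\x00" * 44
            + b"This program cannot be run in DOS mode.\r\r\n$")
FAKE_PAYLOAD_B64 = base64.b64encode(DOS_STUB + bytes(range(64))).decode()

# Constructed sample log lines: two legitimate TXT records (SPF, DMARC),
# one A record, and one TXT answer carrying the encoded stand-in payload.
SAMPLE_LOG = (
    '2024-01-10T09:12:01Z 10.0.0.5 example.com TXT "v=spf1 include:_spf.example.com -all"\n'
    '2024-01-10T09:12:03Z 10.0.0.5 _dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"\n'
    '2024-01-10T09:12:09Z 10.0.0.7 example.com A 93.184.216.34\n'
    f'2024-01-10T09:12:11Z 10.0.0.5 update.cdn-stage.test TXT "{FAKE_PAYLOAD_B64}"\n'
)


@dataclass
class Finding:
    client: str
    qname: str
    length: int
    entropy: float
    reasons: list = field(default_factory=list)


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded, compressed or encrypted data scores high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse_txt(rdata: str) -> tuple:
    """Return (length, entropy, reasons) for one TXT string; empty reasons = benign."""
    text = rdata.strip().strip('"')
    reasons = []
    # Assumed thresholds: tune them against your own resolver baseline.
    b64_ratio = sum(ch in B64_ALPHABET for ch in text.rstrip("=")) / max(len(text), 1)
    if len(text) >= 128 and b64_ratio >= 0.95:
        reasons.append("long_base64_like")
    ent = shannon_entropy(text)
    if ent >= 4.5 and len(text) >= 64:
        reasons.append("high_entropy")
    try:
        decoded = base64.b64decode(text, validate=True)
        if decoded.startswith(b"MZ"):
            reasons.append("pe_header")  # decodes to a Windows executable header
        elif decoded.lstrip().lower().startswith((b"<script", b"powershell", b"cmd")):
            reasons.append("script_marker")
    except (binascii.Error, ValueError):
        pass  # not valid base64; SPF/DMARC and similar land here
    return len(text), ent, reasons


def scan_log(log_text: str) -> list:
    """Parse resolver log lines and return findings for suspicious TXT answers."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, qname, qtype, rdata = m.groups()
        if qtype != "TXT":
            continue
        length, ent, reasons = analyse_txt(rdata)
        if reasons:
            findings.append(Finding(client, qname, length, round(ent, 2), reasons))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} -> {f.qname}: len={f.length} entropy={f.entropy} reasons={f.reasons}")
```

The script treats every TXT string on its own. A loader that stages a binary over DNS will usually split it across several 255-byte TXT strings or several successive queries, so a production version should group answers per client and query name, concatenate the chunks in order, and then run the decode check on the joined buffer. The other techniques the paragraph lists (DoubleClick abuse, DLL side-loading) are not addressed by this check.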