Flash Report: DarkGate Popularity Prompts Pause on New User Support

Key Findings

• The resurgence in popularity of DarkGate malware has prompted its founder to discontinue support for new users—a move that ZeroFox assesses is temporary and will lead to a larger number of threat actors deploying this tool, particularly in light of this malware hitting the news cycle.  

• Threat actors continue to praise DarkGate for its effectiveness, which was displayed in a recent phishing campaign using Microsoft Teams as a lure.

Analyst Commentary

The resurgence in the popularity of DarkGate malware has prompted its founder to discontinue support for new users. ZeroFox assesses this move is temporary and will lead to a larger number of threat actors deploying this tool. On September 6, 2023, developer and well-regarded threat actor “RastaFarEye” announced that the DarkGate malware project is popular and has now sold 30 licenses to monthly users. In this update, the threat actor noted that their current team cannot support any additional users and, therefore, the sale of licenses is currently suspended (see Figure 1). Of note, this is 20 more licenses than the original 10 the threat actor advertised in June 2023.

Figure 1. RastaFarEye announced they have 30 monthly users of the DarkGate malware and will not sell additional licenses

Source: ZeroFox Intelligence

Threat actors continue to praise DarkGate for its effectiveness, which was displayed in a recent phishing campaign using Microsoft Teams as a lure. RastaFarEye’s original advertisement continues to receive high praise and an above-average amount of interest from peer threat actors. ZeroFox researchers assess that the positive feedback was partially generated by the threat actor’s continual updates to the DarkGate malware project that have provided additional features and bug fixes.

Attention from peer threat actors is a significant metric in the underground. Positive reviews from other threat actors further reinforce an offering’s perceived value in the underground. Given that threat actors operate in an environment full of deception, these testimonials could add weight to the malware's credibility. The above-average engagement on the thread likely indicates its prominence in threat actor circles. ZeroFox researchers observed feedback from peer threat actors stating (see Figures 2-3):

• The malware works as advertised.
• The threat actor is quick to respond and reputable. 
• The malware is difficult to reverse.

Figure 2. Peer threat actor praising DarkGate malware and threat actor RastaFarEye
Source: ZeroFox Intelligence

Figure 3. Peer threat actor praising DarkGate malware, claiming it is difficult to reverse engineer
Source: ZeroFox Intelligence

ZeroFox researchers have identified channels the threat actor uses to market the malware. Initially, updates were advertised on both the deep web Russian-language forums, Exploit and XSS. This multi-platform approach increases visibility and the potential customer base. Researchers observed a shift in this trend, with the latest updates exclusively being promoted on Exploit. 

As previously reported in Volume 3: Issue 12 of ZeroFox’s The Underground Economist, the threat actor has updated the DarkGate malware 17 times (see Figures 4-8). The most notable updates the malware has received:

• Enhance the rootkit
• Establish persistence on a machine even when files are removed from the installation folder
• Contain hidden startup methods
• Enhance obfuscation that most antivirus products, including Windows Defender, do not detect as malicious 
• Bind multiple files into generated stub for easier distribution of malware
• Scan for open ports specified by the operator
• Prevent the malware from running on machines in CIS countries
• Bypass Cloudflare headers to show real IP addresses

Figure 4. Post by RastaFarEye announcing update featuring enhanced rootkit
Source: ZeroFox Intelligence

Figure 5. Post by RastaFarEye announcing update featuring persistence module
Source: ZeroFox Intelligence

Figure 6. Post by RastaFarEye announcing the non-detectability of malicious nature of malware by most commercial antivirus products 
Source: ZeroFox Intelligence

Figure 7. Post by RastaFarEye announcing that Windows Defender
will not detect downloads made by the malware as malicious
Source: ZeroFox Intelligence

Figure 8. Post by RastaFarEye announcing file binder
and positive feedback from peer threat actor “robber666”
Source: ZeroFox Intelligence