Home / Industry

DarkGate RAT Comes into the DNS Spotlight

In the past, DarkGate attacks were either lumped together with or classified as BattleRoyal remote access Trojan (RAT) attacks. Recent evidence, however, showed the two malware are not one and the same.

DarkGate has on its own, in fact, been wreaking havoc via attacks launched by various groups. Distributed via fake browser updates, email campaigns powered by the malware have targeted dozens of industries primarily in the U.S. and Canada.

Proofpoint researchers brought DarkGate to light and, in the process, identified eight indicators of compromise (IoCs) comprising five domains and three IP addresses. The Threat Intelligence Platform (TIP) team expanded the IoC list in an effort to enumerate other web properties that could be connected to the threat. Our latest foray into the DNS led to the discovery of:

  • Six registrant organization-connected domains
  • Two email-connected domains
  • Two additional IP addresses, both of which turned out to be malicious
  • 31 IP-connected domains
  • Three string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Shining the Light on the DarkGate IoCs

We began our in-depth DarkGate analysis by taking a closer look at the eight IoCs.

The five domains’ WHOIS records revealed that:

  • Each of them was administered by a different registrar, namely, FastDomain, Inc.; GoDaddy.com LLC; NiceNIC International Group Co. Limited; PDR Ltd.; and Tucows, Inc.
  • One domain each was created in 2010, 2014, and 2022, while two were created in 2023.
  • A majority of them, three to be exact, were registered in the U.S. One each was registered in Mexico and Saint Kitts and Nevis.

  • Two of them had unredacted registrant organizations that we used later on to find connected artifacts.

The three IP addresses’ DNS records showed that:

  • They were administered by three different ISPs, namely, DigitalOcean LLC, Emanuel Hosting Ltd., and MivoCloud SRL.
  • One IP address each was geolocated in a different country. They originated from Moldova, the Netherlands, and the U.S.

Shedding More Light on the DarkGate RAT DNS Infrastructure

To uncover potentially connected artifacts, the first thing we did was to look for other domains that had the same registrant organizations as two of the domain IoCs. Advanced historic reverse WHOIS searches for them using the Registrant Contact: Organization parameter led to the discovery of six connected domains after duplicates and the IoCs were removed.

Two of the registrant organization-connected domains continued to host live content. One—koolstoredeluxe[.]com—pointed to a login page that could be considered suspicious. Note, though, that it is not currently categorized as malicious.

Screenshot of the page hosted on registrant organization-connected domain koolstoredeluxe[.]com
Screenshot of the page hosted on registrant organization-connected domain portadoradeintenciones[.]com

We then uncovered eight email addresses from the historical WHOIS records of the five domain IoCs. Three of them were public and one was shared by two domains after duplicates, the IoCs, and registrant organization-connected domains were filtered out. Only one remained accessible to date even if it led to an error page.

We also found two additional IP addresses to which some of the domain IoCs resolved after removing the IP address IoCs. TIP revealed that while they were both geolocated in the U.S., they were not administered by the same ISP. 50[.]87[.]196[.]173 was under Unified Layer, while 74[.]208[.]41[.]177 was under IONOS SE. Both also turned out to be associated with malware.

One of the additional IP addresses could be dedicated and was shared by 31 connected domains after duplicates and the IoCs were removed. Thirty of them continued to host live content, and one of them—informandoyformando[.]org—was flagged as malicious during our analysis.

Screenshot of the malicious IP-connected domain informandoyformando[.]org

As the final step, we trooped to the DNS to look for string-connected domains. We found three that started with heilee akin to one of the domain IoCs heilee[.]com. Like the domain IoC, they were also unreachable as of this writing.

How Safe Are Browser Updates?

Browser updates should be applied with caution, and DarkGate is proof of that. To gather potentially weaponizable browser update-related domains that are already out there, we dove into the DNS to find out.

Note that we limited our investigation to:

  • Domains and subdomains created just this year, specifically beginning 1 January 2024
  • Domains and subdomains containing the text string browser

Keep in mind that duplicate domains and those already identified as IoCs or connected via email address, IP address, or string usage have also been filtered out.

Our searches led to the discovery of:

  • 162 browser-containing domains
  • 4,595 browser-containing subdomains

We further scrutinized the domains and subdomains to identify other terms that usually appear in web properties that could be weaponized by DarkGate and similar destructive supposed updates. They include:

  • ad
  • ai or gpt (or other specific artificial intelligence [AI] tool names)
  • app
  • bit, coin, or defi (or other specific cryptocurrency names)
  • check
  • detect
  • file
  • game or steam (or other specific game or gaming platform names)
  • pc or mac (or other specific operating system [OS] names)
  • update
  • shop
  • spider

Our TIP IoC expansion analysis of DarkGate turned the spotlight toward the RAT’s infrastructure that apart from the five domains and three IP addresses already identified as IoCs could also include 44 other web properties, particularly six registrant organization-, two email-, 31 IP-, and three string-connected domains and two additional IP addresses. It also turned out that the two IP addresses were malicious.

We also scoured the Web for already existing digital properties that could be poisoned by DarkGate and similar threats and identified terms that usually appear in these web properties.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services

Threat Intelligence Platform (TIP) offers easy to use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers, utilizing our substantial internal databases (compiled for 10+ years), and also real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global