Final stage bitcoin miner code


Author: Admin | 2025-04-28

For executing the binary code, the steps involved in the technique are:

- Loads the binary code from shell.txt into the process memory
- Copies the data into an executable memory space (DllStructCreate and DllStructSetData)
- Invokes CallWindowProc with a reference to our binary code as the lpPrevWndFunc parameter

FIGURE 5: THE DE-OBFUSCATED AUTOIT SCRIPT

Finally, in the fourth and final stage of the unpacking technique, the binary code originally loaded from shell.txt performs the following actions:

- Searches for the executable file, which is also the name of an executable found in Kaspersky AV.
- Reads the dropped file “pe.bin” and decrypts it.
- Uses process hollowing to inject the decrypted code from pe.bin into the process “vbc.exe”.

We discovered that if DarkGate detects the presence of Kaspersky AV, it loads the malware as part of the shellcode rather than using the process hollowing method. The decrypted pe.bin file is the core of DarkGate. The core is responsible for its communication with the C&C (Command and Control) server and for executing commands received from it.

Let’s summarize this four-stage unpacking technique:

1. The initial dropper code is delivered using VBScript, which drops all the relevant files:
   - autoit3.exe
   - test.au3
   - pe.bin
   - shell.txt
   Once delivered, it then runs the AutoIt script.
2. The AutoIt script runs using the AutoIt interpreter, which decrypts the binary code and loads it into memory.
3. The binary code then executes and attempts to avoid detection by Kaspersky AV.
4. The final binary is decrypted and executed.

FIGURE 6: THE FOUR STAGES OF THE UNPACKING TECHNIQUE

The final binary copies all files from “C:\{computer_name}” to a new folder under “C:\Program data” with the name derived from the first eight digits of the user-generated id (ID2 - explained later on).

The final binary installs a key in the registry designed to help it maintain persistence under the key: “\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”. The key name is the first eight digits of the user-generated id, and the value is the AutoIt script that was copied from C:\{computer_name} to the “program data” folder, as shown below in Figure 7:

FIGURE 7: EXAMPLE OF REGISTRY KEY USED TO ESTABLISH PERSISTENCE

Cryptocurrency Mining

The first connection the malware makes to the C&C server is to get the file it needs to start the cryptocurrency mining process.

FIGURE 8: RETRIEVING THE FILE

As shown in Figure 9, the command “startminer” is sent as part of the response in order to tell the malware to start mining and to separate the different parts of the message. The first part is encrypted into config.bin, which is the miner command line. The second part is written to cpu.bin and, when decrypted, is the miner executable. The mining itself is done through the process “systeminfo.exe” by using process hollowing.

FIGURE 9: RETRIEVING THE CRYPTO MINER PAYLOAD

Stealing Crypto Wallet Credentials

Another capability of the malware is
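The persistence key and the hollowed miner process described above are the two host artifacts a responder can check for directly. The following PowerShell triage script is an added example written for this page, not code from the original analysis or from DarkGate itself. It enumerates the Run keys of HKCU and HKLM (the page does not state which hive, so both are checked) for a value whose name is eight digits and whose data references an AutoIt interpreter or .au3 script, and it looks for a vbc.exe or systeminfo.exe process whose parent is the AutoIt interpreter. The parent-process assumption, the 60-second lifetime threshold for systeminfo.exe (the legitimate tool exits after printing its output) and the function names are mine.

```powershell
# Added host-triage example; not from the original analysis.
# Finding 1: Run-key value named with eight digits whose data references AutoIt.
# Finding 2: vbc.exe / systeminfo.exe with an AutoIt parent, or a long-lived
#            systeminfo.exe (assumed indicators of the hollowed process).

$RunKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # hive assumed
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # hive assumed
)

function Test-SuspiciousRunValue {
    param([string]$Name, [string]$Data)
    $eightDigitName = $Name -match '^\d{8}$'                      # first eight digits of the id
    $autoItRef      = $Data -match '(?i)autoit3\.exe|\.au3(\s|"|$)' # interpreter or script reference
    $programData    = $Data -match '(?i)\\ProgramData\\'            # copied-to location
    # An AutoIt reference alone is not enough; require the naming or the location as well.
    return ($autoItRef -and ($eightDigitName -or $programData))
}

function Get-SuspiciousRunValue {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $data = [string]$regKey.GetValue($name)
            if (Test-SuspiciousRunValue -Name $name -Data $data) {
                [pscustomobject]@{ Finding = 'RunKeyPersistence'; Key = $key; Name = $name; Data = $data }
            }
        }
    }
}

function Get-SuspiciousHollowCandidate {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        if ($p.Name -notin @('vbc.exe', 'systeminfo.exe')) { continue }
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        $reasons    = @()

        # Assumption: the shellcode running inside the AutoIt interpreter spawns the target.
        if ($parentName -ieq 'autoit3.exe') { $reasons += 'parent is AutoIt interpreter' }

        # Heuristic: legitimate systeminfo.exe exits within seconds; a miner does not.
        if ($p.Name -ieq 'systeminfo.exe' -and $p.CreationDate -and
            ((Get-Date) - $p.CreationDate).TotalSeconds -gt 60) {
            $reasons += 'systeminfo.exe alive > 60 s'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Finding     = 'HollowingCandidate'
                Process     = $p.Name
                PID         = $p.ProcessId
                Parent      = $parentName
                CommandLine = $p.CommandLine
                Reason      = ($reasons -join '; ')
            }
        }
    }
}

# Usage: run in an elevated PowerShell session so HKLM and all processes are readable.
Get-SuspiciousRunValue
Get-SuspiciousHollowCandidate
```

Each finding is emitted as an object, so the output can be piped to Export-Csv or compared across hosts. A hit on either check is a triage lead, not a verdict: the eight-digit folder under ProgramData and the Run value should be collected together with the running process image before anything is removed.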
