Skip to content
/ DarkGate-Install-Script-via-DNS-TXT-Record Public

PoC showcasing new DarkGate Install Script retrieval technique via DNS TXT Record

License

MIT license
36 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

knight0x07/DarkGate-Install-Script-via-DNS-TXT-Record

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits

Bank-Statement-20231523-poc.pdf.zip

Bank-Statement-20231523-poc.pdf.zip

 
 

Bank-Statement-poc.pdf

Bank-Statement-poc.pdf

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Repository files navigation

DarkGate Install Script retrieval via DNS TXT Record

Recently, I came across a tweet from Unit 42 showcasing a interesting new technique utilized by DarkGate in order to retrieve DarkGate install script via DNS TXT Records leading to DarkGate infection on the victim machine in their recent campaign.

I developed a PoC for the new DarkGate Install script retrieval technique via DNS TXT Record and uploaded it in the following repo which consists of -

  • PDF with embed link (Name: Bank-Statement-poc.pdf)
  • ZIP Archive (Name: Bank-Statement-20231523-poc.pdf.zip)
    • consists of the LNK (Shortcut) file which retrieves install script via DNS TXT Records (Name: Bank-Statement-20231523-poc.pdf.lnk)

Disclaimer: The PoC does not contain any malicious code =) - also it is a working PoC so you can just use it easily

Infection Chain: Working

Following in the infection chain similar to the one seen in the ITW DarkGate campaign -

At first we open the PDF (Bank-Statement-poc.pdf) which consists of an embedded link which when clicked downloads the ZIP Archive (Bank-Statement-20231523-poc.pdf.zip)

1

The ZIP Archive consists of a LNK (Shortcut) file which once executed runs a command which uses nslookup to retrieve the TXT records from my testing domain "pocdomain[.]linkpc[.]net". Further I customized the LNK command a bit as the one in the ITW sample was unstable. The command then parses & dequotes the retrieved TXT record and saves it in the TEMP Directory as "poc.cmd" and then further executes it.

3

Here in the below screenshot you can see the retrieved TXT record using nslookup for pocdomain[.]linkpc[.]net. As seen the TXT records consists of a command ;)

5

Now as explained previously the commands in the TXT record response are parsed, dequoted and then saved as "poc.cmd" in the TEMP Directory and further executed - which in turn would execute calc.exe | waits for 5 seconds | kills the calc process and deletes the "poc.cmd"

7

The complete process tree along with the commands can be seen below:

6

Also the retrieved TXT record can be seen:

10

In the case of DarkGate ITW sample the TXT records retrieved by the malicious LNK file from the domain consists of commands to download copy of autoit3 and malicious .au3 file further leading to DarkGate infection as shown below

unit42

Image credits - Unit42_Intel

Thanks - knight0x07

About

PoC showcasing new DarkGate Install Script retrieval technique via DNS TXT Record

Topics

dns reverse-engineering malware cybersecurity poc infosec threat-hunting malware-analysis threatintel malware-development threat-intelligence ttp darkgate

Resources

Readme

License

MIT license
Activity

Stars

36 stars

Watchers

4 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published