A new, active campaign is using malware capable of dancing around traditional antivirus solutions in order to empty cryptocurrency wallets.
The malware is being used in the DarkGate campaign, a previously undetected hacking operation uncovered this week by enSilo security researchers.
According to the team, DarkGate is currently underway in Spain and France, targeting Microsoft Windows PCs by way of torrent files.
Torrent files are most commonly associated with pirated content, but the technology itself is not illegal and can be used by consumers and businesses alike to share files of large sizes. In this case, however, the infected .torrent files masquerade as pirated versions of popular television shows and films including The Walking Dead.
The DarkGate malware uses a variety of obfuscation techniques to circumvent traditional antivirus solutions. The malware's command-and-control (C2) structure, which allows operators to send commands remotely and for the malware to transfer stolen data, is cloaked in DNS records from legitimate services including Akamai CDN and AWS.
By hiding the C2 under the skirts of reputable DNS services, this allows the malware to pass a reputation check when it comes to shady services or bulletproof hosting platforms which have become associated with malware and criminal campaigns.
In addition, DarkGate uses vendor-based checks and actions, including a method known as "process hollowing" to avoid detection by AV software. This technique requires a legitimate software program to be loaded in a suspended state -- but only to act as a container for malicious processes which are then able to operate instead of the trustworthy program.
DarkGate will also perform a number of checks in an attempt to ascertain whether or not it has landed in a sandbox environment -- used by researchers to analyze and unpack malicious software -- and will perform a scan for common AV systems, such as Avast, Bitdefender, Trend Micro, and Kaspersky.
The malware also makes use of recovery tools to prevent files critical to its operation from being deleted.
enSilo says that the malware author "invested significant time and effort into remaining undetected," and during testing, it was found that "most AV vendors failed to detect it."
When executed, DarkGate implements two User Account Control (UAC) bypass techniques in order to gain system privileges, download, and execute a range of additional malware payloads.
These packages give DarkGate the ability to steal credentials associated with a victim's cryptocurrency wallets, execute ransomware payloads, create a remote access tunnel for operators to hijack the system, and also implement covert cryptocurrency mining operations.
According to enSilo, the C2 is overseen by human operators who act when they are alerted to new infections related to cryptocurrency wallets by installing the remote access tools necessary to compromise virtual coin funds.
Researchers from enSilo expect the malware to continue to evolve in the future. The analysis also revealed that DarkGate is connected to the Golroted password-stealing malware family, which also uses similar process hollowing and UAC techniques.
"It is clear that DarkGate is under constant development for it is being improved with every new variant," the team says. "While cryptocurrency mining, crypto stealing, and ransomware capabilities suggest the goal is financial gain, it's not clear if the author has another motive. Further investigation is required to determine the ultimate motivations behind the malware."