Recently, I came across a tweet from Unit 42 showcasing a interesting new technique utilized by DarkGate in order to retrieve DarkGate install script via DNS TXT Records leading to DarkGate infection on the victim machine in their recent campaign.
I developed a PoC for the new DarkGate Install script retrieval technique via DNS TXT Record and uploaded it in the following repo which consists of -
- PDF with embed link (Name: Bank-Statement-poc.pdf)
- ZIP Archive (Name: Bank-Statement-20231523-poc.pdf.zip)
- consists of the LNK (Shortcut) file which retrieves install script via DNS TXT Records (Name: Bank-Statement-20231523-poc.pdf.lnk)
Disclaimer: The PoC does not contain any malicious code =) - also it is a working PoC so you can just use it easily
Following in the infection chain similar to the one seen in the ITW DarkGate campaign -
At first we open the PDF (Bank-Statement-poc.pdf) which consists of an embedded link which when clicked downloads the ZIP Archive (Bank-Statement-20231523-poc.pdf.zip)
The ZIP Archive consists of a LNK (Shortcut) file which once executed runs a command which uses nslookup to retrieve the TXT records from my testing domain "pocdomain[.]linkpc[.]net". Further I customized the LNK command a bit as the one in the ITW sample was unstable. The command then parses & dequotes the retrieved TXT record and saves it in the TEMP Directory as "poc.cmd" and then further executes it.
Here in the below screenshot you can see the retrieved TXT record using nslookup for pocdomain[.]linkpc[.]net. As seen the TXT records consists of a command ;)
Now as explained previously the commands in the TXT record response are parsed, dequoted and then saved as "poc.cmd" in the TEMP Directory and further executed - which in turn would execute calc.exe | waits for 5 seconds | kills the calc process and deletes the "poc.cmd"
The complete process tree along with the commands can be seen below:
Also the retrieved TXT record can be seen:
In the case of DarkGate ITW sample the TXT records retrieved by the malicious LNK file from the domain consists of commands to download copy of autoit3 and malicious .au3 file further leading to DarkGate infection as shown below
Image credits - Unit42_Intel
Thanks - knight0x07