Vade’s Threat Intelligence and Response Center – (now part of Hornetsecurity!) recently observed a number of malicious phishing campaigns distributing Darkgate using an unusual technique called Pastejacking. DarkGate is a sophisticated and evolving malware family, first documented in 2018, and used for information stealing and remote access capabilities and known to employ advanced evasion techniques to avoid detection by antivirus software and other security measures.
In this article, we present a step-by-step breakdown of how attackers are attempting to deliver Darkgate via pastejacking based on real emails intercepted by our email security solutions.
NOTE: The below analysis contains many defanged URLs (hxxps instead of https). This is done to protect the reader from accidental clicks. It goes without saying that this documentation is provided for research purposes, and you should NOT attempt to utilize the below URLs in any way unless you’re a trained security professional. Hornetsecurity is not liable for any damage arising from the use of this information.
