DarkGate gang using CAPTCHA to spread malware

/in


Legal advertising tools are being leveraged by cybercriminals to conceal their illicit campaigns and track victims to see how responsive they are to malware links, an analyst warns.

Hewlett Packard’s latest threat insights disclosure was revealed today (February 15th) and shines a light on DarkGate, a consortium of web-based criminals who are using legal advertising tools to augment their spam-based malware attacks.

Hewlett’s threat research team, HP Wolf Security, says it tracked DarkGate, observed operating as a malware provider since 2018, and noticed a shift in tactics last year that entailed using legitimate advertisement networks “to track victims and evade detection.”

It added: “By using ad services, threat actors can analyze which lures generate clicks and infect the most users – helping them refine campaigns for maximum impact.”

DarkGate targets potential victims with a carefully crafted email phishing campaign that encourages them to click on an infected PDF file – so far, so normal.

But instead of rerouting the target directly to the payload once they do click, the DarkGate campaign sends them to a legitimate online ad network first.

“The ad URL contains identifiers and the domain hosting the file,” said Wolf Security. “In the backend definition of the ad link, the threat actor defines the final URL, which is not shown in the PDF document. Using an ad network as a proxy helps cybercriminals to evade detection and collect analytics on who clicks their links.”

Turning defense into attack

This ploy also allows DarkGate to lean into the ad company’s own defenses – cunningly using these to conceal its own nefarious activities.

“Since the ad network uses CAPTCHAs to verify real users to prevent click fraud, it’s possible that automated malware analysis systems will fail to scan the malware because they are unable to retrieve and inspect the next stage in the infection chain, helping the threat actor to evade detection,” said Wolf Security.

This has the added benefit of making the lure appear more plausible – being routed through a legitimate ad network domain and asked to pass a CAPTCHA test only adds to the campaign’s veneer of…

Source…