New DarkGate malware is both a ransomware and a cryptominer targeting victims in Europe
- The malware also comes with advanced anti-analysis techniques and can gain remote control of targeted systems.
- The malware is currently being delivered via Torrent files.
DarkGate is a new sophisticated malware that has both ransomware and cryptomining components. The malware also uses several advanced anti-analysis techniques, such as using vendor-specific checks, to evade detection.
The malware is also capable of downloading and executing multiple payloads, including ones that steal cryptocurrencies from wallets, and of gaining remote control of targeted systems. The malware was found targeting Spain and France. Although it comes with a wide range of functionalities designed to steal money, it is unclear to security researchers whether the motive behind the malware is entirely financial gain.
“As part of our normal research activities, we occasionally perform a controlled infection of what seemed to be a legitimate user endpoint. The controlled infection is performed in order to investigate several aspects of the malware, as well as reactivity of the malware operator,” security researchers at enSilo, who discovered DarkGate, wrote in a blog post.
“For example, in one of the encounters our research team was able to determine the operator detected our activity and immediately responded to our activity by infecting the test machine with a customized piece of ransomware,” the researchers added.
According to the researchers, DarkGate shares similarities with another data-stealing malware called Golroted. Apart from its cryptominer and ransomware components, DarkGate is capable of keylogging and of stealing credentials, browser data, Skype chats, and more.
“enSilo observed that the author behind this malware established a reactive Command and Control infrastructure which is staffed by human operators who act upon receiving notifications of new infections with crypto wallets,” enSilo researchers said. “When the operator detects any interesting activity by one of the malware, they then proceed to install a custom remote access tool on the machine for manual operations.”