⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
In this month’s top 10, Charcoal Stork and Gamarue retained their respective places at 1 and 2 from last month, followed by several of our usual suspects. Raspberry Robin climbed to 4, the highest it’s been in the rankings since May 2023. Yellow Cockatoo, which reappeared in June 2023 after an almost year-long hiatus, decreased enough in activity to land at 8. BloodHound made it to the top 10 for the first time since April 2023, tied for 9 with Cobalt Strike.
DarkGate crashes the party
We have one newcomer to the top 10 this month. DarkGate, a loader offered on cybercrime forums as Malware-as-a-Service (MaaS) and typically distributed via phishing, makes its first appearance at spot 6.
DarkGate has been around as a malware family since 2018. Its developers began offering it as MaaS in June 2023, which drove a sharp increase in its use. Red Canary’s first known observation of DarkGate was in late August 2023, with its use increasing over the course of September. In late September, TA577 began distributing DarkGate as one of their phishing payloads – along with IcedID and Pikabot – to replace Qbot post-takedown. This is only one example of the multiple adversaries currently distributing DarkGate as a payload. Red Canary has directly observed multiple distinct delivery methods, further evidence of its use by multiple groups.
DarkGate’s popularity is likely due to a number of built-in features, including defense evasion, command & control (C2), and persistence capabilities. It also has the ability to download and execute additional payloads. DarkGate has reportedly been seen as part of pre-ransomware activity, making it a significantly higher risk if detected in your environment.
One way we have seen DarkGate delivered is through a .zip archive containing a Visual Basic Script (.vbs) loader. The file is often located in the AppData\Local directory and contains the victim username, like in this example:
This file location, plus the use of a Windows script host (cscript.exe, or its windowed counterpart wscript.exe) to execute the .vbs file, gives us a detection opportunity.
.vbs files that originate from a .zip file, executed from the %APPDATA% directory
The following pseudo-detection analytic identifies .vbs files executed from under a user’s AppData directory, specifically files that originate from a .zip file. Note that the appdata substring matches both %APPDATA% (AppData\Roaming) and %LOCALAPPDATA% (AppData\Local), so it covers the AppData\Local location described above. Typically the .vbs file is a dropper that reaches out to external resources to download additional payloads like DarkGate. If the .vbs executes successfully, there will be follow-on file modifications, network connections, and/or child processes; the analytic requires at least one of these so that a script that was blocked or failed before doing anything does not fire it.
process == (wscript.exe, cscript.exe)
command_includes (appdata, .zip, .vbs)
has filemod OR childproc OR netconn
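To make the three clauses of the analytic concrete, here is the same logic implemented over a few constructed process events. This is an added example, not Red Canary’s detection code or DarkGate’s loader: the event fields (process, command_line, filemods, childprocs, netconns), the sample paths, the username jdoe and the 203.0.113.x addresses are all assumptions for illustration. The sample archive path follows the way Windows Explorer extracts a double-clicked archive member into %LOCALAPPDATA%\Temp\Temp1_<archive>.zip\, which is why a .vbs launched straight from a .zip carries appdata, .zip and .vbs in a single command line.

```python
# Added example (not Red Canary's code): the pseudo-detection analytic above,
# implemented over constructed process events so the matching rules can be
# exercised. Field names and sample paths are assumptions for illustration.
from dataclasses import dataclass, field
from typing import List

# process == (wscript.exe, cscript.exe)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# command_includes (appdata, .zip, .vbs); "appdata" covers both
# AppData\Roaming (%APPDATA%) and AppData\Local (%LOCALAPPDATA%)
REQUIRED_TOKENS = ("appdata", ".zip", ".vbs")


@dataclass
class ProcessEvent:
    """One process-start record plus the follow-on activity attributed to it."""
    process: str                                         # image name, e.g. cscript.exe
    command_line: str
    filemods: List[str] = field(default_factory=list)    # paths written by the process
    childprocs: List[str] = field(default_factory=list)  # child process image names
    netconns: List[str] = field(default_factory=list)    # remote endpoints contacted


def matches_analytic(ev: ProcessEvent) -> bool:
    """True when the event satisfies all three clauses of the analytic."""
    if ev.process.lower() not in SCRIPT_HOSTS:
        return False
    cmd = ev.command_line.lower()          # Windows paths are case-insensitive
    if not all(tok in cmd for tok in REQUIRED_TOKENS):
        return False
    # has filemod OR childproc OR netconn: a script that never ran (blocked,
    # syntax error, sandboxed) produces none of these and should not fire.
    return bool(ev.filemods or ev.childprocs or ev.netconns)


def run_detection(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events that would raise an alert under the analytic."""
    return [ev for ev in events if matches_analytic(ev)]


# Constructed sample telemetry (assumed, not captured from a real incident).
SAMPLE_EVENTS = [
    # 1. Loader ran from an extracted archive and reached out: should fire
    ProcessEvent(
        process="cscript.exe",
        command_line=r'cscript.exe "C:\Users\jdoe\AppData\Local\Temp\Temp1_invoice.zip\invoice.vbs"',
        childprocs=["curl.exe"],
        netconns=["203.0.113.10:443"],      # TEST-NET-3 placeholder address
    ),
    # 2. Same launch, but no follow-on activity (e.g. blocked): should not fire
    ProcessEvent(
        process="cscript.exe",
        command_line=r'cscript.exe "C:\Users\jdoe\AppData\Local\Temp\Temp1_invoice.zip\invoice.vbs"',
    ),
    # 3. Legitimate admin script outside AppData, no archive in the path
    ProcessEvent(
        process="wscript.exe",
        command_line=r'wscript.exe "C:\Program Files\Vendor\maint.vbs"',
        filemods=[r"C:\ProgramData\Vendor\maint.log"],
    ),
    # 4. Right strings, wrong process: not a script host, should not fire
    ProcessEvent(
        process="powershell.exe",
        command_line=r"powershell.exe -c Expand-Archive C:\Users\jdoe\AppData\Local\Temp\a.zip; .\x.vbs",
        netconns=["203.0.113.10:443"],
    ),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit.process, hit.command_line)
```

Run against the sample set, only event 1 fires. Event 2 shows why the follow-on clause matters: the same command line with no file, process or network activity is a script that never got to run, and alerting on it would only add noise. When tuning this for a real environment, expect legitimate scripts that live under AppData (vendor updaters, login scripts) to clear the first two clauses, so review what the child processes and network connections actually were before escalating.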