Cybergang DarkGate Uses CAPTCHA to Spread Malware


HP Wolf Security’s latest threat insights report puts a spotlight on DarkGate, a group of web-based criminals that uses legitimate advertising tools to enhance its spam-based malware attacks.

The report says DarkGate has operated as a malware provider since 2018, and that last year it apparently shifted tactics to using legitimate advertising networks “to track victims and evade detection.” By routing clicks through ad services, threat actors can analyze which lures generate clicks and infect the most users, helping them refine campaigns for maximum impact.

According to Cybernews, DarkGate targets potential victims with a phishing email that encourages them to open an infected PDF file. When the target clicks the link in the PDF, the campaign does not send them directly to the payload; it routes them through a legitimate online ad network first. “Using an ad network as a proxy helps cybercriminals to evade detection and collect analytics on who clicks their links,” reads the report. This lets DarkGate hide behind the ad company’s own anti-abuse defenses and use them to conceal its malicious activity.

“Since the ad network uses CAPTCHAs to verify real users to prevent click fraud, it’s possible that automated malware analysis systems will fail to scan the malware because they are unable to retrieve and inspect the next stage in the infection chain, helping the threat actor to evade detection,” explained Wolf Security.
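As an added example, not code from the HP Wolf Security report or this article, the following Python classifies a captured redirect chain the way a defender might after reading the above: a chain that passes through an ad-network domain and stops at a CAPTCHA is recorded as incomplete rather than clean, and one that ends in an executable download is flagged. The ad-network domains, CAPTCHA markers and sample chains are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample values (not real domains): hosts an analyst has tagged as
# ad/click-tracking networks, and markers that identify a CAPTCHA challenge page.
AD_NETWORK_DOMAINS = {"click.adnet.example", "r.tracker.example"}
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".js", ".vbs", ".lnk", ".iso")
CAPTCHA_MARKERS = ("captcha", "verify you are human")

@dataclass
class Hop:
    """One HTTP response in a redirect chain recorded by a proxy or sandbox."""
    url: str
    status: int
    content_type: str
    body_snippet: str = ""

def via_ad_network(hops):
    """True if any hop was served from a known ad or click-tracking domain."""
    return any(urlparse(h.url).hostname in AD_NETWORK_DOMAINS for h in hops)

def stalled_at_captcha(last):
    """True if the chain ended on an HTML page that looks like a CAPTCHA challenge."""
    text = (last.url + " " + last.body_snippet).lower()
    return "text/html" in last.content_type and any(m in text for m in CAPTCHA_MARKERS)

def classify_chain(hops):
    """Classify one click chain. The key case is 'incomplete_captcha': the
    analysis system never fetched the stage behind the challenge, so the
    chain must not be recorded as clean."""
    if not hops:
        return "empty"
    last = hops[-1]
    path = urlparse(last.url).path.lower()
    is_download = path.endswith(EXECUTABLE_SUFFIXES) or "octet-stream" in last.content_type
    if via_ad_network(hops):
        if is_download:
            return "suspicious_download"
        if stalled_at_captcha(last):
            return "incomplete_captcha"
    return "download" if is_download else "no_finding"

# Constructed sample chains modelled on the lure-to-ad-network flow described above.
CHAIN_CAPTCHA = [
    Hop("https://mail-link.example/invoice.pdf", 200, "application/pdf"),
    Hop("https://click.adnet.example/c?id=1", 302, "text/html"),
    Hop("https://click.adnet.example/verify", 200, "text/html", "<title>CAPTCHA</title>"),
]
CHAIN_PAYLOAD = CHAIN_CAPTCHA[:2] + [Hop("https://cdn.example/Invoice.exe", 200, "application/octet-stream")]
CHAIN_BENIGN = [Hop("https://www.example.org/report.html", 200, "text/html")]
```

In a pipeline, an `incomplete_captcha` verdict should reopen the sample for manual or interactive detonation instead of being filed as a clean result.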

Another advantage of routing victims through a legitimate ad network domain and asking them to pass a CAPTCHA is that it makes the whole sequence look more plausible, adding to the campaign’s guise of legitimacy.

Furthermore, DarkGate’s criminal service reportedly costs thousands of dollars and therefore caters to an exclusive clientele, which according to Wolf Security implies that the group’s tools are aimed not at amateurs but at elite cybercriminals.

This approach appears to be paying off for DarkGate and its customers; the report claims that even well-trained employees can be fooled by this campaign: “The threat actor behind these campaigns is adept at creating persuasive social engineering lures that are difficult to spot, even for employees who have completed phishing awareness training.”