McAfee Labs discovered the DarkGate Menace, activity associated with a Remote Access Trojan (RAT) named DarkGate, whose infection chain starts with an HTML entry point and exploits AutoHotkey in later stages. The malware, marketed as Malware-as-a-Service (MaaS), includes capabilities such as process injection, file download and execution, and keylogging. DarkGate also employs evasion tactics to bypass Defender SmartScreen, leading Microsoft to release patches.

DarkGate malware leverages AutoHotkey to evade SmartScreen

The infection chain involves phishing HTML and XLS files, with the malware attempting to execute VBScript and PowerShell commands and using AutoHotkey for malicious activities. Persistence is achieved by dropping .lnk files in the startup folder. McAfee suggests various mitigation strategies, such as verifying sender information, being cautious with email content, and keeping security software updated, and provides Indicators of Compromise (IoC) for detection.
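A triage check for the persistence step described above, written as an added example that is not taken from the McAfee report: it lists Startup-folder shortcuts whose contents reference AutoHotkey. The marker strings are assumed generic AutoHotkey names rather than IoCs from the report, and the sample shortcut is constructed.

```python
import os
import tempfile
from pathlib import Path

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# Assumed markers: generic AutoHotkey strings, not IoCs from the report.
MARKERS = ("autohotkey", ".ahk")

def startup_dirs():
    """Per-user and all-users Startup folders on Windows."""
    tail = Path("Microsoft/Windows/Start Menu/Programs/Startup")
    roots = (os.environ.get("APPDATA"), os.environ.get("PROGRAMDATA"))
    return [Path(r) / tail for r in roots if r]

def markers_in(data):
    """Return markers found as ASCII or UTF-16LE, case-insensitively."""
    low = data.lower()  # lowercases ASCII letters, leaves NUL bytes alone
    return [m for m in MARKERS
            if m.encode("ascii") in low or m.encode("utf-16-le") in low]

def scan(dirs):
    """List (path, markers) for shortcuts that reference AutoHotkey."""
    hits = []
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.iterdir()):
            if p.suffix.lower() != ".lnk":
                continue
            data = p.read_bytes()
            if not data.startswith(LNK_MAGIC):
                continue  # not a real shell link
            found = markers_in(data)
            if found:
                hits.append((p, found))
    return hits

def constructed_demo():
    """Scan a temp folder holding one constructed (fake) shortcut."""
    with tempfile.TemporaryDirectory() as tmp:
        body = "C:\\Temp\\AutoHotkey.exe script.ahk".encode("utf-16-le")
        (Path(tmp) / "sample.lnk").write_bytes(LNK_MAGIC + body)
        return [(p.name, f) for p, f in scan([Path(tmp)])]

if __name__ == "__main__":
    print("constructed sample:", constructed_demo())
    for path, found in scan(startup_dirs()):
        print(f"{path}: references {', '.join(found)}")
```

A hit is a lead for review, not a verdict: hosts where AutoHotkey is installed legitimately can have such shortcuts too.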
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen/