Quote:DarkGate’s password-stealing component uses NirSoft tools to swipe user credentials, browsers cookies, browser history and Skype chats, enSilo reported. But the attackers seem to clearly favor cryptocurrency credentials, reported blog post authors Zeligson and fellow researcher Rotem Kerner, as the malware “looks for specific strings in the names of windows in the foreground that are related to different kinds of crypto wallets” used for trading on various crypto applications and websites.

Aside from its versatility, DarkGate is also notable in that it practices the act of process hollowing — the act of loading a legitimate process onto a system in order to use it as a wrapper to conceal malicious code. DarkGate abuses the processes vbc.exe or regasm.exe for this purpose, the blog post explains.

The malware also relies on UAC (User Account Control) bypass capabilities to elevate its privileges. For this, it employs two distinct tricks, exploiting both the scheduled task DiskCleanup and the legitimate process file eventvwr.exe, aka the Event Viewer Snapin Launcher.