
Hackers exploit Windows SmartScreen flaw to drop DarkGate malware

A new wave of attacks by the DarkGate malware operation exploits a now-fixed Windows Defender SmartScreen vulnerability to bypass security checks and automatically install fake software installers.

SmartScreen is a Windows security feature that displays a warning when users attempt to run unrecognized or suspicious files downloaded from the internet.

The flaw, tracked as CVE-2024-21412, is a Windows Defender SmartScreen vulnerability that allows specially crafted downloaded files to bypass these security warnings.

Attackers can exploit the flaw by creating a Windows Internet shortcut (.url file) that points to another .url file hosted on a remote SMB share, which causes the file at the final location to be executed automatically.
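To make the nested-shortcut pattern concrete from the defender's side, here is an added Python example (not code from the article or from Trend Micro) that parses .url files and flags any whose target is a remote SMB/WebDAV path ending in another .url or an installer; the sample files and host names are constructed placeholders, not campaign indicators.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample .url files for the demo; host names are placeholders, not campaign IoCs.
SAMPLES = {
    "benign.url": "[InternetShortcut]\nURL=https://www.example.com/\n",
    "local.url": "[InternetShortcut]\nURL=file:///C:/Users/Public/notes.txt\n",
    "smb_chain.url": "[InternetShortcut]\nURL=file://fileserver.example.invalid/pub/second.url\n",
    "webdav_chain.url": "[InternetShortcut]\nURL=\\\\webdav.example.invalid@80\\DavWWWRoot\\second.url\n",
    "remote_msi.url": "[InternetShortcut]\nURL=\\\\fileserver.example.invalid\\pub\\setup.msi\n",
}

# Targets that SmartScreen would normally warn about when reached through a shortcut.
EXECUTABLE_EXTS = (".msi", ".exe", ".lnk", ".url")


def shortcut_target(text: str) -> str:
    """Return the URL= value of an Internet Shortcut (.url files use INI syntax)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser.get("InternetShortcut", "URL", fallback="").strip()


def is_remote_target(target: str) -> bool:
    """True if the target resolves over SMB/WebDAV: a UNC path or file:// with a host part."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True
    parsed = urlparse(target)
    return parsed.scheme == "file" and bool(parsed.netloc)


def classify(text: str) -> str:
    """Classify one .url file as 'shortcut_chain', 'remote_payload', 'remote' or 'ok'."""
    target = shortcut_target(text)
    if not is_remote_target(target):
        return "ok"
    lower = target.lower()
    if lower.endswith(".url"):
        return "shortcut_chain"   # .url -> remote .url: the CVE-2024-21412 pattern
    if lower.endswith(EXECUTABLE_EXTS):
        return "remote_payload"
    return "remote"


def scan(samples: dict) -> dict:
    """Map each sample file name to its verdict."""
    return {name: classify(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:18} {verdict}")
```

The same check can run over .url attachments at a mail gateway or over files dropped in a sandbox, where a "shortcut_chain" verdict is worth an alert even on patched hosts.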

Microsoft fixed the flaw in mid-February, with Trend Micro disclosing that the financially motivated Water Hydra hacking group had previously exploited it as a zero-day to drop their DarkMe malware onto traders' systems.

Today, Trend Micro analysts reported that DarkGate operators are exploiting the same flaw to improve their chances of success (infection) on targeted systems.

This is a significant development for the malware, which, along with Pikabot, has filled the void created by QBot's disruption last summer and is used by multiple cybercriminals for malware distribution.

DarkGate attack details

The attack begins with a malicious email that includes a PDF attachment with links that use open redirects from Google DoubleClick Digital Marketing (DDM) services to bypass email security checks.

When a victim clicks on the link, they are redirected to a compromised web server that hosts an internet shortcut file. This shortcut file (.url) links to a second shortcut file hosted on an attacker-controlled WebDAV server.

Exploiting the CVE-2024-21412 SmartScreen vulnerability (Source: Trend Micro)

Using one Windows shortcut to open a second shortcut on a remote server effectively exploits the CVE-2024-21412 flaw, causing a malicious MSI file to execute automatically on the system.

Second URL shortcut that automatically installs the MSI file (Source: Trend Micro)

These MSI files masqueraded as legitimate software from NVIDIA, the Apple iTunes app, or Notion.

Upon execution of the MSI installer, another DLL sideloading flaw involving the "libcef.dll" file and a loader named "sqlite3.dll" decrypts and executes the DarkGate malware payload on the system.

Once it is initialized, the malware can steal data, fetch additional payloads and inject them into running processes, perform keylogging, and give attackers real-time remote access.

The complex, multi-step infection chain employed by DarkGate operators since mid-January 2024 is summarized in the diagram below:

DarkGate infection chain (Source: Trend Micro)

Trend Micro says this campaign employs DarkGate version 6.1.7, which, compared to the older version 5, features an XOR-encrypted configuration, new config options, and updates to the command and control (C2) values.

The configuration parameters available in DarkGate 6 let its operators set various operational tactics and evasion techniques, such as enabling startup persistence or specifying a minimum disk size and RAM size to evade analysis environments.

DarkGate v6 configuration parameters (Source: Trend Micro)

The first step to mitigate the risk from these attacks is to apply Microsoft's February 2024 Patch Tuesday update, which fixes CVE-2024-21412.

Trend Micro has published the complete list of indicators of compromise (IoCs) for this DarkGate campaign on this webpage.
