Hackers Exploit Windows SmartScreen Flaw to Drop DarkGate Malware

Windows has a security feature called SmartScreen that displays a warning when a user attempts to download or open an unrecognized or suspicious file from the internet. Last month, Microsoft fixed a bug (CVE-2024-21412) that allows actors to create specially crafted files that bypass these security checks. A new report from Trend Micro indicates that the actors behind DarkGate malware are now abusing the bug to infect potential victims with the loader binary.

One of the attacks observed by Trend Micro begins with the actors sending the victim a malicious email containing a PDF attachment. The links in the PDF use open redirects from Google DoubleClick Digital Marketing (DDM) services to bypass email security checks. If the victim falls for the lure and clicks a link, they are redirected to an actor-controlled web server hosting an internet shortcut file, which in turn points to another shortcut file hosted on a WebDAV server. Researchers note that this method of using one shortcut file to open another exploits CVE-2024-21412 to bypass SmartScreen, leading to the execution of an MSI file on the device. Notably, the MSI file masquerades as legitimate software, including NVIDIA, the Apple iTunes app, and Notion, a method used to bypass security defenses on the victim's system. Upon execution, the MSI file initiates the decryption and execution of DarkGate malware, which adversaries can then use to steal data, fetch additional payloads and inject them into running processes, perform keylogging, and much more.
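As an added defender-side example (not from the Trend Micro report or this article), the following Python inspects a Windows internet shortcut (.url) file, which is plain INI text, and flags the chaining pattern described above: a target that is a remote file on a WebDAV-style host and is itself another shortcut or an MSI. The hostnames and file contents are constructed for illustration.

```python
import configparser
from typing import List, Optional
from urllib.parse import urlparse

# Constructed samples: a benign shortcut and one that chains to a second
# shortcut on a WebDAV share (illustrative layout, not a real sample).
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/docs/guide.html
"""

CHAINED_URL_FILE = """[InternetShortcut]
URL=file://example-webdav.invalid@80/DavWWWRoot/share/stage2.url
IconIndex=0
"""

# Windows addresses WebDAV shares as \\host@80\DavWWWRoot\... or \\host@SSL\...
WEBDAV_MARKERS = ("@80", "@ssl", "davwwwroot", "webdav")
# A shortcut whose target is itself a shortcut or an installer is the chain
# described in the article (shortcut -> shortcut -> MSI).
RISKY_TARGET_EXT = (".url", ".lnk", ".msi")


def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= value of a .url file, or None if the text is not one."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as written
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)


def shortcut_findings(text: str) -> List[str]:
    """Return review-worthy properties of a .url file, in a fixed order."""
    url = parse_internet_shortcut(text)
    if url is None:
        return []
    findings = []
    target = url.lower()
    if urlparse(url).scheme == "file" or url.startswith("\\\\"):
        findings.append("remote-file-target")      # file:// or UNC path
    if any(marker in target for marker in WEBDAV_MARKERS):
        findings.append("webdav-host")
    if target.split("?", 1)[0].endswith(RISKY_TARGET_EXT):
        findings.append("chained-shortcut-or-installer")
    return findings
```

A .url file that returns all three findings matches the two-stage shortcut pattern and is worth quarantining for analysis rather than opening.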

Security Officer Comments:
The development comes after Trend Micro reported that CVE-2024-21412 was exploited as a zero-day by Water Hydra, a financially motivated hacking group, to deploy DarkMe malware on targeted systems. The latest exploitation attempts show that actors continue to abuse the SmartScreen bypass to deploy loader malware, which the adversaries can then use to fetch other malicious payloads. In the campaign employing DarkGate malware, researchers note that the actors are using a new version of the binary that comes with new configuration options and updated C2 values. Notably, the new configuration options allow operators to enable startup persistence and to specify the minimum disk storage and RAM size required, a check intended to avoid analysis tools.

Suggested Corrections:
Users should ensure that they have applied the patches released by Microsoft to address CVE-2024-21412. Given that an actor would need to convince the victim to open a malicious file for successful exploitation of CVE-2024-21412, end users should avoid opening links in email attachments that come from unknown senders.

Trend Micro has also published a set of IOCs for the latest campaign which can be used for detection purposes: