Malware
March 18, 2024

Hackers exploit Windows SmartScreen flaw to drop DarkGate malware

We bring important news about a recent security threat involving the DarkGate malware operation. This new wave of attacks exploits a vulnerability in Windows Defender SmartScreen, a vital security feature designed to warn users about potentially harmful files downloaded from the internet. The flaw, identified as CVE-2024-21412, allows attackers to bypass SmartScreen warnings by utilising specially crafted files. By creating a malicious Windows Internet shortcut, attackers can automatically execute files hosted on remote SMB shares, putting your system at risk. It's crucial to stay informed about this threat and take appropriate measures to protect your devices from potential harm.

In mid-February, Microsoft patched a security flaw that the financially motivated Water Hydra hacking group had already been exploiting as a zero-day to deliver its DarkMe malware onto traders' systems.

Recently, Trend Micro analysts have discovered that the DarkGate operators are now using the same vulnerability to increase their success rate in infecting targeted systems.

This is a notable development for the malware landscape, particularly as DarkGate, alongside Pikabot, has been filling the gap left by the disruption of QBot last summer. It's being utilised by various cyber criminals for distributing malware.

DarkGate attack details

The attack starts with a suspicious email carrying a PDF attachment. The PDF contains links that abuse Google DoubleClick Digital Marketing (DDM) to get past email security filters. Anyone who clicks one of these links is taken to a compromised website hosting a Windows Internet Shortcut (.url) file, which in turn points to a second shortcut hosted on a server controlled by the attacker.

Opening one Windows shortcut that then opens a second shortcut stored on a remote server is what triggers CVE-2024-21412: the flaw lets a malicious MSI file run on the device without the usual SmartScreen warning. These MSI files pose as legitimate software from well-known vendors such as NVIDIA, the Apple iTunes app, or Notion. Once the MSI installer runs, a further flaw involving a file named "libcef.dll" and a loader named "sqlite3.dll" is exploited to decrypt and launch the DarkGate malware on the system.
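The chain described above hinges on an Internet Shortcut whose target is not a web page but another shortcut or an installer sitting on a remote SMB share. The following triage script is an added example written for this article, not code from Trend Micro or from the DarkGate analysis: it parses `.url` files and flags the two traits a defender can check for cheaply, a `file://` or UNC target on a non-local host and a target extension that executes when opened. The sample shortcuts are constructed, and the host 203.0.113.10 is a documentation-range placeholder rather than any real indicator.

```python
"""Triage Windows Internet Shortcut (.url) files for the chained-shortcut
pattern: a .url whose target is itself a shortcut or installer on a remote
SMB share.  Added example; all samples below are constructed."""
import configparser
import os
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import unquote, urlparse

# File types that turn "opening a link" into running code on the host.
EXECUTABLE_EXTS = {".url", ".lnk", ".msi", ".exe", ".dll", ".js", ".vbs",
                   ".hta", ".cmd", ".bat", ".ps1"}
# Hosts that a file:// target may legitimately name without leaving the machine.
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


@dataclass
class Finding:
    target: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= value of an [InternetShortcut] file, or None if absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:          # no section header, malformed lines, ...
        return None
    for section in parser.sections():
        if section.lower() == "internetshortcut" and parser.has_option(section, "url"):
            return parser.get(section, "url").strip()
    return None


def split_target(target: str) -> Tuple[str, str, str]:
    """Return (scheme, host, path) for UNC, file:// and web targets."""
    if target.startswith("\\\\"):                      # \\host\share\path
        host, _, rest = target[2:].partition("\\")
        return "unc", host.lower(), "\\" + rest
    parsed = urlparse(target)
    return parsed.scheme.lower(), (parsed.hostname or "").lower(), unquote(parsed.path)


def triage_shortcut(text: str) -> Finding:
    """Flag targets on remote shares and targets that execute when opened."""
    target = parse_internet_shortcut(text)
    if target is None:
        return Finding(target="", reasons=["no URL= entry in [InternetShortcut]"])
    finding = Finding(target=target)
    scheme, host, path = split_target(target)
    if scheme in ("file", "unc") and host not in LOCAL_HOSTS:
        finding.reasons.append(f"target is a file on a remote share: {host}")
    ext = os.path.splitext(path.replace("\\", "/"))[1].lower()
    if ext in EXECUTABLE_EXTS:
        finding.reasons.append(f"target type runs code when opened: {ext}")
    return finding


# Constructed samples; 203.0.113.10 is a documentation-range placeholder host.
SAMPLES = {
    "benign_web": "[InternetShortcut]\nURL=https://www.example.com/\n",
    "local_file": "[InternetShortcut]\nURL=file:///C:/Users/Public/readme.txt\n",
    # First-stage .url that points at a second .url on a remote share
    "chained_url": "[InternetShortcut]\nURL=file://203.0.113.10/share/second.url\n",
    # Shortcut whose target is an installer on a remote share
    "unc_msi": "[InternetShortcut]\nURL=\\\\203.0.113.10\\share\\setup.msi\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        finding = triage_shortcut(text)
        verdict = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{name:12} {verdict:10} {finding.target}  {'; '.join(finding.reasons)}")
```

Run over a mail-gateway quarantine or a download directory, the two rules separate ordinary web bookmarks and local-file shortcuts from the remote-share chaining the campaign relies on; the "runs code when opened" list is deliberately broad so that a `.lnk` or script target on a share is surfaced as well, not only the `.url` and `.msi` stages seen here.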

Once activated, the malware is capable of various malicious activities including stealing data, fetching additional harmful payloads, injecting them into active processes, logging keystrokes, and granting attackers immediate remote access to the system.

According to Trend Micro, this campaign is using DarkGate version 6.1.7, which includes some significant updates compared to the older version 5. These updates include XOR-encrypted configuration, new configuration options, and changes to the command and control (C2) values.

The new configuration options in DarkGate 6 give its operators finer control over how the malware behaves. For example, they can choose detection-evasion tactics such as having the malware start every time the system boots, or requiring minimum disk and memory sizes so that it does not run inside the small virtual machines used by security analysis environments.

To Sum Up

To start protecting against these attacks, it's important to install Microsoft's February 2024 Patch Tuesday update. This update addresses the vulnerability known as CVE-2024-21412.

Additionally, Trend Micro has shared a comprehensive list of indicators of compromise (IoCs) associated with this DarkGate campaign on their website.
