14 March 2024

DarkGate malware exploits recently patched Windows SmartScreen zero-day bug

Trend Micro analysts have uncovered a sophisticated DarkGate malware campaign, which has been exploiting a recent Windows SmartScreen vulnerability as a zero-day to distribute malware since mid-January 2024.

Tracked as CVE-2024-21412, the zero-day is a Microsoft Defender SmartScreen bypass vulnerability. The issue stems from improper input validation when handling Internet shortcut files: a remote attacker can trick the victim into clicking on a specially crafted shortcut file and thereby execute arbitrary code on the system. The flaw was fixed as part of Microsoft’s February 2024 Patch Tuesday updates.
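Because the bypass hinges on how Internet shortcut (.url) files are handled, a defender's first triage step is to look at what such a file actually points to before it is opened. The script below is an added example, not code from Trend Micro or the article: it parses the INI-style body of a .url file and flags targets that are not plain web URLs. The heuristics (remote share paths, non-http schemes, targets ending in shortcut or executable extensions) and the sample files are this example's own assumptions, not a description of the CVE-2024-21412 mechanism.

```python
"""Triage Internet Shortcut (.url) files offline.

Heuristics below are this example's own assumptions (constructed for
illustration), not a statement of how CVE-2024-21412 works.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, unquote

WEB_SCHEMES = {"http", "https"}
# Targets that are themselves shortcuts or executables deserve a closer look.
RISKY_SUFFIXES = (".url", ".lnk", ".exe", ".msi", ".dll", ".js", ".vbs", ".hta")


@dataclass
class Finding:
    target: str
    reasons: list = field(default_factory=list)


def parse_url_file(text: str) -> dict:
    """Return key/value pairs of the [InternetShortcut] section (keys lower-cased)."""
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a UTF-8 BOM on the first line
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def triage_url_file(text: str) -> Finding:
    """Flag a .url file whose URL= target is not an ordinary web link."""
    fields = parse_url_file(text)
    target = fields.get("url", "")
    finding = Finding(target=target)
    if not target:
        finding.reasons.append("no URL= entry in [InternetShortcut]")
        return finding
    # UNC or scheme-less remote paths instead of a web URL.
    if target.startswith("\\\\") or target.startswith("//"):
        finding.reasons.append("UNC/remote share path instead of a web URL")
    parts = urlsplit(target)
    scheme = parts.scheme.lower()
    if scheme and scheme not in WEB_SCHEMES:
        finding.reasons.append(f"non-web scheme '{scheme}'")
    # For scheme-less targets urlsplit puts everything in .path; use the raw target.
    path = unquote(parts.path if scheme else target).lower()
    if path.endswith(RISKY_SUFFIXES):
        finding.reasons.append(f"target is a shortcut/executable (.{path.rsplit('.', 1)[-1]})")
    return finding


# Constructed sample inputs (hosts from documentation ranges / .test TLD).
BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://docs.example.test/guide.html\n"
SUSPICIOUS_URL_FILE = "[InternetShortcut]\nURL=\\\\203.0.113.10\\share\\installer.url\n"

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        f = triage_url_file(body)
        print(f"{name}: {f.target!r} -> {f.reasons or 'no findings'}")
```

Run it against a directory of quarantined attachments and feed the `reasons` list into whatever ticketing or alerting you already use; a file with any finding should be detonated in a sandbox rather than opened on a workstation.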

Trend Micro reported back in February that CVE-2024-21412 was exploited as part of a sophisticated zero-day attack chain by a threat actor tracked as Water Hydra (aka DarkCasino) that targeted financial market traders. Now the company has released a more detailed technical write-up on the campaign.

The DarkGate campaign utilized a multi-pronged approach to target victims, with the primary method involving the exploitation of CVE-2024-21412 via fake software installers. These installers, disguised as legitimate applications such as Apple iTunes, Notion, and NVIDIA software, contained a DLL, loaded via sideloading, that decrypted the DarkGate payload and infected the user.

One of the notable aspects of this campaign is the use of PDFs containing Google DoubleClick Digital Marketing (DDM) open redirects. These redirects led users to compromised sites hosting the Microsoft Windows SmartScreen bypass exploit, ultimately leading to the download of malicious .MSI installers.
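The PDF-to-redirect-to-installer chain can be triaged statically. The script below is an added example, not code from Trend Micro or the article: it pulls `/URI` link actions out of a raw PDF, unwraps any query parameter that carries another absolute URL (the open-redirect pattern) without touching the network, and flags chains whose final target is an installer or shortcut file. The redirect parameter name, the hosts and the minimal PDF are all constructed for the example; it handles only literal-string URIs in uncompressed objects and would need a real PDF parser for object streams.

```python
"""Static triage of links in a PDF: extract /URI actions, unwrap redirect-style
URLs offline, and report suspicious final targets.

All hosts, the redirect parameter name and SAMPLE_PDF are constructed for this
example; they do not describe any real campaign infrastructure.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Matches literal-string /URI actions; stops at the first unescaped ')'.
# Compressed object streams would need a proper PDF library first.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)


def extract_uris(pdf_bytes: bytes) -> list:
    """Return every /URI target found in uncompressed PDF objects."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def embedded_urls(url: str) -> list:
    """Query parameter values that are themselves absolute http(s) URLs."""
    found = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        candidate = unquote(value)  # tolerate double-encoded values
        inner = urlsplit(candidate)
        if inner.scheme in ("http", "https") and inner.netloc:
            found.append((key, candidate))
    return found


def unwrap_redirects(url: str, max_depth: int = 5) -> list:
    """Follow embedded URLs that point at other hosts; returns the static chain."""
    chain = [url]
    for _ in range(max_depth):
        outer_host = urlsplit(chain[-1]).netloc.lower()
        hops = [inner for _, inner in embedded_urls(chain[-1])
                if urlsplit(inner).netloc.lower() != outer_host]
        if not hops:
            break
        chain.append(hops[0])
    return chain


def triage_link(url: str) -> dict:
    """Classify one link: redirect pattern and/or installer-like final target."""
    chain = unwrap_redirects(url)
    final = urlsplit(chain[-1])
    reasons = []
    if len(chain) > 1:
        reasons.append(f"redirect pattern: {urlsplit(chain[0]).netloc} -> {final.netloc}")
    if final.path.lower().endswith((".msi", ".exe", ".url", ".lnk")):
        reasons.append(f"final target is an installer/shortcut: {final.path.rsplit('/', 1)[-1]}")
    return {"chain": chain, "reasons": reasons}


def triage_pdf(pdf_bytes: bytes) -> dict:
    """Map every extracted URI to its triage result."""
    return {u: triage_link(u) for u in extract_uris(pdf_bytes)}


# Constructed minimal PDF with two link annotations: one redirect-style lure
# pointing at an .msi, one ordinary documentation link.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI "
    b"(https://ad.redirector.test/click?id=42&redirect="
    b"https%3A%2F%2Fcdn.lure.test%2FiTunes-Setup.msi) >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI "
    b"(https://docs.example.test/help.html) >> >>\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for url, result in triage_pdf(SAMPLE_PDF).items():
        print(url)
        print("  chain:", " -> ".join(result["chain"]))
        print("  reasons:", result["reasons"] or "no findings")
```

The unwrapping is purely string-based, so it never contacts the redirector or the download host; that makes it safe to run over mail-gateway quarantine, and the resulting chain gives the final host to block or hunt for in proxy logs.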

DarkGate, operating on a malware-as-a-service (MaaS) model, is a popular tool among financially motivated threat actors across the globe. The malware was used by cybercriminals to target organizations in North America, Europe, Asia, and Africa.
