Windows SmartScreen Vulnerability Used To Drop DarkGate

Security researchers at Trend Micro have discovered a DarkGate malware campaign using a vulnerability already patched in Windows Defender's SmartScreen utility.

Summarizing their discovery, they stated,

The Zero Day Initiative (ZDI) recently uncovered a DarkGate campaign in mid-January 2024, which exploited CVE-2024-21412 through the use of fake software installers. During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412 that led to malicious Microsoft (.MSI) installers. The phishing campaign employed open redirect URLs from Google Ad technologies to distribute fake Microsoft software installers (.MSI) masquerading as legitimate software, including Apple iTunes, Notion, NVIDIA, and others. The fake installers contained a sideloaded DLL file that decrypted and infected users with a DarkGate malware payload.

The vulnerability, tracked as CVE-2024-21412, was first discovered by Trend Micro when a threat group going by Water Hydra was seen exploiting the flaw. In this instance, if properly exploited, the flaw will allow the attacker to send the targeted user a specially crafted file designed to bypass displayed security checks.

This was done to drop the DarkMe malware on targeted machines, often belonging to traders, to carry out financially motivated cybercrime.

Regarding this campaign, researchers stated,

In late December 2023, we began tracking a campaign by the Water Hydra group that contained similar tools, tactics, and procedures (TTPs) that involved abusing internet shortcuts (.URL) and Web-based Distributed Authoring and Versioning (WebDAV) components. In this attack chain, the threat actor leveraged CVE-2024-21412 to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe malware. In cooperation with Microsoft, the ZDI bug bounty program worked to disclose this zero-day attack and ensure a rapid patch for this vulnerability. Trend also provides protection to users from threat actors that exploit CVE-2024-21412 via the security solutions that can be found at the end of this blog entry.

Microsoft fixed the flaw in mid-February. However, given how individuals and organizations are historically slow to patch systems, opportunities exist for other threat actors to exploit the vulnerability. Those behind the DarkGate malware appear to be so inclined. DarkGate threat actors seem to be using the flaw to increase their chances of carrying out a successful infection.

DarkGate operates as a Malware-as-a-Service and has operated since 2018. This malware is a complete toolkit that provides attackers with extensive capabilities to compromise victim systems fully. Based on available threat intelligence, it is being developed by a malware developer named RastaFarEye on underground hacking forums.

DarkGate is offered through a subscription-based model costing up to 15,000 USD per month, justifying the high price tag by claiming the malware has been under continual development since 2018, with some reports suggesting 2017.

The malware surged in popularity in 2021 with a version that already included many of the features we have seen in the current version of DarkGate, like the usage of AutoIt to load the final payload and a full Remote Access Trojan (RAT) module to control remote systems.

In June 2023, RastaFarEye advertised a version of DarkGate on hacker forums, including new features such as hVNC, file manager, Discord and Browser stealer, keylogger, and a rootkit module.

The developer promised total evasion of any security products and a complete command-and-control panel that lets buyers conveniently control their bots. While this is clearly a sales pitch, these are also capabilities that threat actors genuinely need. The use of the vulnerability mentioned above is seen as a significant development in the malware's toolset.

DarkGate Attack

According to Trend Micro, this latest DarkGate campaign begins with a malicious email that includes a PDF attachment with links that make use of open redirects from Google DoubleClick Digital Marketing (DDM) services. This is done to bypass email security and spam checks.

If the victim clicks on the link, they are redirected to a compromised web server that hosts an internet shortcut file. This shortcut file (.url) links to a second shortcut file hosted on an attacker-controlled WebDAV server.

A Windows shortcut file is then used to open yet another shortcut stored on a remote server. This is used to exploit the vulnerability and then execute a malicious MSI file. This malicious file executes automatically due to exploitation of the vulnerability.

In instances witnessed by security researchers, the MSI file masqueraded as legitimate software from NVIDIA, the Apple iTunes app, or a Notion-related file. The MSI then fetches and executes the DarkGate malware payload.
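The chain above leaves two artifacts a defender can triage before anything executes: the redirect link carried in the PDF, and the Internet Shortcut (.url) file that points at a second shortcut on a remote WebDAV host. The following Python is an added example, not code from the PCrisk article or from Trend Micro's report. It flags a link whose redirect parameter carries an absolute URL to a different host, and parses a .url body to flag remote `file://`/UNC targets, WebDAV-style host syntax, and targets ending in a shortcut or installer extension. All hosts, URLs, parameter names, and file contents are constructed samples; the list of redirect parameter names is an assumption, not an exhaustive catalogue.

```python
# Added example (not from the PCrisk article or Trend Micro's report):
# defender-side triage of two artifacts from the DarkGate chain:
#  1. an email/PDF link that abuses an ad-network open redirect, and
#  2. an Internet Shortcut (.url) whose target is another shortcut or an
#     installer on a remote (WebDAV/UNC) host.
# Every URL, host and file body below is a constructed sample.
import configparser
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Query parameters that redirectors commonly use to carry the real destination.
# Assumption: illustrative list, not a complete catalogue.
REDIRECT_PARAMS = ("adurl", "url", "redirect", "dest", "u")

# Artifacts that should never be the target of a shortcut fetched from the web.
SUSPICIOUS_TARGET_EXT = (".url", ".msi", ".lnk", ".exe", ".js", ".vbs")


def open_redirect_target(link: str) -> Optional[str]:
    """Return the external destination hidden in a redirect-style link, or None.

    A link counts as an open redirect when one of its query parameters holds
    an absolute http(s) URL whose host differs from the link's own host.
    """
    parsed = urlparse(link)
    # Some ad-tech links separate parameters with ';' instead of '&';
    # normalise so parse_qs sees all of them (assumption about input format).
    params = parse_qs(parsed.query.replace(";", "&"), keep_blank_values=True)
    for name in REDIRECT_PARAMS:
        for value in params.get(name, []):
            dest = urlparse(unquote(value))
            if (dest.scheme in ("http", "https") and dest.netloc
                    and dest.netloc.lower() != parsed.netloc.lower()):
                return dest.geturl()
    return None


def parse_internet_shortcut(content: str) -> dict:
    """Parse the INI-style body of a .url file; return its [InternetShortcut] keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(content)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp["InternetShortcut"])


def shortcut_findings(content: str) -> list:
    """Return human-readable indicators found in a .url file body (empty = clean)."""
    findings = []
    fields = parse_internet_shortcut(content)
    url = fields.get("URL", "").strip()
    if not url:
        return ["no URL field (malformed or not an Internet Shortcut)"]
    target = urlparse(url)
    lower = url.lower()
    # A file:// URL with a host part, or a UNC path, fetches the target from
    # another machine (WebDAV or SMB) rather than opening a web page.
    if (target.scheme == "file" and target.netloc) or lower.startswith("\\\\"):
        findings.append(f"remote file target: {url}")
    # host@port / host@SSL@port is the WebDAV redirector's host syntax.
    if "@" in target.netloc or "davwwwroot" in lower:
        findings.append("WebDAV redirector-style path")
    if lower.endswith(SUSPICIOUS_TARGET_EXT):
        findings.append(f"target is an executable artifact: .{url.rsplit('.', 1)[-1]}")
    if fields.get("IconFile", "").lower().startswith(("\\\\", "http", "file://")):
        findings.append("IconFile points to a remote location")
    return findings


# Constructed samples (documentation-range IP, reserved .test TLD).
SAMPLE_LINK = ("https://ad.example-adnetwork.test/click?cid=123"
               "&adurl=https%3A%2F%2Fcompromised.example.test%2Fdownload%2F")
SAMPLE_SHORTCUT = """[InternetShortcut]
URL=file://203.0.113.10@80/DavWWWRoot/installers/stage2.url
IconIndex=0
"""
SAMPLE_BENIGN = """[InternetShortcut]
URL=https://www.example.test/docs
"""

if __name__ == "__main__":
    print("redirect ->", open_redirect_target(SAMPLE_LINK))
    for f in shortcut_findings(SAMPLE_SHORTCUT):
        print("shortcut:", f)
    print("benign findings:", shortcut_findings(SAMPLE_BENIGN))
```

Run it on a suspicious .url body pulled from a mail gateway or proxy log and it lists every indicator separately, so a rule can require, say, both a remote target and a shortcut/installer extension before alerting, which keeps ordinary intranet `file://` shortcuts out of the queue. A redirect whose destination stays on the same host returns `None`, so first-party redirects do not trip the check.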

This complicated infection chain, summarized here and described in greater detail by Trend Micro, helps attackers evade detection by security software and makes analysis a far more challenging prospect.

Researchers concluded,

In this research, a follow-up to our Water Hydra APT Zero Day campaign analysis, we explored how the DarkGate operators were able to exploit CVE-2024-21412 as a zero-day attack to deploy the complex and evolving DarkGate malware. We also explored how security bypass vulnerabilities can be used in conjunction with open redirects in technologies such as the Google Ads ecosystem to proliferate malware and abuse the inherent trust that organizations have in basic web technologies.

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience working in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
