Windows SmartScreen Vulnerability Exploited in DarkGate Malware Attacks, Patch CVE-2024-21412 Now
In January 2024, a new DarkGate malware campaign was discovered, which used a Windows Defender SmartScreen zero-day vulnerability to evade security measures and deploy fake installers.
The vulnerability in question is CVE-2024-21412, which recently received a patch during Microsoft’s February 2024 Patch Tuesday.
How Do Attackers Exploit the Windows Defender SmartScreen Vulnerability, CVE-2024-21412?
SmartScreen is an important Windows Defender security feature that warns users before they run downloaded files that are suspicious or potentially malicious.
The CVE-2024-21412 (CVSS 8.1) vulnerability is classified as a Security Feature Bypass. It enables attackers to bypass Windows Defender SmartScreen’s security warnings with specially crafted files, allowing them to covertly infiltrate their victims and carry out further malicious acts.
Attackers can take advantage of this vulnerability by creating a Windows internet shortcut (.URL) file that links to another shortcut file hosted on a remote SMB share. This action results in the automatic execution of the file located at the final destination.
Notably, CVE-2024-21412 is a patch bypass for another SmartScreen vulnerability, CVE-2023-36025 (CVSS: 8.8), which was initially patched by Microsoft during November 2023 Patch Tuesday.
Threat Actors Targeting CVE-2024-21412 and Details of DarkGate Malware
After Microsoft addressed CVE-2024-21412 in February 2024 Patch Tuesday, researchers revealed that Water Hydra (a.k.a. DarkCasino) had previously exploited it as a zero-day in attacks directed at foreign exchange traders. The exploitation of the vulnerability resulted in the deployment of the DarkMe Remote Access Trojan (RAT) on victims’ systems.
Now, DarkGate malware operators are also leveraging CVE-2024-21412 with the objective of infiltrating their targets while simultaneously disabling security warnings.
The DarkGate malware appeared in July 2023 as a successor to QakBot, shortly after PikaBot, and both were used in campaigns following QakBot’s takedown. You can find a timeline of these events, including the emergence of DarkGate, in a previous SOCRadar blog post detailing the events and operations of QakBot.
For further information on DarkGate, visit our blog post: DarkGate Malware, Exploring Threats and Countermeasures
Explore the details and latest updates on the operation through our Cyber Threat Intelligence module’s Threat Actor/Malware page.
The Attack Chain of DarkGate Malware
Operators initiate the attack by sending a phishing email containing a PDF attachment with links that leverage open redirects from Google DDM services, enabling them to bypass email security checks.
If attackers are successful in persuading the victim to click the link, the victims are directed to a compromised web server hosting an internet shortcut file (.URL). This file then links to a second shortcut file hosted on an attacker-controlled WebDAV server.
Exploiting the CVE-2024-21412 vulnerability, a Windows shortcut triggers the execution of a malicious MSI file, often disguised as legitimate software like NVIDIA, Apple iTunes, or Notion. Upon installation, a DLL sideloading flaw decrypts and launches the DarkGate malware, enabling data theft, additional payload deployment, keylogging, and real-time remote access for attackers.
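As an added defender-side example (not code from the SOCRadar post or from the campaign), the following Python parses a Windows Internet Shortcut (.url) file and flags the nested-shortcut pattern described above for CVE-2024-21412: a .url whose target is itself a .url or .lnk hosted on a remote SMB or WebDAV server. The sample file contents, hostnames and 192.0.2.x addresses are constructed.

```python
"""Triage Windows Internet Shortcut (.url) files for the CVE-2024-21412 pattern:
a .url whose target is another shortcut (.url/.lnk) on a remote SMB or WebDAV host.
Added example, not SOCRadar code; sample files and 192.0.2.x hosts are constructed."""
import configparser
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

SHORTCUT_EXT = (".url", ".lnk")
UNC_RE = re.compile(r"^\\\\([^\\]+)\\(.+)$")  # matches \\host\share\path


def parse_url_file(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    if cp.has_option("InternetShortcut", "URL"):  # option lookup is case-insensitive
        return cp.get("InternetShortcut", "URL").strip()
    return None


def classify_target(url: str) -> dict:
    """Work out whether a shortcut target is remote and is itself a shortcut file."""
    host, path = None, url
    m = UNC_RE.match(url)
    if m:  # bare UNC path: fetched over SMB
        host, path = m.group(1), m.group(2)
    else:
        p = urlsplit(url)
        if p.scheme == "file" and p.netloc:  # file://host/share/x: also SMB
            host, path = p.netloc, unquote(p.path)
        elif p.scheme in ("http", "https"):  # may be a WebDAV share
            host, path = p.hostname, unquote(p.path)
    nested = path.lower().rstrip("/").endswith(SHORTCUT_EXT)
    return {"remote_host": host, "nested_shortcut": nested,
            "suspicious": host is not None and nested}


def triage(text: str) -> dict:
    """Parse one .url file and return its classification."""
    url = parse_url_file(text)
    result = {"url": url, "remote_host": None, "nested_shortcut": False, "suspicious": False}
    if url:
        result.update(classify_target(url))
    return result


# Constructed samples: one ordinary bookmark, two nested-shortcut chains.
SAMPLES = {
    "bookmark": "[InternetShortcut]\nURL=https://www.example.com/\n",
    "webdav_url": "[InternetShortcut]\nURL=http://files.example.test/dav/Install.url\n",
    "smb_lnk": "[InternetShortcut]\nURL=\\\\192.0.2.10\\share\\Setup.lnk\n",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, triage(content))
```

Run over quarantined attachments or proxy-captured downloads, a `suspicious` result identifies the first stage of the chain before the remote shortcut is ever fetched.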
Additionally, researchers have identified that this campaign utilizes DarkGate 6.1.7, which incorporates XOR-encrypted configuration, updated Command and Control (C2) values, and new configuration options to enhance attacks, enabling attackers to establish persistence and evade test environments more effectively.
Harness SOCRadar’s Capabilities to Stay Proactive Against Exploitation
Stay proactive in mitigating the risk of malware attacks and vulnerability exploitation. Monitor your digital assets and stay informed about the evolving vulnerability landscape to stay one step ahead of emerging threats.
SOCRadar’s Vulnerability Intelligence offers comprehensive details on identified vulnerabilities, including the latest updates, available exploits, and vulnerability lifecycles. Moreover, the Attack Surface Management module sends timely alerts for any security issues, including the emergence of vulnerabilities across your assets, facilitating a better patch management strategy.
Indicators of Compromise (IoCs) for the DarkGate Campaign Targeting SmartScreen
An extensive list of Indicators of Compromise (IoCs) related to the DarkGate campaign exploiting the Windows Defender SmartScreen vulnerability, CVE-2024-21412, is available here.