14 March 2024

DarkGate malware exploits recently patched Windows SmartScreen zero-day bug

Trend Micro analysts have uncovered a sophisticated DarkGate malware campaign, which has been exploiting a recent Windows SmartScreen vulnerability as a zero-day to distribute malware since mid-January 2024.

Tracked as CVE-2024-21412, the zero-day is a Microsoft Defender SmartScreen bypass vulnerability. The issue exists due to improper input validation when handling Internet shortcut files. A remote attacker can trick the victim into clicking on a specially crafted shortcut file and executing arbitrary code on the system. The flaw was fixed as part of Microsoft’s February 2024 Patch Tuesday updates.
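Because the bug is reached through Internet shortcut (.url) files, a defender triaging a mailbox or download folder wants a quick way to see where each shortcut actually points. The script below is an added example and is not code from the article or from Trend Micro's research; it does not reproduce the bypass. It relies only on the documented .url layout (an INI-style file with an `[InternetShortcut]` section and a `URL=` key) and flags shortcuts whose target is a remote file location rather than a plain web address. The sample shortcuts and hostnames are constructed for the example.

```python
"""Triage helper for Windows Internet Shortcut (.url) files.

Added example, not part of the original article. A .url file is an INI-style
text file whose [InternetShortcut] section carries a URL= key. This helper
parses that section and classifies the target so that shortcuts pointing at
remote file locations (UNC paths, file://, WebDAV-style targets) can be routed
to a human for review instead of being double-clicked.
"""
import configparser
from urllib.parse import urlparse

# Schemes that resolve to file access on a remote host rather than a browser page.
REMOTE_FILE_SCHEMES = {"file", "ftp", "smb", "webdav"}

# Constructed samples for the demo; hostnames are placeholders, not real indicators.
SAMPLE_WEB = "[InternetShortcut]\nURL=https://example.com/docs\n"
SAMPLE_FILE = "[InternetShortcut]\nURL=file://fileserver.example.invalid/share/setup.url\n"
SAMPLE_UNC = "[InternetShortcut]\nURL=\\\\fileserver.example.invalid\\share\\setup.msi\n"


def parse_url_shortcut(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section, keys lowercased."""
    # strict=False tolerates duplicate keys; only '=' is a delimiter so ':' inside URLs is kept.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    raise ValueError("no [InternetShortcut] section found")


def classify_target(target: str) -> str:
    """Classify a URL= value: 'web' (http/https), 'remote-file' (UNC, file://, ...) or 'other'."""
    t = target.strip()
    # UNC form \\host\share\... (or the forward-slash variant) never goes through a browser.
    if t.startswith("\\\\") or t.startswith("//"):
        return "remote-file"
    scheme = urlparse(t).scheme.lower()
    if scheme in ("http", "https"):
        return "web"
    if scheme in REMOTE_FILE_SCHEMES:
        return "remote-file"
    return "other"


def triage(text: str) -> dict:
    """Parse one shortcut and return its target, classification and review findings."""
    fields = parse_url_shortcut(text)
    target = fields.get("url", "")
    kind = classify_target(target)
    findings = []
    if kind == "remote-file":
        findings.append("target is a remote file location; shortcut would fetch a file, not open a web page")
    if kind == "other":
        findings.append("target uses an unexpected scheme; review manually")
    return {"target": target, "kind": kind, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for name, sample in (("web", SAMPLE_WEB), ("file", SAMPLE_FILE), ("unc", SAMPLE_UNC)):
        result = triage(sample)
        print(f"{name}: kind={result['kind']} suspicious={result['suspicious']}")
        for f in result["findings"]:
            print(f"  - {f}")
```

In practice you would feed `triage()` the contents of every `.url` attachment or download and quarantine anything marked suspicious; a plain `https://` target is not proof of safety, but a shortcut that reaches out to a file share is rarely something a user sent on purpose.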

Trend Micro reported back in February that CVE-2024-21412 was exploited as part of a sophisticated zero-day attack chain by a threat actor tracked as Water Hydra (aka DarkCasino) that targeted financial market traders. Now the company has released a more detailed technical write-up on the campaign.

The DarkGate campaign utilized a multi-pronged approach to target victims, with the primary method involving the exploitation of CVE-2024-21412 via fake software installers. These installers, disguised as legitimate applications such as Apple iTunes, Notion, and NVIDIA software, contained a sideloaded DLL file that decrypted and infected users with the DarkGate malware.

One of the notable aspects of this campaign is the use of PDFs containing Google DoubleClick Digital Marketing (DDM) open redirects. These redirects led users to compromised sites hosting the Microsoft Windows SmartScreen bypass exploit, ultimately leading to the download of malicious .MSI installers.

DarkGate, operating on a malware-as-a-service (MaaS) model, is a popular tool among financially motivated threat actors across the globe. The malware was used by cybercriminals to target organizations in North America, Europe, Asia, and Africa.
