Tuesday, January 14, 2025

Hackers Exploit Windows SmartScreen Vulnerability to Install DarkGate Malware


The operators of DarkGate exploited a Windows Defender SmartScreen vulnerability, tracked as CVE-2024-21412, as a zero-day before Microsoft patched it, using it to distribute the complex and constantly evolving DarkGate malware.

CVE-2024-21412, rated CVSS 8.1, is a security feature bypass in Microsoft Defender SmartScreen involving Internet Shortcut (.URL) files.

It allows an unauthenticated attacker to bypass SmartScreen's checks by convincing a target to open a specially crafted file; the attacker cannot force the file to open, so the attack depends on social engineering.

In mid-January 2024, Trend Micro's Zero Day Initiative (ZDI) discovered a DarkGate campaign that exploited this vulnerability through fake software installers.

The phishing campaign distributed fake Microsoft Software Installer (.MSI) packages posing as legitimate applications such as Apple iTunes, Notion and NVIDIA software, reaching victims through open redirect URLs in Google Ads technologies.

A sideloaded DLL inside each fake installer decrypts the DarkGate payload and infects the host.

The campaign was identified as part of Trend Micro's larger analysis of the Water Hydra APT zero-day campaign, which targeted financial market traders.

Trend Micro analysts have now revealed that DarkGate operators are using the same SmartScreen vulnerability for much broader exploitation.

Microsoft released a security update addressing CVE-2024-21412 on February 13, 2024, so systems that have applied that update are protected against this bypass.

The DarkGate Campaign

DarkGate is one of the most widespread, advanced and active malware families in cybercrime today.

It is sold under a malware-as-a-service (MaaS) model, and financially motivated threat actors have used it against enterprises across North America, Europe, Asia and Africa.

“Using fake software installers, along with open redirects, is a potent combination and can lead to many infections,” Trend Micro researchers shared with Cyber Security News.

Figure: Attack chain

Besides paying for sponsored articles and ad placements, the threat actors have been abusing open redirects in Google's DoubleClick Digital Marketing (DDM) technologies.

Abusing open redirects can lead to code execution, especially when combined with security bypasses such as CVE-2023-36025 (an earlier SmartScreen bypass) and CVE-2024-21412.

Open redirects exploit the trust that users place in major web services: the link begins at a well-known domain, so it looks safe, but it forwards the victim to an attacker-chosen destination.
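As an added example (not code from the article or from Trend Micro's report), the following Python script unwraps an open-redirect link offline by looking for a destination URL embedded in its parameters, following nested redirectors, and reporting whether the landing host differs from the ad domain the link appears to go to. The parameter names it recognises and the sample hostnames are assumptions constructed for illustration; it inspects only the URL text and does not follow server-side HTTP redirects, so a 302 issued by the redirector would still need a sandboxed fetch to observe.

```python
"""Unwrap open-redirect links offline to find the real landing page.

Added example, not from the article or Trend Micro's report. Ad click
trackers carry their destination in a parameter; when that parameter is not
validated, the link can be pointed anywhere. Parameter names and hosts below
are assumptions used for illustration.
"""
from typing import List, Optional
from urllib.parse import parse_qsl, urlsplit

# Parameter names that commonly carry a destination URL (assumed, not exhaustive).
REDIRECT_PARAMS = {"adurl", "url", "redirect", "redir", "dest", "destination", "u", "r"}


def _is_absolute_http_url(value: str) -> bool:
    parts = urlsplit(value)
    return parts.scheme.lower() in ("http", "https") and bool(parts.netloc)


def _candidate_params(url: str) -> List[tuple]:
    """Collect key/value pairs from the query, the fragment and any ';'-style
    parameters in the path, so 'clk/123;adurl=...' is handled like '?adurl=...'."""
    parts = urlsplit(url)
    segments = [parts.query, parts.fragment]
    if ";" in parts.path:
        segments.append(parts.path.split(";", 1)[1])
    pairs: List[tuple] = []
    for seg in segments:
        # parse_qsl percent-decodes each value once; ';' is normalised to '&' first.
        pairs.extend(parse_qsl(seg.replace(";", "&"), keep_blank_values=True))
    return pairs


def find_embedded_url(url: str) -> Optional[str]:
    """Return the destination URL embedded in *url*, preferring known parameter names."""
    pairs = _candidate_params(url)
    for key, value in pairs:
        if key.lower() in REDIRECT_PARAMS and _is_absolute_http_url(value):
            return value
    for _, value in pairs:  # fall back to any URL-shaped value
        if _is_absolute_http_url(value):
            return value
    return None


def unwrap_redirect(url: str, max_hops: int = 5) -> List[str]:
    """Follow embedded destinations with no network access and return the hop
    chain, starting with *url*. Stops on a loop or after *max_hops*."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = find_embedded_url(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def redirect_leaves_domain(url: str) -> bool:
    """True when the link ultimately lands on a host other than the one it starts at."""
    chain = unwrap_redirect(url)
    first, last = urlsplit(chain[0]).hostname, urlsplit(chain[-1]).hostname
    return len(chain) > 1 and first != last


# Constructed sample in the shape of an ad click-tracker link that carries a
# second, nested redirector (all hosts are placeholders in the .test TLD).
SAMPLE_AD_LINK = (
    "https://ads.example-tracker.test/clk?id=123&adurl="
    "https%3A%2F%2Fopen-redir.example.test%2Fout%3Furl%3D"
    "https%253A%252F%252Finstaller-mirror.example.test%252Fsetup.url"
)

if __name__ == "__main__":
    for hop, link in enumerate(unwrap_redirect(SAMPLE_AD_LINK)):
        print(f"hop {hop}: {link}")
    print("leaves ad domain:", redirect_leaves_domain(SAMPLE_AD_LINK))
```

Run it over links extracted from a suspicious PDF or e-mail before anyone clicks them; a chain that starts at an advertising domain and ends on an unrelated host serving a `.url`, `.zip` or `.msi` file is exactly the shape described in this campaign.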

Figure: Open redirect inside a phishing PDF

The DarkGate operators use a Google DoubleClick open redirect to send the victim to a compromised web server hosting the first .URL internet shortcut file, which starts the exploitation of CVE-2024-21412.

“The internet shortcut file uses the ‘URL=’ parameter to point to the next stage of the infection process; this time, it is hosted on an attacker-controlled WebDAV server,” researchers said.

Figure: Internet shortcut file exploiting CVE-2024-21412

The next stage points to a .MSI file, delivered inside a ZIP archive.

Running a Microsoft software installer reached through this sequence of internet shortcut redirections, from an untrusted source, should normally propagate the Mark of the Web (MotW) to the downloaded file, and Microsoft Defender SmartScreen should then stop it and warn the user that it is trying to execute content from an untrusted source such as the internet.

“By exploiting CVE-2024-21412, the victim’s Microsoft Defender SmartScreen is not prompted due to a failure to properly apply MotW. [...] fake software installers using .MSI files,” researchers said.

Figure: Next stage of the DarkGate infection
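The shortcut-to-shortcut chain and the MotW failure described above, as an added example in Python that is not part of the article or of Trend Micro's analysis: it parses the INI-style .URL format, classifies where the URL= target points (WebDAV, UNC share, web or local), flags a shortcut whose target is another .URL file or an installer, and interprets the Zone.Identifier stream that carries MotW and that SmartScreen keys off. The WebDAV address syntax it recognises (host@80, host@SSL, DavWWWRoot), the payload extension list and the sample addresses are assumptions; the Zone.Identifier stream exists only on NTFS, so the samples pass its content in as text and the on-disk reader is provided for use on Windows.

```python
"""Triage Windows Internet Shortcut (.url) files and their Mark of the Web.

Added example, not code from the article or from Trend Micro. Assumptions:
WebDAV targets are recognised by the 'host@80' / 'host@SSL' redirector syntax
or a DavWWWRoot path; the payload extension list is illustrative; sample
addresses are placeholders, not indicators from any real campaign.
"""
import configparser
from typing import List, Optional
from urllib.parse import urlsplit

PAYLOAD_EXTENSIONS = (".msi", ".exe", ".dll", ".js", ".vbs", ".hta", ".lnk", ".cmd", ".bat", ".ps1")


def _ini(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    return cfg


def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= target from the [InternetShortcut] section, or None."""
    try:
        cfg = _ini(text)
    except configparser.Error:
        return None
    for section in cfg.sections():
        if section.lower() == "internetshortcut":
            target = cfg.get(section, "URL", fallback=None)
            return target.strip() if target else None
    return None


def classify_target(url: str) -> str:
    """'webdav', 'unc-share', 'remote-web', 'local' or 'other'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        return "remote-web"
    if scheme == "file" or url.startswith("\\\\"):
        host = parts.netloc if scheme == "file" else url.lstrip("\\").split("\\", 1)[0]
        if not host:
            return "local"
        if "@80" in host.lower() or "@ssl" in host.lower() or "davwwwroot" in url.lower():
            return "webdav"  # Windows WebDAV mini-redirector address syntax (assumed)
        return "unc-share"
    return "other"


def target_extension(url: str) -> str:
    path = urlsplit(url).path if "://" in url else url
    name = path.replace("\\", "/").split("?", 1)[0].rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""


def motw_zone(zone_identifier_text: Optional[str]) -> Optional[int]:
    """ZoneId from a Zone.Identifier stream (3 = Internet); None means no MotW."""
    if not zone_identifier_text:
        return None
    try:
        return _ini(zone_identifier_text).getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the NTFS alternate data stream that carries MotW (Windows/NTFS only)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:  # stream absent, file missing, or not an NTFS volume
        return None


def triage_shortcut(text: str, zone_identifier_text: Optional[str]) -> List[str]:
    """Findings for one .url file plus the Zone.Identifier content that came with it."""
    target = parse_internet_shortcut(text)
    if target is None:
        return ["no URL= target: not an Internet Shortcut"]
    findings = []
    kind, ext = classify_target(target), target_extension(target)
    if kind in ("webdav", "unc-share", "remote-web"):
        findings.append(f"target is remote ({kind}): {target}")
    if ext == ".url":
        findings.append("target is another .url file: nested shortcut chain")
    elif ext in PAYLOAD_EXTENSIONS:
        findings.append(f"target is an executable or installer ({ext})")
    zone = motw_zone(zone_identifier_text)
    if zone is None:
        findings.append("no Zone.Identifier: MotW missing, SmartScreen will not prompt")
    elif zone < 3:
        findings.append(f"ZoneId={zone}: below the Internet zone, treated as trusted")
    else:
        findings.append(f"ZoneId={zone}: MotW present")
    return findings


# Constructed samples shaped like the described chain (placeholder addresses).
FIRST_STAGE = "[InternetShortcut]\r\nURL=file://203.0.113.5@80/downloads/stage2.url\r\nIDList=\r\n"
SECOND_STAGE = "[InternetShortcut]\r\nURL=file://203.0.113.5@80/downloads/iTunesSetup.msi\r\n"
MOTW_INTERNET = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://downloads.example.test/\r\n"

if __name__ == "__main__":
    print("first stage  ->", triage_shortcut(FIRST_STAGE, None))
    print("second stage ->", triage_shortcut(SECOND_STAGE, MOTW_INTERNET))
```

On a Windows host, pair `triage_shortcut(open(p).read(), read_zone_identifier(p))` over the Downloads folder: a `.url` file that points at a WebDAV share, targets another `.url` or an `.msi`, and carries no Zone.Identifier is the combination SmartScreen would have warned about had MotW been applied.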

Users should be warned to install software only from the vendor's official website and to distrust installers reached through advertisements or search results. Defenders should confirm that the February 2024 update for CVE-2024-21412 is deployed, since the bypass depends on the unpatched SmartScreen behaviour.

Both individuals and organizations need to be proactive in defending their systems against this kind of attack.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
