March 13, 2024 at 05:26PM
The DarkGate malware exploits Windows Defender SmartScreen vulnerability, allowing attackers to automatically install fake software. Microsoft fixed the flaw in mid-February, but DarkGate operators are still using it to infect targeted systems. The attack involves malicious emails with PDF attachments, using open redirects to bypass security checks. Once executed, the malware can steal data and provide remote access. Trend Micro advises applying Microsoft’s February 2024 update to mitigate the risk.
After reviewing the meeting notes, here are the key takeaways:
– DarkGate malware operators are exploiting a now-fixed Windows Defender SmartScreen vulnerability, CVE-2024-21412, to bypass security checks and automatically install fake software installers.
– The attackers are using a multi-step infection chain that begins with a malicious email containing links that utilize open redirects from Google DoubleClick Digital Marketing services to bypass email security checks.
– The attack involves the use of Windows Internet shortcuts (.url files) to automatically execute a malicious MSI file on the victim’s device, masquerading as legitimate software from NVIDIA, Apple iTunes, or Notion.
– Once executed, the MSI installer initiates a DLL sideloading flaw to decrypt and execute the DarkGate malware payload, allowing the attackers to steal data, fetch additional payloads, perform key logging, and gain remote access.
– The campaign employs DarkGate version 6.1.7, which features XOR-encrypted configuration, new config options, and updates on the command and control (C2) values, allowing the operators to determine various operational tactics and evasion techniques.
The first step to mitigate the risk from these attacks would be to apply Microsoft’s February 2024 Patch Tuesday update, which fixes CVE-2024-21412. Additionally, Trend Micro has published a complete list of indicators of compromise (IoCs) for this DarkGate campaign on their webpage.