March 14, 2024 at 02:23AM
DarkGate malware exploits a now-patched Windows Defender SmartScreen flaw to install fake software installers while bypassing security checks. The flaw, tracked as CVE-2024-21412, allows attackers to have downloaded files executed automatically. Trend Micro reports that DarkGate operators are using this vulnerability to improve infection rates. The campaign involves a multi-step infection chain and employs DarkGate version 6.1.7.
Based on the meeting notes, the key takeaways are:
1. A new wave of attacks by the DarkGate malware operation exploited a now-fixed Windows Defender SmartScreen vulnerability to automatically install fake software installers.
2. The flaw, tracked as CVE-2024-21412, allowed specially crafted downloaded files to bypass security warnings.
3. Attackers exploited the flaw by creating a Windows Internet shortcut (.url file) that points to another .url file hosted on a remote server, which caused the file at the final location to be executed automatically.
4. Microsoft fixed the flaw in mid-February, and Trend Micro disclosed that the financially motivated Water Hydra hacking group and DarkGate operators exploited it for malware distribution.
5. The DarkGate operators are using the flaw to improve their chances of success on targeted systems.
6. The DarkGate attack employs a multi-step infection chain and uses DarkGate version 6.1.7, which features an XOR-encrypted configuration, new config options, and updated command-and-control (C2) values.
7. To mitigate the risk from these attacks, it is essential to apply Microsoft’s February 2024 Patch Tuesday update, which fixes CVE-2024-21412.
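A defender-side check for the chaining pattern in takeaway 3, added here as an example that is not part of the original summary or of Trend Micro's reporting: it parses Windows Internet Shortcut (.url) files, extracts the URL= target, and flags shortcuts whose target is itself a .url file on a remote host (an HTTP/HTTPS URL or a UNC share path). The sample shortcuts and the 203.0.113.5 address are constructed for the example.

```python
"""Flag .url shortcuts whose target is another .url file on a remote host.

Added defensive example (not the original page's code). The .url format is a
small INI file with an [InternetShortcut] section and a URL= key, so
configparser is enough to read it. Sample files below are constructed.
"""
import configparser
import re
from dataclasses import dataclass

# A scheme needs at least two characters so that "C:" is read as a drive letter.
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]+):(.*)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:(/|$)")


@dataclass
class Finding:
    path: str
    target: str
    scheme: str
    host: str
    remote: bool   # target lives on another host (HTTP/HTTPS or UNC share)
    nested: bool   # target is itself a .url file


def parse_url_shortcut(text):
    """Return the URL= value of a .url file, or None if it is not one."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.lstrip("\ufeff"))
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return cp[section].get("url")   # keys are lower-cased by configparser
    return None


def classify_target(target):
    """Return (scheme, host, remote) for a shortcut target string."""
    t = target.strip().replace("\\", "/")          # normalise UNC backslashes
    m = SCHEME_RE.match(t)
    scheme, rest = (m.group(1).lower(), m.group(2)) if m else ("", t)
    if scheme in ("http", "https"):
        host = rest.lstrip("/").split("/", 1)[0]
        return scheme, host, True
    if scheme in ("file", ""):
        body = rest.lstrip("/")
        if DRIVE_RE.match(body):                    # file:///C:/... or C:/...
            return scheme or "local", "", False
        if rest.startswith("//"):                   # file:////host/share or //host/share
            return scheme or "unc", body.split("/", 1)[0], True
        return scheme or "local", "", False
    return scheme, "", True                         # any other scheme: treat as remote


def analyze(path, text):
    target = parse_url_shortcut(text)
    if target is None:
        return None
    scheme, host, remote = classify_target(target)
    target_path = target.strip().replace("\\", "/").split("?", 1)[0]
    return Finding(path, target, scheme, host, remote, target_path.lower().endswith(".url"))


def is_suspicious(finding):
    """The chain described in the report: a .url pointing at a remote .url."""
    return finding is not None and finding.remote and finding.nested


# Constructed sample shortcuts (203.0.113.5 is a documentation address).
SAMPLES = {
    "benign_docs.url": "[InternetShortcut]\r\nURL=https://learn.microsoft.com/\r\n",
    "local_file.url": "[InternetShortcut]\r\nURL=file:///C:/Tools/notes.txt\r\n",
    "chained_unc.url": (
        "[InternetShortcut]\r\nURL=file://\\\\203.0.113.5\\share\\setup.url\r\n"
        "ShowCommand=7\r\nIconIndex=13\r\nIconFile=C:\\Windows\\System32\\SHELL32.dll\r\n"
    ),
    "chained_http.url": "[InternetShortcut]\r\nURL=https://203.0.113.5/dl/setup.url\r\n",
}


def scan(samples):
    """Return the names of shortcuts that match the remote-nested-.url pattern."""
    return sorted(name for name, text in samples.items() if is_suspicious(analyze(name, text)))


if __name__ == "__main__":
    for name in scan(SAMPLES):
        f = analyze(name, SAMPLES[name])
        print(f"{name}: {f.scheme} target on {f.host} -> {f.target}")
```

The check keys on the combination of a remote host and a nested .url target, which is what the reported chain relies on, rather than on any single indicator; a plain web link in a .url file is normal and is not flagged.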
Please let me know if you need additional information or if there are specific action items that need to be addressed based on this information.