Hackers exploit Windows Defender SmartScreen flaw to spread DarkGate malware. However, this flaw was corrected in Patch Tuesday in February 2024.
A recent series of attacks by the operators of the DarkGate malware took advantage of a vulnerability in SmartScreen, a component of Windows Defender, to bypass its security mechanisms and silently install fraudulent programs.
This flaw, tracked as CVE-2024-21412, gives cybercriminals a way to avoid the usual security warnings generated by Windows Defender's SmartScreen feature. Microsoft corrected it in its February 2024 Patch Tuesday. The problem: the attackers had already acted before Microsoft's monthly update.
Exploitation of the flaw by attackers
The Windows SmartScreen attack begins with fraudulent emails containing PDF attachments and malicious links. These links use clever redirects, taking advantage of Google DoubleClick Digital Marketing services, to bypass email inbox security filters. When an unwary recipient clicks on one of these links, they are redirected to a compromised server hosting an Internet shortcut (.url) file. This file, in turn, points to a second shortcut hosted on a WebDAV server controlled by the hackers.
This type of attack takes advantage of the victims' lack of vigilance and of the opportunism of the hackers, as evidenced by the arrest of a 17-year-old teenager in a phishing case which earned him more than 700,000 euros.
This cascade of redirects allows attackers to take advantage of CVE-2024-21412, causing a malicious MSI installer file to automatically execute on the targeted device. These MSI files are often disguised as legitimate software, such as NVIDIA drivers or popular applications like iTunes or Notion. Once the deployment process begins, a series of additional vulnerabilities are exploited to execute the DarkGate malware payload.
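As an added illustration (not from the article, Trend Micro, or any other source it cites), here is a small Python check a defender could run over .url attachments to flag the nested-shortcut pattern described above: an Internet shortcut whose target is a remote WebDAV/SMB share or another shortcut or installer rather than a web page. The host, share and file names in the samples are constructed placeholders, not real indicators.

```python
import configparser
from urllib.parse import urlparse

# File types an Internet shortcut should not normally chain to. A .url that
# points at another .url, or at an installer, on a remote share matches the
# nested-shortcut delivery chain described in the article.
CHAINED_TARGET_EXT = (".url", ".lnk", ".msi", ".exe")


def parse_url_shortcut(text: str):
    """Return the URL= target of a .url (INI-style) file, or None if absent."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser.get("InternetShortcut", "URL", fallback=None)


def is_remote_share(target: str) -> bool:
    """True for UNC paths or file:// URLs with a host, i.e. SMB/WebDAV targets."""
    if target.startswith("\\\\"):
        return True
    parsed = urlparse(target)
    return parsed.scheme == "file" and bool(parsed.netloc)


def assess_shortcut(text: str) -> dict:
    """Classify a .url file's content: its target and the reasons it is flagged."""
    target = parse_url_shortcut(text)
    reasons = []
    if target is None:
        return {"target": None, "suspicious": False, "reasons": ["no URL= entry"]}
    clean = target.split("?", 1)[0].strip().lower()
    if is_remote_share(target):
        reasons.append("target is a remote SMB/WebDAV share")
    if clean.endswith(CHAINED_TARGET_EXT):
        reasons.append("target is a %s file, not a web page" % clean.rsplit(".", 1)[-1])
    return {"target": target, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples (placeholder host and paths): a benign shortcut and a
# nested one that hands off to a second shortcut on a WebDAV share.
BENIGN = "[InternetShortcut]\nURL=https://www.example.com/\n"
NESTED = "[InternetShortcut]\nURL=file://203.0.113.10@80/share/second.url\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("nested", NESTED)):
        print(name, assess_shortcut(sample))
```

The same check can be applied to the second-stage shortcut, whose target is the installer; an email gateway or EDR rule would flag either stage before SmartScreen is ever consulted.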
The sophistication of DarkGate and its consequences
Trend Micro says this campaign uses DarkGate version 6.1.7 which, compared to the older version 5, features XOR-encrypted configuration, new configuration options, and updates to its command-and-control (C2) values.
The configuration settings available in DarkGate 6 allow its operators to choose various operational tactics and evasion techniques, such as enabling startup persistence or specifying a minimum disk storage and RAM size in order to evade analysis environments.
The first step to reduce the risks associated with these attacks is to apply Microsoft's February 2024 Patch Tuesday update, which fixes CVE-2024-21412. This is also the opportunity to apply the March 2024 Patch Tuesday update, which corrects more than 40 flaws.
Trend Micro has also published the complete list of indicators of compromise (IoC) for this DarkGate campaign.
Sources: The Hacker News, TrendMicro, TrendMicro files