A new wave of attacks by the DarkGate malware operation exploits a now-fixed Windows Defender SmartScreen vulnerability to bypass security checks and automatically install fake software installers.
SmartScreen is a Windows security feature that displays a warning when users attempt to run unrecognized or suspicious files downloaded from the internet.
The flaw tracked as CVE-2024-21412 is a Windows Defender SmartScreen flaw that allows specially crafted downloaded files to bypass these security warnings.
Attackers can exploit the flaw by creating a Windows Internet shortcut that points to another.
Url file hosted on a remote SMB share, which would cause the file at the final location to be executed automatically.
Microsoft fixed the flaw in mid-February, with Trend Micro disclosing that the financially motivated Water Hydra hacking group previously exploited it as a zero-day to drop their DarkMe malware onto traders' systems.
Today, Trend Micro analysts reported that DarkGate operators are exploiting the same flaw to improve their chances of success on targeted systems.
This is a significant development for the malware, which, together with Pikabot, has filled the void created by QBot's disruption last summer and is used by multiple cybercriminals for malware distribution.
This shortcut file links to a second shortcut file hosted on an attacker-controlled WebDAV server.
Using one Windows Shortcut to open a second Shortcut on a remote server effectively exploits the CVE-2024-21412 flaw, causing a malicious MSI file to execute automatically on the device.
These MSI files masqueraded as legitimate software from NVIDIA, the Apple iTunes app, or Notion.
Once it's initialized, the malware can steal data, fetch additional payloads and inject them into running processes, perform key logging, and give attackers real-time remote access.
Trend Micro says this campaign employs DarkGate version 6.1.7, which, compared to the older version 5, features XOR-encrypted configuration, new config options, and updates on the command and control values.
The configuration parameters available in DarkGate 6 enable its operators to determine various operational tactics and evasion techniques, such as enabling startup persistence or specifying minimum disk storage and RAM size to evade analysis environments.
Trend Micro has published the complete list of the indicators of compromise for this DarkGate campaign on this webpage.
Hackers used new Windows Defender zero-day to drop DarkMe malware.
Hackers exploit Ivanti SSRF flaw to deploy new DSLog backdoor.
Raspberry Robin malware evolves with early access to Windows exploits.
Microsoft Teams phishing pushes DarkGate malware via group chats.
Windows SmartScreen flaw exploited to drop Phemedrone malware.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 13 Mar 2024 21:30:03 +0000