A new wave of attacks by the DarkGate malware operation exploits a now-fixed Windows Defender SmartScreen vulnerability to bypass security checks and automatically install fake software installers.
SmartScreen is a Windows security feature that displays a warning when users attempt to run unrecognized or suspicious files downloaded from the internet.
The flaw tracked as CVE-2024-21412 is a Windows Defender SmartScreen flaw that allows specially crafted downloaded files to bypass these security warnings.
Attackers can exploit the flaw by creating a Windows Internet shortcut (.url file) that points to another .url file hosted on a remote SMB share, which would cause the file at the final location to be executed automatically.
Microsoft fixed the flaw in mid-February, with Trend Micro disclosing that the financially motivated Water Hydra hacking group previously exploited it as a zero-day to drop their DarkMe malware onto traders’ systems.
Today, Trend Micro analysts reported that DarkGate operators are exploiting the same flaw to improve their chances of success (infection) on targeted systems.
This is a significant development for the malware, which, together with Pikabot, has filled the void created by QBot’s disruption last summer and is used by multiple cybercriminals for malware distribution.
DarkGate attack details
The attack begins with a malicious email that includes a PDF attachment with links that utilize open redirects from Google DoubleClick Digital Marketing (DDM) services to bypass email security checks.
When a victim clicks on the link, they are redirected to a compromised web server that hosts an internet shortcut file. This shortcut file (.url) links to a second shortcut file hosted on an attacker-controlled WebDAV server.
Source: Trend Micro
Using one Windows Shortcut to open a second Shortcut on a remote server effectively exploits the CVE-2024-21412 flaw, causing a malicious MSI file to execute automatically on the device.
Source: Trend Micro
These MSI files masqueraded as legitimate software from NVIDIA, the Apple iTunes app, or Notion.
Upon execution of the MSI installer, another DLL sideloading flaw involving the “libcef.dll” file and a loader named “sqlite3.dll” will decrypt and execute the DarkGate malware payload on the system.
Once it’s initialized, the malware can steal data, fetch additional…
Click Here to Read the Full Original Article at BleepingComputer…