Windows SmartScreen Bypass Flaw Exploited to Drop DarkGate RAT

DarkGate malware operators have been exploiting a now-patched Windows SmartScreen bypass flaw through a phishing campaign that distributes fake Microsoft software installers to propagate the malicious code.

Trend Micro researchers, among others, discovered a then zero-day Internet Shortcut Files security feature bypass vulnerability tracked as CVE-2024-21412 earlier this year, which Microsoft patched as part of its February raft of Patch Tuesday updates. That's not before attackers such as Water Hydra exploited it for nefarious purposes.

Now Trend Micro researchers have found that DarkGate actors also pounced on the flaw in a mid-January campaign that lured users with PDFs containing Google DoubleClick Digital Marketing (DDM) open redirects, according to a Trend Micro Zero Day Initiative (ZDI) blog post published this week. These redirects led victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412, which in turn led to malicious Microsoft (.MSI) installers.

"In this attack chain, the DarkGate operators have abused the trust given to Google-related domains by abusing Google open redirects, paired with CVE-2024-21412, to bypass Microsoft Defender SmartScreen protections, which green-flags victims into malware infection," Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun explained in the post. "Using fake software installers, along with open redirects, is a potent combination and can lead to many infections."

DarkGate is a remote-access Trojan (RAT) written in Borland Delphi that's been advertised as a malware-as-a-service (MaaS) on a Russian-language cybercrime forum since at least 2018, according to Trend Micro. The researchers describe DarkGate as "one of the most prolific, sophisticated, and active strains of malware in the cybercrime world."

The malware has various features, including process injection, the download and execution file, information stealing, shell command execution, and keylogging abilities, among others. It also employs multiple evasion techniques.

DarkGate has been used widely by not only its operators but also various financially motivated threat actors to target organizations in North America, Europe, Asia, and Africa.

Abuse of Google Open Redirects

The flaw being exploited in the campaign is tied to a bypass of a previously patched SmartScreen vulnerability, CVE-2023-36025, which affects all supported Windows versions.

The DarkGate campaign observed by TrendMicro uses a common tactic abused by threat actors to use open redirects in Google DoubleClick Digital Marketing (DDM) technologies, which can lead to code execution when paired with security bypasses.

"Google uses URL redirects as part of its ad platform and suite of other online ad-serving services," the researchers explained. DDM tracks what queries the user submits and show relevant ads based on the query, and it's designed to help advertisers, publishers, and ad agencies manage and optimize online advertising campaigns.

It also has a dark side in that threat actors can abuse it to increase the reach of malware through specific ad campaigns and by targeting specific audiences, the researchers observed. In fact, this activity is on the rise and also has been used to spread other malware, including popular MaaS stealers such as Rhadamanthys and macOS stealers like Atomic Stealer (AMOS), they said.

Regarding the DarkGate phishing campaign, if a user clicks on the PDF lure in the malicious email, it triggers an open redirect from the doubleclick[.]net domain, diverting the user to a compromised Web server that exploits CVE-2024-21412 by redirecting to another Internet shortcut file. This eventually leads to a multistage execution of the DarkGate malware, which in this case is version 6.1.7 and includes some enhancements over previous versions seen in the wild, the researchers said.

"The main changes … include XOR encryption for configuration, the addition of new config values, a rearrangement of config orders to overcome the version 5 automation config extractor, and updates to command-and-control (C&C) command values," they wrote in the post.

Patch and Defend

Administrators of Windows systems can avoid compromise by the DarkGate CVE-2024-21412 exploitation campaign by patching their systems with the fix Microsoft has provided. Aside from this, there are other steps that organizations can take to defend their technology environments.

One is employee training and instruction, especially when it comes to installing unknown software on their machines, the researchers noted. "It is essential to remain vigilant and to instruct users not to trust any software installer that they receive outside of official channels," they wrote.

Broader cybersecurity defense includes continuous monitoring and identification of an environment's broader attack surface, including known, unknown, managed, and unmanaged cyber assets. This is key to prioritizing and addressing potential risks, including vulnerabilities, as well as the likelihood and impact of potential attacks, the researchers said.

It is essential to remain vigilant and to instruct users not to trust any software installer that they receive outside of official channels. Businesses and individuals alike must take proactive steps to protect their systems from such threats.