
Darkgate

All articles tagged with #darkgate

DarkGate Malware Exploits Windows SmartScreen Flaw in Zero-Day Attack

Originally Published 1 year ago — by BleepingComputer


DarkGate malware operators are exploiting a now-fixed Windows Defender SmartScreen vulnerability to automatically install fake software installers and drop their malware onto targeted systems. The flaw, tracked as CVE-2024-21412, allows specially crafted downloaded files to bypass security warnings. The attack involves a complex, multi-step infection chain that uses malicious emails, open redirects, Windows shortcuts, and MSI files masquerading as legitimate software. Trend Micro has detailed the DarkGate infection chain and published indicators of compromise (IoCs) for this campaign, urging users to apply Microsoft's February 2024 Patch Tuesday update to mitigate the risk.

DarkGate Malware Exploits Messaging Services to Infect Organizations

Originally Published 2 years ago — by The Hacker News


DarkGate malware is being spread through instant messaging platforms like Skype and Microsoft Teams, using a Visual Basic for Applications (VBA) loader script disguised as a PDF document. When opened, the script triggers the download and execution of an AutoIt script that launches the malware. How the accounts used in the attacks were compromised is unclear, but leaked credentials or previous compromises are suspected. DarkGate is a commodity malware that harvests sensitive data, conducts cryptocurrency mining, and allows remote control of infected hosts. Social engineering campaigns delivering the malware have increased, leveraging tactics such as phishing emails and SEO poisoning. The attacks have been detected primarily in the Americas, followed by Asia, the Middle East, and Africa.