DarkGate Exploit Targets Full Control Of Unpatched Windows PCs So Update ASAP

darkgate exploit bypasses windows defender security
This week, researchers have reported that earlier this year, threat actors leveraged a vulnerability in Windows to deploy DarkGate malware after phishing the victim for initial access. The vulnerability tracked as CVE-2024-21412 led to users running fake Microsoft software installer (.MSI) packages that looked like iTunes, NVIDIA, and other real programs. From here, the compromised device would be linked to a command and control (C2) network where the attacker could do anything they wanted.

The infection chain begins with a victim receiving a phishing email using an open redirect, meaning clicking a link could send you elsewhere besides that link, in this case, a compromised web server. This web server hosts a .URL internet shortcut file that exploits CVE-2024-21412 by redirecting to another internet shortcut file, which itself points to an attacker-controlled WebDAV server hosting a .MSI file containing a zip archive that can exploit CVE-2023-36025, a vulnerability that allows the bypass of Windows SmartScreen.

chain darkgate exploit bypasses windows defender security

When this package is run, it runs as if it were installing something and sideloads a DLL file containing the malicious installation logic. This DLL drops a compressed file in a temporary directory, which is then decompressed using the Windows tool expand.exe. This decompressed file contains a legitimate piece of software, such as NVIDIA Share, in the example shown in the research. This legitimate is then used to sideload a trojanized version of libcef.dll, which runs automated executables and scripts to establish the DarkGate malware.

execution darkgate exploit bypasses windows defender security

Researchers from TrendMicro who reported on this explained in the deep dive of the DarkGate malware that it has existed as malware-as-a-service on Russian-language hacking forums since 2018. Its capabilities include “process injection, the download and execution file, information stealing, shell command execution, keylogging abilities,” which means it is robust.

Thankfully, the core vulnerability behind all this, CVE-2024-21412, was patched in the February 13th security update for Windows. Therefore, if you are not yet patched, you should definitely look to be soon, as threat actors are using the now-fixed vulnerabilities for their gain. Regardless, keeping up with the latest security patches is just good cybersecurity hygiene, so you should be doing that anyway.