CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign

Trend Micro’s ZDI observed a DarkGate campaign in January 2024 that exploited CVE-2024-21412 to bypass Windows Defender SmartScreen and deliver DarkGate via malicious .MSI installers. The attack chain used Google DoubleClick open-redirects in phishing PDFs, .URL shortcut redirections to WebDAV-hosted payloads, and multi-stage DLL sideloading and AutoIt loaders to execute the DarkGate RAT. #DarkGate #CVE-2024-21412

Keypoints

  • Attackers used phishing PDFs with Google DoubleClick (DDM) open-redirects to lead victims to compromised hosts.
  • CVE-2024-21412 was exploited in .URL internet shortcut redirection to prevent Mark-of-the-Web (MotW) and bypass Windows Defender SmartScreen.
  • The redirected .URL chain led to a malicious .MSI installer (executed via msiexec) that unpacked a CAB and invoked a signed binary to sideload a trojanized DLL.
  • DLL sideloading loaded a trojanized libcef.dll which decrypted and extracted sqlite3.dll; sqlite3.dll contained an AutoIt loader, an AutoIt executable, script.au3, and auxiliary data.
  • The AutoIt script loaded an XOR-encrypted DarkGate payload (marker/key “zhRVKFlX”), decrypted it with a derived key, and executed it in-memory via a custom PE loader.
  • Deployed DarkGate v6.1.7 is a Delphi RAT using dynamic API resolution, syscall anti-hooking, and process hollowing techniques to evade detection.

MITRE Techniques

  • [T1566] Phishing – PDFs with embedded Google DoubleClick open-redirects were used to lure victims. (‘The target of the phishing campaign must select the button inside the phishing PDF in order for exploitation of CVE-2024-21412 and DarkGate infection to occur.’)
  • [T1204.002] User Execution: Malicious File – Victims execute fraudulent .MSI installers masquerading as legitimate software. (‘fake Microsoft software installers (.MSI) masquerading as legitimate software, including Apple iTunes, Notion, NVIDIA, and others.’)
  • [T1105] Ingress Tool Transfer – Attackers hosted and delivered installers and auxiliary files over WebDAV and HTTP. (‘it is hosted on an attacker-controlled WebDAV server’ and references to downloading .MSI files)
  • [T1574.002] DLL Side-Loading – A legitimate signed binary (NVIDIA Share.exe) was used to load a trojanized libcef.dll which initiated further decryption and payload stages. (‘DLL sideloading technique, where a legitimate app loads a malicious DLL file.’)
  • [T1055.012] Process Hollowing – DarkGate employs process hollowing as an evasion method, masked by syscall-based anti-hooking. (‘masks its deployment of process hollowing techniques, which are often flagged through the monitoring of API calls.’)

Indicators of Compromise

  • [SHA256 hashes] Installer and payload hashes – Test.msi: 0EA0A41E404D59F1B342D46D32AC21FBF3A6E005FFFBEF178E509EAC2B55F307, DarkGate RAT: 18d87c514ff25f817eac613c5f2ad39b21b6e04b6da6dbe8291f04549da2c290, and other hashes listed in the IOC file.
  • [File names] Installer and binaries – instantfeat.msi (fake NVIDIA installer), NVIDIA Share.exe (signed binary used for sideloading), libcef.dll (trojanized), sqlite3.dll (encrypted payload container).
  • [Domains] Command-and-control and redirect domains – jenb128hiuedfhajduihfa[.]com (C2 domain in config), doubleclick[.]net (Google DDM open-redirect used in phishing PDFs).
  • [Shortcut files / URLs] Internet shortcut samples – JANUARY-25-2024-FLD765.url, gamma.url (used to chain redirections exploiting CVE-2024-21412 and to point to the .MSI/WebDAV resources).

Attack flow (technical summary): threat actors embedded Google DoubleClick open-redirect links inside phishing PDFs; when victims clicked the PDF button, the redirect led to an attacker-controlled web server hosting a .URL internet shortcut that exploited CVE-2024-21412 to bypass Mark-of-the-Web and SmartScreen. That shortcut redirected to another .URL on an attacker WebDAV host which referenced an .MSI package. The .MSI (executed by msiexec) extracted a CAB into %TEMP% and launched a legitimate signed executable (NVIDIA Share.exe) that performed DLL sideloading, loading a trojanized libcef.dll.
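
A defender-side triage check for the .URL chaining step described above, added here as an example and not code from the Trend Micro report: it parses Internet Shortcut files, works out where the URL= target is fetched from, and flags shortcuts that point at another remote .url or straight at a remote installer. The sample shortcuts are constructed (file names taken from the report, host set to a documentation address), and the \\host@80\share UNC form is assumed as the WebDAV path syntax.

```python
import configparser
import os
from urllib.parse import urlparse

# Flag a .url whose target is another remote .url, or a remote installer/binary.
CHAIN_EXT, PAYLOAD_EXT = {".url"}, {".msi", ".exe", ".dll", ".cab"}

# Constructed samples modelled on the chain above; 198.51.100.7 is an RFC 5737 documentation address.
SAMPLES = {
    "JANUARY-25-2024-FLD765.url": "[InternetShortcut]\r\nURL=file://198.51.100.7/share/gamma.url\r\n",
    "gamma.url": "[InternetShortcut]\r\nURL=\\\\198.51.100.7@80\\share\\instantfeat.msi\r\nIconIndex=0\r\n",
    "benign.url": "[InternetShortcut]\r\nURL=https://example.com/docs\r\n",
}

def shortcut_target(text: str) -> str:
    """URL= value of the [InternetShortcut] section, or '' if missing."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return cp.get(section, "URL", fallback="").strip()
    return ""

def remote_host(target: str) -> str:
    r"""Host the target is fetched from ('' if local): http(s), file:// with a
    netloc, or a UNC path like \\host@80\share\x (WebDAV redirector form)."""
    if target.startswith("\\\\"):
        return target[2:].split("\\", 1)[0].split("@", 1)[0].lower()
    p = urlparse(target)
    if p.scheme in ("http", "https", "file") and p.netloc:
        return p.netloc.rsplit("@", 1)[-1].split(":", 1)[0].lower()
    return ""

def target_ext(target: str) -> str:
    """Extension of the target's last path segment, query/fragment dropped."""
    leaf = target.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
    return os.path.splitext(leaf.split("?", 1)[0].split("#", 1)[0])[1].lower()

def assess_shortcut(name: str, text: str) -> dict:
    """Verdict: 'chained' (remote .url), 'payload' (remote binary), 'remote', 'ok'."""
    target = shortcut_target(text)
    host, ext = remote_host(target), target_ext(target)
    if host and ext in CHAIN_EXT:
        verdict = "chained"   # .url -> remote .url: the redirection step above
    elif host and ext in PAYLOAD_EXT:
        verdict = "payload"   # .url -> remote installer or binary
    else:
        verdict = "remote" if host else "ok"
    return {"file": name, "target": target, "host": host, "verdict": verdict}
```

Run assess_shortcut over each entry of SAMPLES (or over the contents of real .url files) and treat "chained" and "payload" verdicts as high-priority for review.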

The trojanized libcef.dll decrypted and extracted sqlite3.dll, which contained four segments: an encrypted AutoIt loader, an encrypted AutoIt runtime (AutoIt3.exe), a compiled AutoIt script (script.au3), and test.txt data. The AutoIt loader reconstructed files, wrote them to disk, and executed the AutoIt runtime to run script.au3; the script located the DarkGate encrypted blob using the marker ‘zhRVKFlX’, derived/decrypted the payload key, then performed a custom XOR decryption (final key example: ‘roTSOEnY’).

Finally, the decrypted DarkGate payload was mapped and executed in memory by a custom PE loader (VirtualAlloc, import resolution, base relocations, jump to OEP). DarkGate v6.1.7 is a Delphi-based RAT that uses dynamic API resolution, XOR-encrypted configuration, syscall-based anti-ntdll hooking, and process hollowing to evade detection and maintain C2 communications with encoded/encrypted HTTP POST traffic.

Read more: https://www.trendmicro.com/en_us/research/24/c/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html