The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

DarkGate

Apr 15, 2024 3:29:16 PM / by The Hivemind

DARKGATEVerticals Targeted: Financial

Executive Summary

DarkGate was observed in early 2024 in a campaign leveraging CVE-2024-21412 to target entities in the financial vertical.

Key Takeaways

  • DarkGate, also known as Meh and MehCrypter, is a commodity loader that was first seen in the wild in 2018. 
  • It is considered to be both prolific and sophisticated.
  • Earlier this year, DarkGate was observed leveraging the CVE-2024-21412 Microsoft Windows Defender SmartScreen bypass to target entities in the financial vertical. 

What is DarkGate?

DarkGate, also known as Meh and MehCrypter, is a commodity loader that was first seen in the wild in 2018. It operates on a malware-as-a-service (MaaS) model. It is considered to be both prolific and sophisticated. Earlier this year, DarkGate was observed leveraging the CVE-2024-21412 Microsoft Windows Defender SmartScreen bypass. The campaign targeted entities in the financial vertical. Trend Micro reported on this activity. 

CVE-2024-21412 is a flaw allowing a bypass that circumvents Windows Defender SmartScreen. The feature, which is intended to stop phishing attempts and malware, is integrated into Windows 10 and 11. Threat actors can use malicious Internet Shortcut files or other malicious files to exploit this vulnerability. While the flaw has been patched by Microsoft, unpatched systems are still susceptible to this attack. 

In January, Trend Micro observed DarkGate being used in a campaign exploiting CVE-2024-21412 via the use of fake software installers. The threat actors used PDFs with Google DoubleClick Digital Marketing redirects, leading victims to compromised sites. The sites hosted the CVE-2024-21412 exploit, leading to a malicious .MSI installer masquerading as a legitimate installer for one of several applications including iTunes, Notion, NVIDIA, and others. 

The .MSI file contained a ZIP file in the path exploiting CVE-2023-36025, another Microsoft Windows Defender SmartScreen bypass. The installers used a sideloaded trojanized DLL to infect victims with DarkGate.

IOCs

PolySwarm has multiple samples of DarkGate.

 

f049356bb6a8a7cd82a58cdc9e48c492992d91088dda383bd597ff156d8d2929

029aeb0be8e690137fa8ef0d58823c28e6701499f9b6d2b2b2d8d2f863fb18c7

12018c2af0600fc1f1a75842a1d4f7777001fadb65f93125e479ec9b949e1773

1de8b971a9da9dcf3c8103699b10632674272d3a23e477b1b20f795fe1bf5bae

2e34908f60502ead6ad08af1554c305b88741d09e36b2c24d85fd9bac4a11d2f

 

You can use the following CLI command to search for all DarkGate samples in our portal:

$ polyswarm link list -f DarkGate

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

Topics: Threat Bulletin, Loader, DarkGate, CVE-2023-36025, CVE-2024-21412

The Hivemind

Written by The Hivemind

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts

Join the Marketplace

For Enterprises and Businesses

Learn More

For Security Experts and AV Companies

Learn More