Cybersecurity experts have identified that hackers are exploiting a Windows Defender SmartScreen vulnerability to deploy DarkGate malware. SmartScreen is a Windows security feature that displays a warning when users attempt to run unrecognized or suspicious files downloaded from the Internet.
Windows Defender is a Microsoft service that provides real-time protection: it actively monitors a computer’s activity and scans files in real time to detect and block potential threats.
Looking at this concerning development for Digital Journal is Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ.
Costis looks at the nature of this newly reported vulnerability: “A vulnerability in Windows Defender SmartScreen, recently patched by Microsoft in February, is now being exploited by DarkGate malware operators. SmartScreen is a feature that determines whether a site is malicious and warns users before attempting to run any suspicious files.”
On the consequences of the flaw, the expert warns: “DarkGate operators are using the patched flaw to increase their success rates in infecting systems.”
In terms of the nature of the malicious software, Costis observes: “DarkGate, initially identified in 2018, has operated under a Malware-as-a-Service (MaaS) business model on cybercrime forums since June 2023. This sophisticated malware strain has been observed infecting users through malicious emails containing PDF attachments, redirecting users to compromised web servers, and bypassing email security checks.”
Malware-as-a-Service (MaaS) is a business model under which cybercriminals provide access to malicious software and related infrastructure for a fee, forming part of the wider Cybercrime-as-a-Service (CaaS) model.
There are measures that businesses and major software providers need to take to counteract the problem. Costis summarises these as: “Given DarkGate’s complex infection chain and range of techniques, organizations must validate their security postures against the Tactics, Techniques, and Procedures (TTPs) associated with DarkGate.”
Costis also recommends: “As the malware resurfaces with expanded exploitation and evolving tactics, security teams must remain vigilant. In addition to applying Microsoft’s February Patch Tuesday update to this vulnerability, security teams should continuously test their defenses, leveraging insights from the MITRE ATT&CK framework, and prioritizing a proactive approach.”
