{
	"id": "f20ddaf5-070e-4169-8178-428ea45fcf41",
	"created_at": "2026-04-06T00:10:49.415885Z",
	"updated_at": "2026-04-12T02:21:43.80639Z",
	"deleted_at": null,
	"sha1_hash": "404905f1576c85583c4594c5834b45de5210172a",
	"title": "CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8595625,
	"plain_text": "CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows\r\nSmartScreen Bypass in Zero-Day Campaign\r\nPublished: 2024-03-13 · Archived: 2026-04-05 15:09:15 UTC\r\nThe Zero Day Initiative (ZDI) recently uncovered a DarkGate campaign in mid-January 2024, which exploited CVE-2024-21412 through the use of fake software installers. During this campaign, users were lured using PDFs that contained Google\r\nDoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the\r\nMicrosoft Windows SmartScreen bypass CVE-2024-21412, which in turn led to malicious Microsoft installer (.MSI) files. The phishing\r\ncampaign employed open redirect URLs from Google Ad technologies to distribute fake Microsoft software installers\r\n(.MSI) masquerading as legitimate software, including Apple iTunes, Notion, NVIDIA, and others. The fake installers\r\ncontained a sideloaded DLL file that decrypted and infected users with a DarkGate malware payload.\r\nThis campaign was part of the larger Water Hydra APT zero-day analysis. The Zero Day Initiative (ZDI) monitored this\r\ncampaign closely and observed its tactics. Using fake software installers, along with open redirects, is a potent combination\r\nand can lead to many infections. It is essential to remain vigilant and to instruct users not to trust any software installer that\r\nthey receive outside of official channels. Businesses and individuals alike must take proactive steps to protect their systems\r\nfrom such threats.\r\nDarkGate, which operates on a malware-as-a-service (MaaS) model, is one of the most prolific, sophisticated, and active\r\nstrains of malware in the cybercrime world. This piece of malicious software has often been used by financially motivated\r\nthreat actors to target organizations in North America, Europe, Asia, and Africa.\r\nTrend Micro customers have been protected from this zero-day since January 17. 
CVE-2024-21412 was officially patched\r\nby Microsoft in their February 13 security patch. In a special edition of the Zero Day Initiative Patch Report, we provide a video demonstration of CVE-2024-21412. To gain insights into how Trend customers enjoy zero-day\r\nprotection through the ZDI from attacks such as CVE-2024-21412, we provide an in-depth webinar including a Trend Vision\r\nOne™ live demo.\r\nAnalyzing the infection chain\r\nIn the following sections, we will explore the DarkGate campaign by looking at each piece of the chain, as shown in Figure 1.\r\nOpen redirect: Google DoubleClick Digital Marketing (DDM)\r\nIn recent years, threat actors have been abusing Google Ads technologies to spread malware. In addition to purchasing ad\r\nspace and sponsored posts, threat actors have also been utilizing open redirects in Google DDM technologies. Abusing open\r\nredirects could lead to code execution, primarily when used with security bypasses such as CVE-2023-36025 and CVE-2024-21412. Open redirects abuse the inherent trust associated with major web services and technologies that most users\r\ntake for granted.\r\nTo initiate the DarkGate infection chain, the threat actors deployed an open redirect from the doubleclick[.]net domain inside\r\na PDF file served via a phishing campaign, using the “adurl” parameter to redirect the victim to a compromised web\r\nserver (Figure 2). The target of the phishing campaign must select the button inside the phishing PDF in order for\r\nexploitation of CVE-2024-21412 and DarkGate infection to occur.\r\nhttps://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html\r\nPage 1 of 19\n\nFigure 2. Open redirect inside phishing PDF\r\nGoogle uses URL redirects as part of its ad platform and suite of other online ad-serving services. 
At its core, Google\r\nDoubleClick provides solutions designed to help advertisers, publishers, and ad agencies manage and optimize their online\r\nadvertising campaigns. We have seen an increase in the abuse of the Google Ads ecosystem to deliver malicious software in\r\nthe past, including threat actors using popular MaaS stealers such as Rhadamanthys and macOS stealers\r\nlike Atomic Stealer (AMOS). Threat actors can abuse Google Ads technologies to increase the reach of\r\nmalware through specific ad campaigns and by targeting specific audiences.\r\nWhen a user searches for content with the Google search engine, sponsored ads will be shown to the user. These are placed by\r\nbusinesses and marketing teams using technologies such as Google DoubleClick. These ad technologies track what queries\r\nthe user submits and show relevant ads based on the query.\r\nWhen selecting an ad, the user initiates a request chain that redirects the user to the target resource set by the\r\nadvertiser (Figure 3). The Google DoubleClick technologies operate under the HTTP/2 protocol; we can decrypt this traffic\r\nto understand the flow of redirection from the network.\r\nFigure 3. Sample decrypted Google DoubleClick ad request\r\nBesides purchasing ad space directly, one way in which threat actors can spread malicious software more efficiently is by\r\nusing open redirects in URLs related to Google DDM. Abusing open redirects might lead to code execution, primarily when\r\nused with security bypasses such as CVE-2023-36025 and CVE-2024-21412. 
While Microsoft Windows has a feature called\r\nMark-of-the-Web (MotW) to flag content from insecure sources such as the web, DarkGate operators can bypass Windows\r\nDefender SmartScreen protections by exploiting CVE-2024-21412, which leads to DarkGate infection. In this attack chain,\r\nthe DarkGate operators have abused the trust given to Google-related domains through Google open redirects, paired\r\nwith CVE-2024-21412, to bypass Microsoft Defender SmartScreen protections, so that victims are waved through into malware\r\ninfection.\r\nExecution: Exploiting CVE-2024-21412 (ZDI-CAN-23100) to bypass Windows Defender SmartScreen\r\nTo exploit CVE-2024-21412, the operators behind DarkGate redirect a victim with the Google DoubleClick open redirect to\r\na compromised web server that contains the first .URL internet shortcut file.\r\nThis internet shortcut file exploits CVE-2024-21412 by redirecting to another internet shortcut file, as shown in Figure 4.\r\nThe internet shortcut file uses the “URL=” parameter to point to the next stage of the infection process; this time, it is hosted\r\non an attacker-controlled WebDAV server.\r\nFigure 4. Contents of “JANUARY-25-2024-FLD765.url”\r\nThe next stage of the infection process points to a .MSI file containing a zip archive (ZIP) in the path exploiting CVE-2023-36025, as shown in Figure 5.\r\nFigure 5. Contents of “gamma.url”\r\nThis sequence of internet shortcut redirection that executes a Microsoft software installer from an untrusted source should\r\nproperly apply MotW, which will, in turn, stop and warn users through Microsoft Defender SmartScreen that a script is\r\nattempting to execute from an untrusted source, such as the web. By exploiting CVE-2024-21412, the victim’s Microsoft\r\nDefender SmartScreen is never prompted, because MotW is not properly applied. 
This leaves the victim vulnerable to the\r\nnext stage of the DarkGate infection: fake software installers using .MSI files.\r\nExecution: Stage 1 – DarkGate Microsoft software installers\r\nFile name | SHA256 | Size\r\nTest.msi | 0EA0A41E404D59F1B342D46D32AC21FBF3A6E005FFFBEF178E509EAC2B55F307 | 7.30 MB\r\nTable 1. .MSI file sample\r\nIn the next stage of the infection chain, a .MSI file is used to sideload a DLL file, and an AutoIt script is used to decrypt and\r\ndeploy the DarkGate payload. In the particular sample shown in Table 1, the DarkGate operators wrap the DarkGate payload\r\nin a .MSI installer package masquerading as an NVIDIA installer (Figure 6). This installer is executed with the\r\nWindows msiexec.exe utility, as shown in Figure 7. To the victim, an installer window appears, and it looks as if a normal\r\nNVIDIA software installation is occurring.\r\nFigure 6. The fake NVIDIA .MSI installer package, “instantfeat.msi”\r\nFigure 7. MSI execution process\r\nThe .MSI installer employs a CustomActionDLL, a DLL file that contains the logic of the installation process (Figure 8).\r\nInitially, the CustomActionDLL generates a directory within the %tmp% folder named MW-\u003cUuid\u003e, where it places a\r\nWindows Cabinet archive (CAB) named files.cab. It then utilizes the built-in Windows tool expand.exe to decompress the\r\ncontents of the CAB file. Following this, it proceeds to execute a digitally signed, legitimate binary file, NVIDIA Share.exe.\r\nFigure 8. 
MSI installation logic\r\nExecution: Stage 2 – DLL sideloading\r\nFile name | SHA256 | Size | Signature verification\r\nNVIDIA Share.exe | F1E2F82D5F21FB8169131FEDEE6704696451F9E28A8705FCA5C0DD6DAD151D64 | 3,264 KB | Signed file, valid signature\r\nlibcef.dll | 64D0FC47FD77EB300942602A912EA9403960ACD4F2ED33A8E325594BF700D65F | 1,514 KB | -\r\nsqlite3.dll | DF0495D6E1CF50B0A24BB27A53525B317DB9947B1208E95301BF72758A7FD78C | 1,656 KB | -\r\nchrome_elf.dll | 37647FD7D25EFCAEA277CC0A5DF5BCF502D32312D16809D4FD2B86EEBCFE1A5B | | Signed file, valid signature\r\nTable 2. DLL sideloading samples\r\nIn the second stage of payload execution, DarkGate employs a DLL sideloading technique, where a legitimate app loads a\r\nmalicious DLL file. In this case, the adversary uses the NVIDIA Share.exe application to load a trojanized libcef.dll library.\r\nOur investigation showed that different campaigns use a variety of legitimate apps for DLL sideloading. We have listed\r\nthese compromised files at the end of this entry.\r\nThe malicious code resides within the “GetHandleVerifier” function of the libcef.dll file, which is invoked from the DLL’s\r\nentry point. The purpose of this DLL is to decrypt the next stage, the XOR-encrypted loader named sqlite3.dll (Figure 9).\r\nThe DarkGate stub builder creates an 8-byte master key, which is used throughout all modules and components in that build.\r\nIn this attack, the master key is “zhRVKFlX”. For each stage, the malware uses this key in different ways. Sometimes it uses\r\nthe key as a marker to tell different payloads apart in a file, or it decrypts this key with a custom XOR algorithm to make\r\nanother key for decrypting the payload.\r\nFigure 9. 
Decryption process of “sqlite3.dll”\r\nExecution: Stage 3 – AutoIt loader\r\nFile name | SHA256 | Size | Compile date\r\nDLL_Internal.exe | 5C5764049A7C82E868C9E93C99F996EFDF90C7746ADE49C12AA47644650BF6CB | 1,657 KB | Jan. 3, 2024\r\nTable 3. AutoIt dropper sample\r\nThe sqlite3.dll file is segmented into four distinct parts:\r\nSegment 1: Encrypted loader\r\nSegment 2: Encrypted Autoit3.exe\r\nSegment 3: Clear-text script.au3\r\nSegment 4: Clear-text test.txt\r\nThe first segment, which is 321 KB, is an AutoIt loader executable that was decrypted in the earlier step. The loader\r\nbinary starts with an \"MZRE\" header, allowing it to execute as shellcode. This shellcode is engineered to dynamically map\r\nand load a PE file (the AutoIt loader) into memory. Once the PE file is mapped in memory, the shellcode executes\r\nthe Original Entry Point (OEP) of the payload executable.\r\nUpon execution, the loader reads the original sqlite3.dll file and looks for the keyword \"delimitador\" (Figure 10). It uses this\r\nkeyword as a marker to identify and separate each file contained within. Then, it extracts these files and saves them to the\r\nC:\\temp directory.\r\nFigure 10. AutoIt modules dropper\r\nExecution: Stage 4 – AutoIt script analysis\r\nFile name | SHA256 | Size\r\nAutoit3.exe | 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D | 873 KB\r\nscript.au3 | 22EE095FA9456F878CFAFF8F2A4871EC550C4E9EE538975C1BBC7086CDE15EDE | 469 KB\r\ntest.txt | 1EA0E878E276481A6FAEAF016EC89231957B02CB55C3DD68F035B82E072E784B | 76 bytes\r\nTable 4. AutoIt script samples\r\nThe script.au3 is a pre-compiled AutoIt script that contains two sections (Figure 11). 
The first section is a valid AutoIt\r\ncompiled script with magic bytes “AU3!EA06” (0x4155332145413036) that will be executed by the AutoIt.exe file. The\r\nsecond section is an encrypted DarkGate remote access trojan (RAT), with the start and end of the encrypted payload marked\r\nby “zhRVKFlX”.\r\nFigure 11. Structure of “script.au3”\r\nThe script.au3 is responsible for loading and executing the stage-five DarkGate loader in memory. The snippet shown in\r\nFigure 12 is a decompiled AutoIt script.\r\nFigure 12. Decompiled AutoIt script\r\nThe test.txt file acts as an external data source. The script reads the content of test.txt (Figure 13), splits it into an array of\r\nindividual characters, and then selectively concatenates certain characters based on predefined indices to construct a\r\ncommand or expression.\r\nFigure 13. Contents of “test.txt”\r\nThe variable “$ZZNdmOFL” holds a binary file, and at the end there is logic to load the binary into memory and pass\r\nexecution to the loader via the \"EnumWindows\" API callback function. The snippet shown in Figure 14 is the\r\ndeobfuscated logic:\r\nFigure 14. Deobfuscated logic\r\nThe code proceeds to verify the presence of the “CProgramDataSophos” directory on the system. It seems this directory name is\r\ndistorted due to obfuscation processes. 
In a previous version of the script, the existence check was aimed at the C:\\Program\r\nFiles(x86)\\Sophos folder, indicating an error in directory naming in this version.\r\nThe script creates a C-like structure in memory via “DllStructCreate,” which will be used when calling DLL functions and\r\nallocates the necessary space for the DarkGate loader payload. It then calls into kernel32.dll using “DllCall”,\r\ninvoking the “VirtualProtect” function. This function is used to change the protection on a region of memory within the\r\nprocess's virtual address space. The protection is set to 0x40, which corresponds to “PAGE_EXECUTE_READWRITE”,\r\nallowing the memory region to be executed, read, and written to.\r\nThe script then populates the previously created structure with binary data converted from a string representation. This\r\nconversion is done by taking a hexadecimal string stored in the variable “$ZZNdmOFL”, converting it to binary with\r\n“BinaryToString”, and then setting this binary data into the first segment of “$PT” using “DllStructSetData”. This process\r\neffectively loads the DarkGate Delphi loader binary.\r\nLastly, the script uses API callback functions to redirect the flow of execution to the next stage payload. Callback functions\r\nare routines that are passed as a parameter to Windows API functions. The script calls into user32.dll to invoke\r\n“EnumWindows”, leveraging the pointer that corresponds to the “$ZZNdmOFL” value as the callback.\r\nExecution: Stage 5 – DarkGate shellcode PE loader\r\nThe shellcode execution begins with three jumps to the binary header. From there, a call is made to a custom implementation\r\nof the PE loader (Figure 15).\r\nFigure 15. Call made to a custom implementation of the PE loader\r\nThe DarkGate loader requires a PE loader to map the binary file in memory. 
To provide one, the “$ZZNdmOFL” variable\r\ncontains shellcode that loads and executes a PE file in memory (Figure 16).\r\nFigure 16. DarkGate custom PE loader\r\nExecution: Stage 5.1 – DarkGate Delphi loader analysis\r\nThe primary purpose of the DarkGate loader is to extract the final payload, the DarkGate RAT, from the AutoIt script, load it into\r\nmemory, decrypt it, and execute it (Figure 17).\r\nWhen the loader is run, it checks the command-line argument of the AutoIt.exe process, which indicates the path to the\r\nAutoIt script. If a parameter is present, it proceeds to load the script’s content into a buffer. Then, it uses an 8-byte marker\r\n(“zhRVKFlX”) to search through the content to find the encrypted blob, which starts right after the marker.\r\nFigure 17. Find and load encrypted DarkGate payload from AutoIt script\r\nThe payload decryption key is encrypted with XOR. The loader decrypts the key by iterating over each byte, applying an\r\nXOR operation with a value that decreases from the key’s length, as shown in Figure 18.\r\nFigure 18. Process for decrypting the payload decryption key\r\nAfter obtaining the decryption key, “roTSOEnY”, the malware then utilizes a custom XOR decryption method to decrypt the\r\npayload (Figure 19). The decryption process begins by applying an XOR operation to each byte, pairing it with a\r\ncorresponding byte from the decrypted key. This pairing is guided by a key index that dynamically updates throughout the\r\nprocess. 
This key index is recalculated after each XOR operation by adding the current key byte’s value to the index and\r\ntaking the modulus with the key’s total size, ensuring the index cycles through the key in a pseudo-random manner. If the\r\nkey index ever reaches zero following an update, it is reset to the last position in the key. This process is repeated for each\r\nbyte in the payload until the entire blob has been decrypted.\r\nFigure 19. DarkGate payload decryption process\r\nOnce the loader decrypts the payload, it passes it to the function “mw_Execute_Payload” to execute the payload directly\r\nfrom memory (Figure 20). The execution process can be broken down into five steps:\r\n1. Memory allocation. The function begins by allocating memory to host the payload. It uses the “VirtualAlloc” API\r\ncall with “MEM_COMMIT” and a protection flag of 0x40 (PAGE_EXECUTE_READWRITE), allowing the\r\nallocated memory to be executed.\r\n2. Header and section mapping. It then copies the PE headers and each section of the PE file into the allocated memory.\r\nThis includes both the executable code and data sections.\r\n3. Import resolution. Next, the function resolves imports by walking through the import directory. For each imported\r\nDLL, it loads the library using “LoadLibraryA” and then resolves each required function with “GetProcAddress”.\r\nThe addresses of these functions are updated in the Import Address Table (IAT).\r\n4. Base relocation handling. The code performs base relocations to adjust memory addresses within the loaded image.\r\n5. Execution. Finally, the loader transfers execution control to the entry point (OEP) of the loaded PE file. This is\r\nimplied to be done through an assembly jump instruction “__asm { jmp eax }”, where eax contains the address of\r\nthe entry point.\r\nFigure 20. 
DarkGate loader execution overview\r\nFigure 21. DarkGate loader payload executing process\r\nDarkGate RAT analysis\r\nSHA-256 | 18d87c514ff25f817eac613c5f2ad39b21b6e04b6da6dbe8291f04549da2c290\r\nCompiler | Borland Delphi\r\nOriginal name | Stub\r\nFile type | Win32\r\nDarkGate version | 6.1.7\r\nTable 5. Properties of the DarkGate RAT sample\r\nDarkGate is a RAT written in Borland Delphi that has been advertised as a MaaS on a Russian-language cybercrime forum\r\nsince at least 2018. The malware has various features, including process injection, file download and execution,\r\ninformation stealing, shell command execution, keylogging abilities, and more. It also employs multiple evasion techniques.\r\nIn this campaign, DarkGate version 6.1.7 has been deployed. The main changes in version 6 include XOR encryption for\r\nthe configuration, the addition of new config values, a rearrangement of the config order to defeat the version 5 automated\r\nconfig extractor, and updates to command-and-control (C\u0026C) command values.\r\nUpon execution, DarkGate activates its anti-ntdll.dll-hooking measure by using the Direct System Call (syscall) method, specifically\r\ndesigned for times when the malware needs to call native APIs from ntdll.dll. This technique permits DarkGate to invoke\r\nkernel-mode functions directly, bypassing the standard user-mode API layers. Utilizing syscalls, DarkGate adeptly masks its\r\ndeployment of process hollowing techniques, which are often flagged through the monitoring of API calls. 
This method not\r\nonly enhances the stealthiness of the malware but also complicates detection and analysis efforts by security mechanisms, as\r\nit obfuscates the malware's reliance on critical system functions for malicious activities.\r\nThe malware determines the operating system architecture by checking for the presence of the\r\nC:\\Windows\\SysWOW64\\ntdll.dll file. Depending on whether the architecture is x64 or x86, DarkGate employs a different\r\nsyscall method. For x86 architecture, syscalls are executed directly using inline assembly with the “sysenter” instruction.\r\nConversely, for x64 architecture, it utilizes the “FS:[0xC0]” pointer, which references the “wow64cpu!KiFastSystemCall” to\r\nperform the syscall (Figure 22).\r\nFigure 22. 64-bit system KiFastSystemCall function\r\nMalware often calls API functions that leave behind static artifacts, such as strings in the payload files. These artifacts can\r\nbe leveraged by defense analysts to deduce the range of functions a binary file might execute, typically through an\r\nexamination of its Import Address Table (IAT).\r\nTo evade static analysis, minimize the visibility of suspicious API calls, obscure malicious functionalities, and hinder the\r\neffectiveness of defensive analysis, the malware dynamically resolves API functions during runtime. 
The following is a list\r\nof API functions resolved dynamically at runtime by DarkGate:\r\nuser32.dll\r\nMessageBoxTimeoutA\r\nGetWindowTextA\r\nGetWindowTextW\r\nFindWindowExA\r\nGetForegroundWindow\r\nFindWindowA\r\nGetKeyState\r\nEnumDisplayDevicesA\r\nGetKeyboardState\r\nGetWindow\r\nGetWindowThreadProcessId\r\nSendMessageA\r\nGetWindowTextLengthW\r\nAdvapi32.dll\r\nRegSetValueExA\r\nRegDeleteValueA\r\nRegCloseKey\r\nRegOpenKeyExA\r\nShell32.dll\r\nShellExecuteA\r\nUnlike DarkGate version 5, in which the configuration is in clear text, the configuration in version 6 is XOR-encrypted. The\r\ndecryption process, as shown in Figure 23, is similar to that of the Delphi loader in Figure 21. The function accepts the encrypted\r\nbuffer, a hard-coded key and the buffer size. It then generates a new decryption key based on the given key and decrypts the\r\nconfiguration buffer.\r\nFigure 23. 
DarkGate version 6 configuration decryption process\r\nTable 6 outlines key configuration settings for DarkGate version 6, including parameter keys, value types, and descriptions.\r\nParameter key | Value type and value | Description\r\n0/DOMAINS | String: jenb128hiuedfhajduihfa[.]com | C\u0026C server domain\r\nEPOCH | Int: XXXXXX | Payload generated time\r\n8 | Bool: Yes | Fake Error: Display “MessageBoxTimeOut with” message for six seconds\r\n11 | String: DarkGate | Fake Error: “MessageBoxTimeOut lpCaption” value\r\n12 | String: R0ijS0qCVITtS0e6xeZ | Custom Base64-encoded text for the fake error message, decodes to “HelloWorld!”\r\n15 | 80 | Designates the port number used by the C\u0026C server\r\n1 | Bool: Yes | Enables startup persistence and malware installation\r\n3 | Bool: Yes | Activates anti-virtual machine (VM) checks based on display devices\r\n4 | Bool: Yes | Enables anti-VM check for minimum disk storage\r\n18 | Int: 100 | Specifies the minimum disk storage required to bypass the VM check in option 4\r\n6 | Bool: Yes | Activates anti-VM checks based on display devices\r\n7 | Bool: Yes | Enables anti-VM check for minimum RAM size\r\n19 | Int: 7000 | Sets the minimum RAM size required for the anti-VM check in option 7\r\n5 | Bool: Yes | Checks if the CPU is Xeon to detect server environments\r\n25 | String: admin888 | Campaign ID\r\n26 | Bool: No | Determines whether execution with process hollowing is enabled\r\n27 | String: zhRVKFlX | Provides the XOR key/marker used for DarkGate payload decryption\r\nTabla | String: n]Swa6”NY=.yB3jICJzqO147gos{UaciQP(LT2[…REDACTED…] | test.txt data (external data source to decrypt the AutoIt script)\r\nTable 6. 
Key configuration settings for DarkGate version 6\r\nAfter completing the initial setup, the malware registers the infected system with its C\u0026C server via HTTP POST requests.\r\nThe following snippet shows the structure of a registration message:\r\n\u003cForeground Window title – utf16 – Hex encoded\u003e|\u003cIdle Time\u003e|\u003cGetTickCount\u003e|\u003cBool: IsUserAnAdmin\u003e|\u003cDarkgate Version\u003e|||\r\nThe structure is composed of the following:\r\n1. Title of foreground window. This is the title of the window that is currently active or in the foreground on the\r\ninfected machine. The title is encoded in UTF-16 and then converted to hexadecimal.\r\n2. Idle time in seconds. This represents the duration, in seconds, since the last user interaction (keyboard or mouse\r\ninput) with the system.\r\n3. System uptime in milliseconds. This is obtained using the “GetTickCount” Windows API function and indicates the\r\namount of time, in milliseconds, that has elapsed since the system was last started.\r\n4. Is the user an administrator. This is a Yes/No flag indicating whether the malware has administrative privileges on the\r\ninfected system.\r\n5. Version of DarkGate malware. This specifies the version of the DarkGate malware that has infected the system.\r\nTo transmit the data to the C\u0026C server, the malware executes a series of steps, detailed as follows:\r\n1. Initialization of data packet: The data designated for exfiltration is prepended with a distinct traffic identifier to\r\nfacilitate tracking. For instance, the integer “1000” is utilized for initial C\u0026C registration traffic and command\r\nretrieval.\r\n2. Unique identification hash calculation: A custom encoded MD5 hash is generated by combining the Windows\r\nProduct ID, Processor Information, and Hex-Encoded Computer Name. 
The malware uses this hash for various\r\noperations, and it is generated during the malware's initial execution. The components used in this calculation\r\ninclude:\r\n  1. Windows Product ID: Located at the registry path “HKLM\\SOFTWARE\\Microsoft\\Windows\r\nNT\\CurrentVersion\\ProductId”\r\n  2. Processor Information: Extracted from\r\n“HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString” and the total\r\nnumber of processors obtained through the “GetSystemInfo” function\r\n  3. Computer Name: The computer's name, encoded in UTF-16 hex format\r\n  4. Custom Encoding: The resulting MD5 digest is then encoded with a specialized alphabet:\r\n\"abcdefKhABCDEFGH\".\r\n3. Key generation: An XOR operation is applied to the MD5 hash to produce a new encryption key.\r\n4. Data encryption: The original data is encrypted using the newly generated key through an XOR cipher.\r\n5. Prepending encoded hash: The original (pre-encryption) encoded MD5 hash is prepended to the encrypted data. This\r\nhash serves as a decryption key for the DarkGate C\u0026C server, ensuring data retrieval.\r\nFigure 24. Packet decryption key and encrypted content\r\n6. Final encoding: The data packet, which includes the encoded hash and encrypted data, is then converted into Base64\r\nformat using a custom alphabet:\r\n“zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=”\r\nAn example of DarkGate version 6 C\u0026C server initial network traffic is shown in Figure 25.\r\nFigure 25. DarkGate version 6 C\u0026C initial traffic\r\nThe decrypted content is as follows:\r\n\"10004100750074006F006900740033002E0065007800650[...REDACTED...]|0|317394|No|6.1.7|||\"\r\nIf the C\u0026C server does not return the expected command, DarkGate will enter an infinite loop and continue sending traffic\r\nuntil it receives an expected command. 
Figure 26 is an example of a command request from an infected system and the\r\nresponse from the C\u0026C server.\r\nFigure 26. DarkGate version 6 command request\r\nThe decrypted request content is as follows:\r\n\"1000|87|283|Yes|6.1.7|||\"\r\nConclusion\r\nIn this research, a follow-up to our Water Hydra APT Zero Day campaign analysis, we explored how the\r\nDarkGate operators were able to exploit CVE-2024-21412 as a zero-day attack to deploy the complex and evolving\r\nDarkGate malware. We also explored how security bypass vulnerabilities can be used in conjunction with open redirects in\r\ntechnologies such as the Google Ads ecosystem to proliferate malware and abuse the inherent trust that organizations have\r\nin basic web technologies.\r\nTo make software more secure and protect customers from zero-day attacks, the Trend Zero Day Initiative\r\nworks with security researchers and vendors to patch and responsibly disclose software vulnerabilities before APT groups\r\ncan deploy them in attacks. The ZDI Threat Hunting team also proactively hunts for zero-day attacks in the wild to\r\nsafeguard the industry.\r\nOrganizations can protect themselves from these kinds of attacks with Trend Vision One, which enables\r\nsecurity teams to continuously identify attack surfaces, including known, unknown, managed, and unmanaged cyber assets.\r\nVision One helps organizations prioritize and address potential risks, including vulnerabilities. It considers critical factors\r\nsuch as the likelihood and impact of potential attacks and offers a range of prevention, detection, and response capabilities.\r\nThis is all backed by advanced threat research, intelligence, and AI, which helps reduce the time taken to detect, respond,\r\nand remediate issues. 
Ultimately, Trend Vision One can help improve the overall security posture and effectiveness of an\r\norganization, including against zero-day attacks.\r\nWhen faced with uncertain intrusions, behaviors, and routines, organizations should assume that their system is already\r\ncompromised or breached and work to immediately isolate affected data or toolchains. With a broader perspective and rapid\r\nresponse, organizations can address breaches and protect their remaining systems, especially with technologies such as\r\nTrend Micro™ Endpoint Securityopen on a new tab™ and Trend Micro Network Security, as well as comprehensive\r\nsecurity solutions such as Trend Micro™ Security Operationsopen on a new tab, which can detect, scan, and block malicious\r\ncontent across the modern threat landscape.\r\nTrend Protections\r\nThe following protections exist to detect and protect Trend customers against the zero-day CVE-2024-21412open on a new\r\ntab (ZDI-CAN-23100).\r\nTrend Vision One Model\r\nPotential Exploitation of Microsoft SmartScreen Detected (ZDI-CAN-23100)\r\nExploitation of Microsoft SmartScreen Detected (CVE-2024-21412)\r\nSuspicious Activities Over WebDav\r\nTrend Micro Cloud One - Network Security \u0026 TippingPoint Filters\r\n43700 - HTTP: Microsoft Windows Internet Shortcut SmartScreen Bypass Vulnerability\r\n43701 - ZDI-CAN-23100: Zero Day Initiative Vulnerability (Microsoft Windows SmartScreen)\r\nTrend Vision One Network Sensor and Trend Micro Deep Discovery Inspector (DDI) Rule\r\n4983 - CVE-2024-21412: Microsoft Windows SmartScreen Exploit - HTTP(Response)\r\nTrend Vision One Endpoint Security, Trend Cloud One - Workload and Endpoint Security, Deep Security and\r\nVulnerability Protection IPS Rules\r\n1011949 - Microsoft Windows Internet Shortcut SmartScreen Bypass Vulnerability (CVE-2024-21412)\r\n1011950 - Microsoft Windows Internet Shortcut SmartScreen Bypass Vulnerability Over SMB (CVE-2024-21412)\r\n1011119 - Disallow Download Of Restricted File 
Formats (ATT\u0026CK T1105)\r\n1004294 - Identified Microsoft Windows Shortcut File Over WebDav\r\n1005269 - Identified Download Of DLL File Over WebDav (ATT\u0026CK T1574.002)\r\n1006014 - Identified Microsoft BAT And CMD Files Over WebDav\r\nIndicators of Compromise (IOCs)\r\nDownload the IOC list hereopen on a new tab.\r\nSource: https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html\r\nhttps://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html\r\nPage 19 of 19",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html"
	],
	"report_names": [
		"cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-12T02:00:04.694169Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a5bd315b-6220-441f-8ed1-39e194dcd0e3",
			"created_at": "2023-12-01T02:02:33.667762Z",
			"updated_at": "2026-04-12T02:00:04.54266Z",
			"deleted_at": null,
			"main_name": "DarkCasino",
			"aliases": [
				"Water Hydra"
			],
			"source_name": "ETDA:DarkCasino",
			"tools": [
				"CloudEyE",
				"DarkMe",
				"GuLoader",
				"PikoloRAT",
				"vbdropper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434249,
	"ts_updated_at": 1775960503,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/404905f1576c85583c4594c5834b45de5210172a.pdf",
		"text": "https://archive.orkl.eu/404905f1576c85583c4594c5834b45de5210172a.txt",
		"img": "https://archive.orkl.eu/404905f1576c85583c4594c5834b45de5210172a.jpg"
	}
}