A DarkGate malware campaign observed in mid-January 2024 has shown that a recently patched security flaw in Microsoft Windows was exploited as a zero-day, with counterfeit software installers used to deliver its payload.
Trend Micro reported that during this campaign, unsuspecting users were lured via PDFs containing Google DoubleClick Digital Marketing (DDM) open redirects. The redirects led them to compromised sites hosting an exploit for CVE-2024-21412, which in turn facilitated the delivery of malicious Microsoft Installer (.MSI) packages.
DarkGate Attacks Based on CVE-2024-21412
CVE-2024-21412, with a CVSS score of 8.1, enables an unauthenticated attacker to bypass SmartScreen protections by manipulating internet shortcut files, ultimately exposing victims to malware. Although Microsoft addressed this vulnerability in its February 2024 Patch Tuesday updates, threat actors like Water Hydra (also known as DarkCasino) weaponized it to distribute the DarkMe malware, particularly targeting financial institutions.
The latest findings from Trend Micro reveal the broader exploitation of this vulnerability in the DarkGate campaign, combining it with open redirects from Google Ads to enhance malware proliferation.
This sophisticated attack chain begins with victims clicking on links embedded within PDF attachments received via phishing emails. These links trigger open redirects from Google's doubleclick.net domain to compromised servers hosting malicious .URL internet shortcut files that exploit CVE-2024-21412. Fake Microsoft software installers masquerading as legitimate applications such as Apple iTunes, Notion, and NVIDIA are then delivered; each contains a side-loaded DLL file that decrypts and launches the DarkGate payload (version 6.1.7).
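As an added illustration from the defender's side (not code from the original report or from Trend Micro), the following Python snippet unwraps DoubleClick click-tracking redirects of the kind the PDFs carried and flags final destinations that serve internet shortcut (.URL) or .MSI files. The redirect hosts, the parameter names and the sample URLs are assumptions constructed for this example.

```python
"""Triage helper for links extracted from a suspicious PDF: unwrap DoubleClick
open redirects and flag destinations that hand out .URL or .MSI files.
Hosts, parameter names and sample URLs are assumptions for this example."""
from urllib.parse import urlparse, parse_qs

# Assumed click-tracking hosts and the query parameters that carry the
# redirect destination (parse_qs already percent-decodes the value).
REDIRECT_HOSTS = {"adclick.g.doubleclick.net", "ad.doubleclick.net"}
REDIRECT_PARAMS = ("adurl", "ds_dest_url")
SUSPICIOUS_EXTENSIONS = (".url", ".msi")


def unwrap_redirect(url: str, max_depth: int = 5) -> str:
    """Follow nested redirect parameters until a non-redirect URL is reached."""
    current = url
    for _ in range(max_depth):  # bounded so a self-referencing chain ends
        parsed = urlparse(current)
        if parsed.hostname not in REDIRECT_HOSTS:
            return current
        params = parse_qs(parsed.query)
        target = next((params[p][0] for p in REDIRECT_PARAMS if p in params), None)
        if not target:
            return current
        current = target
    return current


def classify(url: str) -> dict:
    """Report where the link really lands and whether that looks like a lure."""
    final = unwrap_redirect(url)
    path = urlparse(final).path.lower()
    return {
        "original": url,
        "final": final,
        "redirected": final != url,
        "suspicious": path.endswith(SUSPICIOUS_EXTENSIONS),
    }


def triage(urls):
    return [classify(u) for u in urls]


SAMPLE_URLS = [  # constructed examples, not real indicators
    "https://adclick.g.doubleclick.net/pcs/click?xai=TRACKING&adurl=https%3A%2F%2Fexample.invalid%2Fdl%2FiTunes_setup.url",
    "https://adclick.g.doubleclick.net/pcs/click?adurl=https%3A%2F%2Fexample.invalid%2Fnotion%2Finstaller.msi",
    "https://www.example.com/whitepaper.pdf",
]

if __name__ == "__main__":
    for result in triage(SAMPLE_URLS):
        print(result)
```

A real deployment would feed in links pulled from the PDF's annotation objects and cross-check the flagged hosts against web-proxy logs.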
In addition, another now-patched bypass flaw in Windows SmartScreen (CVE-2023-36025, CVSS score: 8.8) has been utilized by threat actors in recent months to deliver DarkGate, Phemedrone Stealer, and Mispadu.
Because advertising technology lets campaigns be targeted at specific audiences, the abuse of Google Ads in malvertising further amplifies the reach and impact of these attacks.
Security researchers emphasize the critical importance of remaining vigilant and caution against trusting any software installer received outside of official channels to mitigate the risk of infection.
In related incidents, fake installers for applications like Adobe Reader, Notion, and Synaptics are being distributed through dubious PDF files and legitimate-looking websites to deploy malware such as the LummaC2 information stealer and the XRed backdoor.