DarkGate Malware Campaign Exploits Recently Patched Microsoft Vulnerability in Zero-Day Attack

March 14, 2024

In mid-January 2024, a DarkGate malware campaign exploited a recently patched Microsoft Windows vulnerability using fraudulent software installers. Users were lured via PDFs containing Google DoubleClick Digital Marketing (DDM) open redirects that led them to compromised sites hosting files exploiting the Microsoft Windows SmartScreen bypass CVE-2024-21412, which in turn delivered malicious Microsoft installer (.MSI) packages. CVE-2024-21412 is a security feature bypass that allows an unauthenticated attacker to circumvent SmartScreen protections by tricking a victim into clicking on a specially crafted file. Microsoft patched the vulnerability in its February 2024 Patch Tuesday updates; before that patch it had already been exploited by a threat actor known as Water Hydra to deliver the DarkMe malware to financial institutions.

Trend Micro's latest findings indicate that exploitation of this vulnerability is more widespread than initially thought, with the DarkGate campaign using it in conjunction with Google Ads open redirects to spread the malware. The attack chain began with victims clicking on a link within a PDF attachment sent via a phishing email. This link used an open redirect from Google's doubleclick[.]net domain to a compromised web server hosting a malicious .URL internet shortcut file that exploited CVE-2024-21412. The open redirects were specifically designed to distribute counterfeit Microsoft software installers (.MSI) that appeared to be legitimate software, such as Apple iTunes, Notion, and NVIDIA. These installers bundled a side-loaded DLL file that decrypted and launched DarkGate (version 6.1.7) on the victim's system.
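The chain above (ad open redirect, then a .URL internet shortcut and an .MSI installer fetched from the redirect target) leaves a recognisable pattern in web proxy logs. The following Python script is an added example written for this article, not code from Trend Micro or from the original report: it correlates a DoubleClick redirect with a subsequent .url or .msi download from the same client within a short window. It assumes a simplified `timestamp client method url status` log layout, uses DoubleClick's `adurl` click-tracker parameter (a well-known parameter that the article itself does not name), and the log lines, hosts, and paths are constructed for the example.

```python
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed sample proxy log for this example (assumed layout:
# "timestamp client method url status"); all hosts and paths are made up.
PROXY_LOG = """\
2024-01-16T10:02:11Z 10.0.0.12 GET https://ad.doubleclick.net/ddm/trackclk/N1.example/B2.3;dc_trk_aid=1?adurl=https%3A%2F%2Fcompromised.example.org%2Fdownload%2F 302
2024-01-16T10:02:12Z 10.0.0.12 GET https://compromised.example.org/download/ 200
2024-01-16T10:02:13Z 10.0.0.12 GET https://compromised.example.org/download/iTunes-setup.url 200
2024-01-16T10:02:20Z 10.0.0.12 GET https://compromised.example.org/download/iTunes-setup.msi 200
2024-01-16T10:05:00Z 10.0.0.31 GET https://ad.doubleclick.net/ddm/clk/123;456?adurl=https%3A%2F%2Fwww.example.com%2Flanding 302
2024-01-16T10:05:01Z 10.0.0.31 GET https://www.example.com/landing 200
2024-01-16T11:30:00Z 10.0.0.12 GET https://compromised.example.org/other/update.msi 200
"""

# DoubleClick click-tracker parameter carrying the landing URL (assumption: the
# article does not name it). The two extensions are the stages named in the chain.
REDIRECT_PARAM = "adurl"
DOWNLOAD_EXTS = (".url", ".msi")


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, client, method, url, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
    }


def redirect_target(url):
    """Return the external host a DoubleClick click URL redirects to, or None.

    Only requests to doubleclick.net (or a subdomain) whose query carries the
    redirect parameter count; parse_qs percent-decodes the value for us.
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host != "doubleclick.net" and not host.endswith(".doubleclick.net"):
        return None
    targets = parse_qs(parsed.query).get(REDIRECT_PARAM)
    if not targets:
        return None
    return urlparse(targets[0]).hostname  # None for a malformed value


def find_redirect_download_chains(log_text, window=timedelta(minutes=10)):
    """Flag clients that fetch a .url or .msi from an ad-redirect target within `window`."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    pending = {}   # (client, redirect target host) -> time of the redirect
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        target = redirect_target(ev["url"])
        if target:
            pending[(ev["client"], target)] = ev["ts"]
            continue
        parsed = urlparse(ev["url"])
        key = (ev["client"], parsed.hostname)
        if (key in pending
                and ev["ts"] - pending[key] <= window
                and parsed.path.lower().endswith(DOWNLOAD_EXTS)):
            findings.append({
                "client": ev["client"],
                "redirect_host": key[1],
                "download": ev["url"],
                "ts": ev["ts"].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in find_redirect_download_chains(PROXY_LOG):
        print(f"{f['ts']} {f['client']} fetched {f['download']} "
              f"after ad redirect to {f['redirect_host']}")
```

Run against the constructed log, the script reports the two downloads by 10.0.0.12 that follow its redirect to the compromised host and ignores both the benign redirect for 10.0.0.31 and the later .msi fetch that falls outside the window. The time window is the main tuning knob: the .URL shortcut typically arrives within seconds of the redirect, so a tight window keeps the false-positive rate low on busy proxies.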

It's important to note that another now-fixed bypass flaw in Windows SmartScreen (CVE-2023-36025) has been used by threat actors to deliver DarkGate, Phemedrone Stealer, and Mispadu in recent months. The misuse of Google Ads technologies enables threat actors to amplify the reach and scale of their attacks through various ad campaigns, customised for specific audiences. Security researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun advise, "Using fake software installers, along with open redirects, is a potent combination and can lead to many infections. It is essential to remain vigilant and to instruct users not to trust any software installer that they receive outside of official channels."

The AhnLab Security Intelligence Center (ASEC) and eSentire have reported that fake installers for Adobe Reader, Notion, and Synaptics are being distributed through bogus PDF files and seemingly legitimate websites to deploy information stealers like LummaC2 and the XRed backdoor. This follows the discovery of new stealer malware families like Planet Stealer, Rage Stealer, and Tweaks, adding to the multitude of cyber threats capable of harvesting sensitive information from compromised systems. Attackers are exploiting popular platforms like YouTube and Discord to distribute Tweaks to Roblox users, evading detection by web filter block lists that typically block known malicious servers. Attackers distribute malicious files disguised as Frames Per Second (FPS) optimization packages, and the users who run them infect their own systems with Tweaks. This PowerShell-based stealer exfiltrates sensitive data, including user information, location, Wi-Fi profiles, passwords, Roblox IDs, and in-game currency details, to an attacker-controlled server via a Discord webhook. Malvertising and social engineering campaigns are also being used as initial access vectors to spread a variety of stealers and remote access trojans, including Agent Tesla, CyberGate RAT, Fenix botnet, Matanbuchus, NarniaRAT, Remcos RAT, Rhadamanthys, SapphireStealer, and zgRAT.
