A DarkGate malware campaign observed in mid-January 2024 exploited a recently patched security flaw in Microsoft Windows as a zero-day using bogus software installers.
“During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects leading unsuspecting victims to compromised sites hosting Microsoft Windows SmartScreen bypassing CVE-2024-21412 leading to Microsoft installers ( .MSI) malicious,” TrendMicro said.
CVE-2024-21412 (CVSS Score: 8.1) affects an Internet Link File Security feature bypass vulnerability that allows an unauthenticated attacker to bypass SmartScreen protections by tricking a victim into clicking a file specifically prepared.
The issue was fixed by Microsoft as part of the February 2024 Patch Tuesday updates, but not before it was weaponized by a threat actor called Water Hydra (aka DarkCasino) to spread the DarkMe malware in attacks against financial institutions.
Trend Micro’s latest findings show that the vulnerability has been exploited more widely than previously thought, with the DarkGate campaign exploiting it alongside open Google Ads redirects to proliferate malware.
The sophisticated attack chain begins with victims clicking on a link embedded in a PDF attachment sent via a phishing email. The link deploys a redirect opened by Google’s double click[.]net to a compromised web server hosting a malicious .URL internet link file that exploits CVE-2024-21412.
Specifically, open redirects are designed to distribute fake Microsoft software installers (.MSI) disguised as legitimate software, such as Apple iTunes, Notion, NVIDIA, which come with a side-loaded DLL file that decrypts and infects users with DarkGate (version 6.1.7).
It is worth noting that another now fixed bypass flaw in Windows SmartScreen (CVE-2023-36025, CVSS score: 8.8) has been used by threat actors to deliver DarkGate, Phemedrone Stealer, and Mispadu in recent months.
Abuse of Google Ads technologies allows threat actors to increase the scale and scope of their attacks through different advertising campaigns customized for specific audiences.
“The use of fake software installers, together with open redirects, is a powerful combination and can lead to many infections,” said security researchers Peter Girnus, Aliakbar Zahravi and Simon Zuckerbraun. “It is essential to remain vigilant and educate users not to trust any software installer they receive outside of official channels.”
The development comes as AhnLab Security Intelligence Center (ASEC) and eSentire revealed that counterfeit installers for Adobe Reader, Notion and Synaptics are being distributed via fake PDF files and seemingly legitimate websites to distribute information thieves such as LummaC2 and the XRed backdoor.
It also follows the discovery of new families of stealer malware such as Planet Stealer, Rage Stealer (aka xStealer) and Tweaks (also known as Tweaker), which add to the plethora of cyber threats capable of collecting sensitive information from compromised hosts.
“Attackers are leveraging popular platforms, such as YouTube and Discord, to distribute Tweaks to Roblox users, taking advantage of legitimate platforms’ ability to evade detection by web filter lists that typically block known malicious servers,” said Zscaler ThreatLabz .
“Attackers share malicious files disguised as frames-per-second (FPS) optimization packets with users, and in turn, users infect their systems with Tweaks malware.”
The PowerShell-based thief is equipped to exfiltrate sensitive data, including user information, location, Wi-Fi profiles, passwords, Roblox IDs, and in-game currency details, to a server controlled by the attacker via a Discord webhook.
Malvertising and social engineering campaigns have also been observed to act as an initial entry vector to spread a wide range of stealer and remote access Trojans such as Agent Tesla, CyberGate RAT, Fenix botnet, Matanbuchus, NarniaRAT, Remcos RAT, Rhadamanthys , SapphireStealer and zgRAT.