Operators of the DarkGate malware exploited a now-patched Windows SmartScreen bypass flaw through a phishing campaign that distributes fake Microsoft software installers to propagate malicious code.
Trend Micro researchers discovered the then-zero-day Internet shortcut file security feature bypass vulnerability, tracked as CVE-2024-21412, earlier this year. Microsoft patched it as part of February’s Patch Tuesday release, but not before threat actors such as the Water Hydra group had exploited it for nefarious purposes.
Now Trend Micro researchers have found that DarkGate also pounced on the flaw in a mid-January campaign that lured users with PDFs containing Google DoubleClick Digital Marketing (DDM) open redirects, according to a Trend Micro Zero Day Initiative (ZDI) blog post published this week. The redirects led victims to compromised sites hosting files that exploit CVE-2024-21412 to bypass Microsoft Windows SmartScreen, which in turn delivered malicious Microsoft installers (.MSI).
“In this attack chain, DarkGate operators abused the trust placed in Google-related domains by abusing Google open redirects, paired with CVE-2024-21412, to bypass Microsoft Defender SmartScreen protections, which alert victims to the malware infection,” Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun explained in the post. “Using fake software installers, together with open redirects, is a powerful combination and can lead to many infections.”
DarkGate is a remote access Trojan (RAT) written in Borland Delphi that has been advertised as malware-as-a-service (MaaS) on a Russian-language cybercrime forum since at least 2018, according to Trend Micro. The researchers describe DarkGate as “one of the most prolific, sophisticated and active malware strains in the world of cybercrime.”
The malware’s capabilities include process injection, file download and execution, information theft, shell command execution and keylogging, among others. It also employs multiple evasion techniques.
DarkGate has been widely used not only by its operators but also by various financially motivated threat actors to target organizations in North America, Europe, Asia and Africa.
Abuse of Google open redirects
CVE-2024-21412 is itself a bypass of an earlier SmartScreen vulnerability, CVE-2023-36025, which Microsoft had patched previously; the flaw affects all supported Windows versions.
The DarkGate campaign observed by Trend Micro uses a tactic commonly abused by threat actors: open redirects in Google DoubleClick Digital Marketing (DDM) technologies, which can lead to code execution when combined with security bypasses.
“Google uses URL redirects as part of its advertising platform and suite of other online ad serving services,” the researchers explained. DDM tracks user-submitted queries and displays relevant ads based on the query and is designed to help advertisers, publishers and ad agencies manage and optimize online advertising campaigns.
It also has a dark side: threat actors can abuse it to increase a malware’s reach by running specific advertising campaigns and targeting specific audiences, the researchers noted. This activity is on the rise and has also been used to spread other malware, including popular MaaS stealers like Rhadamanthys and macOS stealers like Atomic Stealer (AMOS), they said.
In the DarkGate phishing campaign, if a user clicks the link in the PDF bait attached to the malicious email, it triggers a Google DoubleClick open redirect (via doubleclick[.]net) that sends the user to a compromised web server hosting an Internet shortcut file. That shortcut exploits CVE-2024-21412 by referencing a second Internet shortcut file, which ultimately leads to a multi-stage execution of the DarkGate malware, in this case version 6.1.7, which includes some improvements over previous versions seen in circulation, the researchers said.
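The two hand-offs in that chain leave artifacts a defender can check for: a DoubleClick click-tracking URL whose destination parameter points off Google, and an Internet shortcut (.url) whose target is another .url file on a remote server rather than a document. The helpers below are an added example written for this page, not Trend Micro’s detection logic or anything from the DarkGate samples. They assume the redirect destination rides in a query parameter such as `adurl` (the documented DoubleClick click-tracker parameter; `url` and `q` are added as assumptions), and the hostnames, IP addresses and shortcut contents are constructed sample data.

```python
"""Added example (not Trend Micro's or DarkGate's code): triage helpers for
the two stages of the delivery chain described above -- a DoubleClick open
redirect that bounces off Google to an attacker-controlled host, and an
Internet shortcut (.url) that points at a second shortcut on a remote server,
the nesting pattern the article attributes to CVE-2024-21412 exploitation.
Hostnames, IPs and file contents below are constructed sample data."""
import configparser
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Google ad-click endpoints that perform redirects (well-known hosts; it is an
# assumption that the campaign's lure links used one of these exact hostnames).
DOUBLECLICK_HOSTS = {"adclick.g.doubleclick.net", "ad.doubleclick.net"}
# Query parameters that may carry the redirect destination. "adurl" is the
# documented DoubleClick click-tracker parameter; the others are assumptions.
REDIRECT_PARAMS = ("adurl", "url", "q")
TRUSTED_SUFFIXES = ("google.com", "doubleclick.net")


def _is_trusted(host: str) -> bool:
    """True for Google-owned hosts, where a redirect is expected and benign."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_SUFFIXES)


def redirect_target(url: str) -> Optional[str]:
    """Return the external host a DoubleClick click URL redirects to, or None
    when the URL is not a DoubleClick click URL or only bounces within Google."""
    parsed = urlparse(url)
    if not parsed.hostname or parsed.hostname not in DOUBLECLICK_HOSTS:
        return None
    query = parse_qs(parsed.query)          # percent-decodes the values
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            dest = urlparse(unquote(value))  # tolerate double-encoded values
            if dest.scheme in ("http", "https") and dest.hostname \
                    and not _is_trusted(dest.hostname):
                return dest.hostname
    return None


def shortcut_target(text: str) -> Optional[str]:
    """Parse a Windows Internet shortcut (.url, INI syntax) and return URL=."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error:               # not INI / no section header
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)


def nested_remote_shortcut(text: str) -> bool:
    """True if the shortcut's target is itself a .url file on a remote location
    (UNC path, file://host/..., or http(s)://host/...), i.e. a shortcut that
    hands off to a second shortcut instead of to a document or web page."""
    target = shortcut_target(text)
    if not target:
        return False
    target = target.strip()
    if target.startswith("\\\\"):            # UNC form: \\host\share\file.url
        remote, path = True, target.replace("\\", "/")
    else:
        parsed = urlparse(target)
        remote = parsed.scheme in ("file", "http", "https") and bool(parsed.netloc)
        path = parsed.path
    return remote and path.lower().endswith(".url")


if __name__ == "__main__":
    # Constructed samples standing in for the PDF lure link and the first-stage shortcut.
    lure = ("https://adclick.g.doubleclick.net/pcs/click?xai=Ck0&adurl="
            "https%3A%2F%2Fcompromised.example%2Fdocs%2Finvoice.url")
    stage1 = "[InternetShortcut]\r\nURL=file://203.0.113.10/share/stage2.url\r\n"
    print("lure redirects off Google to:", redirect_target(lure))
    print("stage1 hands off to another remote shortcut:", nested_remote_shortcut(stage1))
```

Run the module on extracted PDF link targets and on any .url files pulled from mail or proxy logs; a hit on both checks in one session is a strong indicator of this chain. Note that `nested_remote_shortcut` flags the shortcut-to-shortcut structure only, not the SmartScreen bypass itself, so treat the patch as the actual fix and this as a triage aid.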
“Major changes…include XOR encryption for configuration, the addition of new configuration values, a reorganization of configuration orders to overcome the version 5 automation configuration extractor, and updates to command-and-control (C&C) command values,” they wrote in the post.
Patch and defend
Windows system administrators can protect against the DarkGate CVE-2024-21412 exploitation campaign by applying Microsoft’s patch to their systems. Beyond this, there are other steps organizations can take to defend their technology environments.
One is employee training and guidance, especially regarding the installation of unknown software on their machines, the researchers noted. “It is essential to remain vigilant and educate users not to trust any software installer they receive outside of official channels,” they wrote.
A broader cybersecurity defense includes continuously monitoring and identifying an environment’s full attack surface, including known, unknown, managed and unmanaged computing resources. This is key to prioritizing and addressing potential risks, including vulnerabilities, as well as the likelihood and impact of potential attacks, the researchers said.
Both businesses and individuals need to take proactive measures to protect their systems from such threats.