A recently observed campaign distributing the DarkGate malware has raised alarms in the cybersecurity community. It exploited a now-patched Microsoft Windows vulnerability, CVE-2024-21412, as a zero-day, delivering the payload through fraudulent software installers. The activity was first observed in mid-January 2024, when attackers deceived users into downloading the malicious installers.

According to Trend Micro's findings, the campaign began with enticing PDF files containing links that abused an open redirect in Google DoubleClick Digital Marketing (DDM). Those links led victims to compromised websites that exploited the Windows SmartScreen bypass vulnerability. The flaw let attackers circumvent SmartScreen's warning by convincing victims to open specially crafted files.

CVE-2024-21412, which carries a CVSS score of 8.1, allows an unauthenticated attacker to bypass SmartScreen protections simply by convincing a victim to open a crafted internet shortcut (.URL) file. Microsoft addressed the vulnerability in its February 2024 Patch Tuesday updates, but not before it had been weaponized, notably by the group known as Water Hydra (a.k.a. DarkCasino), to deploy the DarkMe malware against financial traders.

Trend Micro's research indicates that exploitation of this vulnerability is more widespread than initially believed. The DarkGate campaign abused Google Ads technologies to push its lures to targeted audiences. Attackers paired counterfeit Microsoft Software Installer (.MSI) packages, posing as legitimate software such as Apple iTunes and NVIDIA drivers, with a side-loaded dynamic link library (DLL): the installer drops a legitimate executable that loads an attacker-supplied DLL from the same directory, and that DLL ultimately delivers DarkGate (version 6.1.7) to the unsuspecting user.

The attack chain begins when a user clicks a link in a phishing email attachment. The link passes through an open redirect on Google's doubleclick[.]net to an attacker-controlled web server, which serves a malicious .URL internet shortcut that exploits CVE-2024-21412. The phishing link and the shortcut correspond to the initial-access tactic in the MITRE ATT&CK framework; the DarkGate payload that follows is what gives the attacker ongoing access to the compromised system.
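As an added example (not code from Trend Micro or from the original article), the following Python triage script parses .URL internet shortcut files and flags the shape of shortcut that Trend Micro's Zero Day Initiative described for CVE-2024-21412: a .URL whose URL= target lives on a remote SMB or WebDAV share and names something Windows would launch rather than open in a browser (in the campaign, a second .URL file). The IconFile check is a general hunting heuristic rather than something specific to this CVE, and the sample shortcut contents, hosts and share names below are constructed for illustration.

```python
"""Triage .URL internet shortcut files for remote, launchable targets.

Added example, not code from Trend Micro or the article. It assumes the
bypass shape described publicly for CVE-2024-21412: a .URL file whose
target is another .URL (or an installer/executable) on a remote share.
All sample shortcut contents, hosts and share names are constructed.
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Targets that Explorer would execute or re-dispatch rather than browse.
LAUNCHABLE_SUFFIXES = (".url", ".lnk", ".exe", ".msi", ".dll", ".cmd",
                       ".bat", ".vbs", ".js", ".hta", ".scr")


@dataclass
class Verdict:
    target: str
    remote: bool
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_internet_shortcut(text: str) -> dict[str, str]:
    """Return the [InternetShortcut] section as a dict with lower-case keys.

    .URL files are INI-formatted; configparser lower-cases option names, so
    'URL', 'IconFile', 'WorkingDirectory' come back as 'url', 'iconfile', ...
    A UTF-8 BOM and CRLF line endings (both common in real files) are tolerated.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff").replace("\r\n", "\n"))
    except configparser.Error:
        return {}  # not an INI-style shortcut at all
    if not parser.has_section("InternetShortcut"):
        return {}
    return dict(parser["InternetShortcut"])


def target_is_remote(target: str) -> tuple[bool, str]:
    """Decide whether a shortcut target points at a network share.

    Handles UNC paths (\\\\host\\share\\file, with either slash style) and
    file://host/share/file URLs; file:///C:/... stays local.
    """
    t = target.strip()
    if t.startswith(("\\\\", "//")):
        host = t.lstrip("\\/").split("\\")[0].split("/")[0]
        return True, host
    parsed = urlparse(t)
    if parsed.scheme.lower() == "file" and parsed.netloc:
        return True, parsed.netloc
    return False, ""


def assess(entries: dict[str, str]) -> Verdict:
    """Apply the remote-share / launchable-target heuristics to one shortcut."""
    target = entries.get("url", "").strip()
    remote, host = target_is_remote(target)
    verdict = Verdict(target=target, remote=remote)
    path = target.lower().split("?", 1)[0].split("#", 1)[0]
    if remote:
        verdict.reasons.append(f"target on remote share {host}")
        # host@SSL / host@port and DavWWWRoot are the WebDAV UNC spellings
        if "@" in host or "davwwwroot" in path:
            verdict.reasons.append("WebDAV-style UNC")
        if path.endswith(LAUNCHABLE_SUFFIXES):
            verdict.reasons.append("target would be launched, not browsed")
    # A remote IconFile makes Explorer reach out to the share on render;
    # generic hunting signal, not specific to CVE-2024-21412.
    icon = entries.get("iconfile", "").strip()
    if icon and target_is_remote(icon)[0]:
        verdict.reasons.append("IconFile on remote share")
    return verdict


def triage(files: dict[str, str]) -> dict[str, Verdict]:
    """Map file name -> Verdict for a batch of shortcut contents."""
    return {name: assess(parse_internet_shortcut(text))
            for name, text in files.items()}


# Constructed sample shortcuts (documentation-range IP, invented share names).
SAMPLES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://www.example.com/\r\n",
    "nested.url": ("[InternetShortcut]\r\n"
                   "URL=file://203.0.113.10/share/update.url\r\nIconIndex=0\r\n"),
    "webdav.url": ("[InternetShortcut]\r\n"
                   "URL=\\\\203.0.113.10@80\\DavWWWRoot\\setup.msi\r\n"),
    "icon.url": ("[InternetShortcut]\r\nURL=https://www.example.com/\r\n"
                 "IconFile=\\\\203.0.113.10\\share\\i.ico\r\n"),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{name:12} {flag:10} {verdict.target}  {'; '.join(verdict.reasons)}")
```

Run it over a directory of quarantined attachments or Downloads folders by reading each .URL file's text into the dict in place of `SAMPLES`; a hit on "target on remote share" plus "target would be launched" is the pair worth escalating, since a legitimate internet shortcut almost never points a user at an executable on someone else's SMB server.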

It is also worth noting that an earlier SmartScreen security feature bypass, CVE-2023-36025 (CVSS score: 8.8), patched in November 2023, had likewise been exploited by threat actors to distribute multiple malware families, DarkGate among them. This illustrates a threat landscape in which such flaws are exploited as zero-days and then kept in use against systems where the patch has not yet been applied, raising the risk for organizations that lag on updates.

Counterfeit software installers are being spread not only through fake PDFs but also through other seemingly legitimate online channels. Recent investigations have uncovered fake installers for applications such as Adobe Reader and Synaptics that deliver the LummaC2 information stealer and the XRed backdoor.

Furthermore, new stealer families such as Planet Stealer and Rage Stealer have emerged, capable of harvesting sensitive information. Attackers are using platforms like YouTube and Discord to propagate malicious content that evades conventional web filtering, which underscores the need for organizations to maintain heightened vigilance against these tactics.

Security experts emphasize that the combination of deceptive software installers and vulnerability exploitation poses a severe threat to individuals and organizations alike. Users should be taught to avoid downloading software from unverified channels, and that awareness, combined with sound security practices and continuous monitoring, can significantly reduce the risk from these ongoing threats.

The threat landscape remains dynamic, as attackers continuously refine their methods to exploit new vulnerabilities and run increasingly convincing social engineering campaigns. Organizations must be proactive in fortifying their defenses, recognizing that even trusted platforms can be leveraged for malicious ends. Continuous education and timely software updates remain essential to safeguarding organizational data in an increasingly complex environment.