Saturday, September 28, 2024

Windows SmartScreen Bypass Flaw Exploited to Drop DarkGate RAT

DarkGate malware operators have been exploiting a now-patched Windows SmartScreen bypass flaw through a phishing campaign that distributes fake Microsoft software installers to propagate the malicious code.

Trend Micro researchers, among others, discovered a then zero-day Internet Shortcut Files security feature bypass vulnerability tracked as CVE-2024-21412 earlier this year. Microsoft patched it as part of its February Patch Tuesday updates, but not before attackers such as Water Hydra had exploited it for nefarious purposes.

Now Trend Micro researchers have found that DarkGate actors also pounced on the flaw in a mid-January campaign that lured users with PDFs containing Google DoubleClick Digital Marketing (DDM) open redirects, according to a Trend Micro Zero Day Initiative (ZDI) blog post published this week. These redirects led victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412, which in turn led to malicious Microsoft (.MSI) installers.
</gre_replace>
<gr_replace lines="11" cat="clarify" orig="“On this assault chain">
“In this attack chain, the DarkGate operators have abused the trust given to Google-related domains by abusing Google open redirects, paired with CVE-2024-21412, to bypass Microsoft Defender SmartScreen protections, which green-flags victims into malware infection,” Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun explained in the post. “Using fake software installers, along with open redirects, is a potent combination and can lead to many infections.”

“On this assault chain, the DarkGate operators have abused the belief given to Google-related domains by abusing Google open redirects, paired with CVE-2024-21412, to bypass Microsoft Defender SmartScreen protections, which green-flags victims into malware an infection,” Pattern Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun defined within the put up. “Utilizing faux software program installers, together with open redirects, is a potent mixture and might result in many infections.”

DarkGate is a remote-access Trojan (RAT) written in Borland Delphi that has been advertised as malware-as-a-service (MaaS) on a Russian-language cybercrime forum since at least 2018, according to Trend Micro. The researchers describe DarkGate as “one of the most prolific, sophisticated, and active strains of malware in the cybercrime world.”

The malware has numerous features, including process injection, file download and execution, information stealing, shell command execution, and keylogging, among others. It also employs several evasion techniques.

DarkGate has been used extensively not only by its operators but also by various financially motivated threat actors to target organizations in North America, Europe, Asia, and Africa.

Abuse of Google Open Redirects

The flaw exploited in the campaign, CVE-2024-21412, is a bypass of the fix for a previously patched SmartScreen vulnerability, CVE-2023-36025, and affects all supported Windows versions.

The DarkGate campaign observed by Trend Micro uses a tactic commonly abused by threat actors: open redirects in Google DoubleClick Digital Marketing (DDM) technologies, which can lead to code execution when paired with security bypasses.

“Google uses URL redirects as part of its ad platform and suite of other online ad-serving services,” the researchers explained. DDM tracks the queries a user submits and shows relevant ads based on them, and it is designed to help advertisers, publishers, and ad agencies manage and optimize online advertising campaigns.

It also has a dark side in that threat actors can abuse it to increase the reach of malware through specific ad campaigns and by targeting specific audiences, the researchers noted. In fact, this activity is on the rise and has also been used to spread other malware, including popular MaaS stealers such as Rhadamanthys and macOS stealers like Atomic Stealer (AMOS), they said.

In the DarkGate phishing campaign, if a user clicks on the PDF lure in the malicious email, it triggers an open redirect from the doubleclick[.]net domain, diverting the user to a compromised Web server. That server hosts an Internet shortcut (.url) file that exploits CVE-2024-21412 by redirecting to a second Internet shortcut file. This eventually leads to a multistage execution of the DarkGate malware, which in this case is version 6.1.7 and includes some improvements over earlier versions seen in the wild, the researchers said.

“The main changes … include XOR encryption for configuration, the addition of new config values, a rearrangement of config orders to defeat the version 5 automation config extractor, and updates to command-and-control (C&C) command values,” they wrote in the post.
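The lure chain described above (PDF link to a doubleclick[.]net open redirect, then a compromised server serving an Internet shortcut that points at a second Internet shortcut) can be triaged from two artifacts: the link itself and the .url file. The following Python is an added example, not code from the Trend Micro report or from the DarkGate operators. It recovers the real destination of a DDM-style redirect link and parses a .url file to flag the shortcut-to-shortcut pattern. The `adurl` parameter name, the hostnames and the share path in the samples are constructed assumptions, and the remote-share check is an added heuristic, not an indicator taken from the article.

```python
"""Triage helpers for the DarkGate lure chain described above (added example).

Stage 1: detect a Google ad-platform (doubleclick.net) redirect link and
recover where the victim actually lands.
Stage 2: parse a Windows Internet Shortcut (.url) file and flag a shortcut
whose target is itself a .url file, the pattern the article associates with
CVE-2024-21412. Sample inputs are constructed; 'adurl', the hosts and the
share path are assumptions, not indicators from the report.
"""
import configparser
import re
from urllib.parse import unquote, urlsplit

# Redirector domain named in the article; extend for other ad redirectors.
REDIRECTOR_DOMAINS = ("doubleclick.net",)


def _under(host, domains):
    """True if `host` equals or is a subdomain of any domain in `domains`."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def open_redirect_destination(url, redirectors=REDIRECTOR_DOMAINS):
    """Return the third-party URL a redirector link sends the victim to,
    or None if `url` is not a redirector link or stays on Google property.

    DDM click URLs separate parameters with ';' as well as '&' and may carry
    them in the path, so both separators and both locations are scanned; any
    value that decodes to an absolute http(s) URL counts as the destination.
    """
    parts = urlsplit(url)
    if not _under(parts.hostname or "", redirectors):
        return None
    params = re.split(r"[;&]", parts.query) + parts.path.split(";")[1:]
    for param in params:
        _, _, value = param.partition("=")
        value = unquote(value)
        if re.match(r"^https?://", value, re.I):
            dest_host = urlsplit(value).hostname or ""
            if not _under(dest_host, redirectors):
                return value
    return None


def analyze_internet_shortcut(text):
    """Parse .url contents (INI with an [InternetShortcut] section).

    Returns None if not an Internet Shortcut, else a dict with the raw
    target, `chained_shortcut` (target is another .url file) and
    `remote_share` (assumed heuristic: file:// or UNC target on another host).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if "InternetShortcut" not in cp:
        return None
    target = cp["InternetShortcut"].get("URL", "").strip()
    t = target.replace("\\", "/")  # normalise UNC backslashes
    path_only = re.split(r"[?#]", t, maxsplit=1)[0]
    m = re.match(r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*):)?/{2,}(?P<host>[^/?#]+)", t, re.I)
    scheme = (m.group("scheme") or "").lower() if m else ""
    host = m.group("host").lower() if m else ""
    if re.fullmatch(r"[a-z]:", host):  # file:///C:/... is a drive, not a host
        host = ""
    return {
        "target": target,
        "chained_shortcut": path_only.lower().endswith(".url"),
        "remote_share": bool(host) and scheme in ("", "file"),
    }


# --- constructed samples (hosts, share and parameter name are assumptions) --
SAMPLE_LURE_LINK = (
    "https://ad.doubleclick.net/ddm/clk/123456789;987654321"
    "?adurl=https%3A%2F%2Fcompromised.example%2Fdownload%2Fupdate.url"
)
SAMPLE_CHAINED_SHORTCUT = r"""[InternetShortcut]
URL=file://\\203.0.113.5\share\update.url
IconFile=C:\Windows\System32\shell32.dll
"""
SAMPLE_BENIGN_SHORTCUT = """[InternetShortcut]
URL=https://www.example.com/
"""


def triage(link, shortcut_text):
    """Run both stages and return human-readable findings."""
    findings = []
    dest = open_redirect_destination(link)
    if dest:
        findings.append(f"open redirect via {urlsplit(link).hostname} -> {dest}")
    info = analyze_internet_shortcut(shortcut_text)
    if info and info["chained_shortcut"]:
        where = "remote share" if info["remote_share"] else "local path"
        findings.append(f"shortcut chains to another .url on a {where}: {info['target']}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LURE_LINK, SAMPLE_CHAINED_SHORTCUT):
        print(line)
```

The redirect check deliberately reports any off-Google destination rather than matching a blocklist: the point of the abuse is that the visible link is a Google domain, so the destination host is what an analyst (or a mail gateway rewrite rule) needs to surface. A shortcut whose target is another shortcut has no legitimate user workflow, which is why that condition alone is treated as a finding; the remote-share flag only adds context.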

Patch and Defend

Administrators of Windows systems can avoid compromise by the DarkGate CVE-2024-21412 exploitation campaign by applying the fix Microsoft has provided. Beyond that, there are other steps organizations can take to defend their technology environments.

One is employee training and instruction, particularly regarding installing unknown software on their machines, the researchers noted. “It is essential to remain vigilant and to instruct users not to trust any software installer that they receive outside of official channels,” they wrote.

Broader cybersecurity defense includes continuous monitoring and identification of an environment's attack surface, including known, unknown, managed, and unmanaged cyber assets. This is key to prioritizing and addressing potential risks, including vulnerabilities, as well as the likelihood and impact of potential attacks, the researchers said.

Businesses and individuals alike must take proactive steps to protect their systems from such threats.
