DarkGate malware operators have been exploiting a now-patched Windows SmartScreen bypass flaw through a phishing campaign that distributes fake Microsoft software installers to deliver the malicious code. Earlier this year, researchers discovered what was then a zero-day Internet Shortcut Files security feature bypass vulnerability, tracked as CVE-2024-21412. Microsoft patched it in its February 2024 Patch Tuesday updates, but not before attackers such as Water Hydra had exploited it for nefarious purposes.
See: https://redskyalliance.org/xindustry/decoy-microsoft-word-documents
Recently, DarkGate actors have exploited the flaw in a mid-January 2024 campaign that lured users with PDFs containing Google DoubleClick Digital Marketing (DDM) open redirects, according to a Trend Micro Zero Day Initiative (ZDI) blog post published this week. These redirects led victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412, which in turn led to malicious Microsoft (.MSI) installers.[1]
"In this attack chain, the DarkGate operators have abused the trust given to Google-related domains by abusing Google open redirects, paired with CVE-2024-21412, to bypass Microsoft Defender SmartScreen protections, which green-flags victims into malware infection," Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun explained in the post. "Using fake software installers and open redirects is a potent combination and can lead to many infections."
DarkGate is a remote-access Trojan (RAT) written in Borland Delphi that, according to Trend Micro, has been advertised as a malware-as-a-service (MaaS) on a Russian-language cybercrime forum since at least 2018. The researchers describe DarkGate as "one of the most prolific, sophisticated, and active strains of malware in the cybercrime world."
The malware has various features, including process injection, file download and execution, information stealing, shell command execution, and keylogging. It also employs multiple evasion techniques. DarkGate has been used widely not only by its operators but also by various financially motivated threat actors to target organizations in North America, Europe, Asia, and Africa. The flaw being exploited in the campaign is a bypass of a previously patched SmartScreen vulnerability, CVE-2023-36025, and affects all supported Windows versions.
The DarkGate campaign relies on a tactic commonly abused by threat actors: using open redirects in Google DoubleClick Digital Marketing (DDM) technologies, which can lead to code execution when paired with security bypasses. "Google uses URL redirects as part of its ad platform and a suite of other online ad-serving services," the researchers explained. DDM tracks the queries a user submits and shows relevant ads based on them. It is designed to help advertisers, publishers, and ad agencies manage and optimize online advertising campaigns.
The researchers observed that it also has a ‘dark side’ in that threat actors can abuse it to increase the reach of malware through specific ad campaigns and by targeting specific audiences. In fact, this activity is on the rise and has also been used to spread other malware, including popular MaaS stealers such as Rhadamanthys and macOS stealers like Atomic Stealer (AMOS).
Regarding the DarkGate phishing campaign, if a user clicks on the PDF lure in the malicious email, it triggers an open redirect from the doubleclick[.]net domain, diverting the user to a compromised Web server that exploits CVE-2024-21412 by redirecting to another shortcut file. This eventually leads to a multistage execution of the DarkGate malware, which in this case is version 6.1.7 and includes some enhancements over previous versions seen in the wild, the researchers said. "The main changes … include XOR encryption for configuration, the addition of new config values, a rearrangement of config orders to overcome the version 5 automation config extractor, and updates to command-and-control (C&C) command values," they wrote in the post.
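The chain above hinges on one Internet Shortcut handing off to another shortcut file on a remote host. The following triage script is an added example, not code from the article or from Trend Micro; it assumes only the standard INI-style [InternetShortcut] section with a URL= key, and the sample files it checks are constructed, not real lures.

```python
"""Flag .url (Internet Shortcut) files whose target is another shortcut on a remote host."""
import configparser
from typing import Dict, Optional
from urllib.parse import urlparse

# Constructed samples for the demo; none of these are real campaign artifacts.
SAMPLES: Dict[str, str] = {
    "benign.url": "[InternetShortcut]\nURL=https://www.example.com/docs\n",
    "nested_unc.url": "[InternetShortcut]\nURL=file://203.0.113.5/share/update.url\n",
    "nested_http.url": "[InternetShortcut]\nURL=http://cdn.example.net/setup.url\n",
    "no_target.url": "[InternetShortcut]\nIconIndex=1\n",
}

SHORTCUT_EXTS = (".url", ".lnk")


def parse_url_file(text: str) -> Optional[str]:
    """Return the URL= target of an Internet Shortcut, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None)  # keys are case-insensitive
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def classify(text: str) -> str:
    """Verdicts: 'nested-remote' (target is another shortcut on a remote host),
    'remote-file-uri' (any file:// or UNC target on a remote host), 'ok', 'no-url'."""
    target = parse_url_file(text)
    if target is None:
        return "no-url"
    t = target.strip()
    if t.startswith("\\\\"):  # raw UNC path, e.g. \\host\share\x.url
        return "nested-remote" if t.lower().endswith(SHORTCUT_EXTS) else "remote-file-uri"
    u = urlparse(t)
    path = u.path.lower()
    if u.scheme == "file" and u.netloc:  # file://host/... (SMB or WebDAV style)
        return "nested-remote" if path.endswith(SHORTCUT_EXTS) else "remote-file-uri"
    if u.scheme in ("http", "https") and path.endswith(SHORTCUT_EXTS):
        return "nested-remote"
    return "ok"


def triage(samples: Dict[str, str]) -> Dict[str, str]:
    """Classify every sample and return name -> verdict."""
    return {name: classify(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Anything reported as nested-remote or remote-file-uri is worth quarantining and correlating with proxy logs for a preceding doubleclick[.]net redirect.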
Administrators of Windows systems can avoid compromise by the DarkGate CVE-2024-21412 exploitation campaign by patching their systems with the fix Microsoft has provided. Aside from this, organizations can take other steps to defend their technology environments. One is employee training and instruction, especially when it comes to installing unknown software on their machines, the researchers noted. "It is essential to remain vigilant and to instruct users not to trust any software installer that they receive outside of official channels," they wrote.
Broader cybersecurity defense includes continuously monitoring and identifying an environment's broader attack surface, including known, unknown, managed, and unmanaged cyber assets. The researchers said this is key to prioritizing and addressing potential risks, including vulnerabilities, as well as the likelihood and impact of potential attacks.
It is essential to remain vigilant and instruct users not to trust any software installer they receive outside official channels. Businesses and individuals alike must take proactive steps to protect their systems from such threats.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
[1] https://www.darkreading.com/endpoint-security/windows-smartscreen-bypass-flaw-exploited-to-drop-darkgate-rat