Microsoft recently patched a vulnerability in Windows SmartScreen, but not before hackers abused it as a zero-day to drop the DarkGate malware.
A report from cybersecurity researchers Trend Micro detailed a new campaign that included phishing emails with malicious PDF files, open redirects via Google DoubleClick Digital Marketing (DDM), and Microsoft installers (.MSI) impersonating legitimate software.
As explained by the researchers, the attack is part of a wider campaign from a threat actor known as Water Hydra. In the campaign, the attackers would send out convincing phishing emails to their targets, carrying a seemingly innocuous .PDF file.
Downloading compromised programs
This file contains a link, which deploys an open redirect from Google’s doubleclick[.]net domain, and leads to a compromised web server. An open redirect is a type of vulnerability in which the destination of the redirect is provided by the client, while the legitimate website, through which the redirect is made, does not properly filter or validate the request.
This server the victims are redirected to hosts a malicious .URL shortcut file that exploits a vulnerability tracked as CVE-2024-21412.
This is a flaw in Microsoft Windows SmartScreen – a cloud-based anti-phishing and anti-malware component included in several Microsoft products. By exploiting the flaw, the attackers are able to get the victims to run a malicious .MSI file – a program installer.
Victims are led to believe that they’re installing legitimate software, such as Apple iTunes, Notion, NVIDIA, and more. However, this software comes with side-loaded DLL files that infect the users with DarkGate version 6.1.7. As described by Malpedia, DarkGate is a commodity loader capable of downloading and executing stage-two malware, a Hidden Virtual Network Computing (HVNC) module, keylogging, stealing data from the infected devices, and even escalate privileges.
The malware was first spotted in 2018, and some researchers believe it originated in Russia.