Microsoft recently patched a vulnerability in Windows SmartScreen, but not before hackers exploited it as a zero-day to drop the DarkGate malware.
A report from cybersecurity researchers Trend Micro describes a new campaign that includes phishing emails containing malicious PDF files, open redirects via Google DoubleClick Digital Marketing (DDM), and Microsoft installers (.MSI) that mimic legitimate software.
As the researchers explained, the attack is part of a broader campaign by a threat actor known as Water Hydra. During the campaign, the attackers sent convincing phishing emails to their targets, containing a seemingly harmless .PDF file.
Download compromised programs
This file contains a link that abuses an open redirect on Google’s doubleclick(.)net domain and ultimately leads to a compromised web server. An open redirect is a type of vulnerability in which the destination of the redirect is specified by the client, but the legitimate website performing the redirect does not properly filter or validate that destination, so a trusted domain ends up forwarding the victim to an attacker-controlled one.
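To make the open-redirect point concrete from the defender's side, here is an added example (not code from the report or from Google) showing the naive pattern beside a hardened check; the allowed host names are hypothetical, and the bypass shapes it rejects are the usual ones (scheme-relative, userinfo, backslash and non-HTTP targets).

```python
from urllib.parse import urlsplit

# Hosts this hypothetical site is willing to redirect to (constructed list).
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def is_safe_redirect(target: str, allowed_hosts: set[str] = ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on an allowed host.

    Rejects absolute URLs to foreign hosts, scheme-relative targets
    ("//evil.example"), userinfo tricks ("https://example.com@evil.example"),
    backslash variants browsers treat as slashes, header-injection
    characters, and non-http(s) schemes.
    """
    if not target or any(c in target for c in "\r\n"):
        return False
    # Browsers normalise backslash to slash; do the same so "\\" cannot hide "//".
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # urlsplit keeps "user@host:port" in netloc; hostname is the real host.
        host = (parts.hostname or "").lower()
        return "@" not in parts.netloc and host in allowed_hosts
    # Relative target: require a single leading "/" (a double slash is a host).
    return target.startswith("/") and not target.startswith("//")


def naive_redirect_target(next_param: str) -> str:
    """Vulnerable pattern: forward wherever the client-supplied value points."""
    return next_param


def hardened_redirect_target(next_param: str, fallback: str = "/") -> str:
    """Hardened pattern: follow the value only if it passes is_safe_redirect."""
    return next_param if is_safe_redirect(next_param) else fallback
```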
The server to which victims are redirected hosts a malicious .URL shortcut file that exploits a vulnerability tracked as CVE-2024-21412.
This is a flaw in Microsoft Windows SmartScreen – a cloud-based anti-phishing and anti-malware component included in several Microsoft products. By exploiting the flaw, attackers can trick victims into executing a malicious .MSI file: a program installer.
Victims are led to believe that they are installing legitimate software such as Apple iTunes, Notion, NVIDIA and more. However, these installers come with side-loaded DLL files that infect users with DarkGate version 6.1.7. As described by Malpedia, DarkGate is a commodity loader that can download and execute second-stage malware, provide a Hidden Virtual Network Computing (HVNC) module, log keystrokes, steal data from infected devices, and even escalate privileges.
The malware was first spotted in 2018 and some researchers believe it originated in Russia.