A DarkGate malware campaign observed in mid-January 2024 leveraged a recently patched security flaw in Microsoft Windows as a zero-day, using bogus software installers.
“During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412 that led to malicious Microsoft (.MSI) installers,” Trend Micro said.
CVE-2024-21412 (CVSS score: 8.1) concerns an internet shortcut files security feature bypass vulnerability that allows an unauthenticated attacker to circumvent SmartScreen protections by tricking a victim into clicking on a specially crafted file.
It was fixed by Microsoft as part of its Patch Tuesday updates for February 2024, but not before it was weaponized by a threat actor called Water Hydra (aka DarkCasino) to deliver the DarkMe malware in attacks targeting financial institutions.
The latest findings from Trend Micro show that the vulnerability has come under broader exploitation than previously thought, with the DarkGate campaign leveraging it in conjunction with open redirects from Google Ads to proliferate the malware.
The sophisticated attack chain begins with victims clicking on a link embedded within a PDF attachment sent via a phishing email. The URL deploys an open redirect from Google’s doubleclick[.]net domain to a compromised web server hosting a malicious .URL internet shortcut file that exploits CVE-2024-21412.
Specifically, the open redirects are designed to distribute fake Microsoft software installers (.MSI) masquerading as legitimate software, such as Apple iTunes, Notion, and NVIDIA, which come equipped with a side-loaded DLL file that decrypted and infected users with DarkGate (version 6.1.7).
It is worth noting that another now-fixed bypass flaw in Windows SmartScreen (CVE-2023-36025, CVSS score: 8.8) has been employed by threat actors to deliver DarkGate, Phemedrone Stealer, and Mispadu over the past few months.
The abuse of Google Ads technologies allows threat actors to increase the reach and scale of their attacks through different ad campaigns that are tailored for specific audiences.
“Using fake software installers, along with open redirects, is a potent combination and can lead to many infections,” security researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun said. “It is essential to remain vigilant and to instruct users not to trust any software installer that they receive outside of official channels.”
The development comes as the AhnLab Security Intelligence Center (ASEC) and eSentire revealed that counterfeit installers for Adobe Reader, Notion and Synaptics are being distributed via bogus PDF files and seemingly legitimate websites to deploy information stealers like LummaC2 and the XRed backdoor.
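As an added defender-side illustration (not code from the original article, Trend Micro, or any vendor), the following Python scans constructed proxy-log lines for the redirect pattern described above: a request to a doubleclick[.]net open redirect whose destination parameter points at a .URL shortcut or .MSI installer, including redirect-to-redirect chains. The parameter names (ds_dest_url, adurl, url), the host list, and the log format are assumptions to adapt to your own environment.

```python
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

REDIRECT_HOSTS = ("doubleclick.net",)            # open-redirect source abused in the campaign
DEST_PARAMS = ("ds_dest_url", "adurl", "url")    # redirect-target parameters (assumed names)
RISKY_EXTENSIONS = (".url", ".msi")              # file types staged behind the redirect

# Constructed sample proxy log: "<timestamp> <client> <method> <url>".
SAMPLE_LOG = [
    "2024-01-15T10:02:11Z 10.0.0.5 GET https://ad.doubleclick.net/searchads/link/click"
    "?lid=1&ds_dest_url=https%3A%2F%2Fcompromised.example%2Fdownload%2Fsetup.url",
    "2024-01-15T10:02:13Z 10.0.0.5 GET https://www.example.com/",
    "2024-01-15T10:02:20Z 10.0.0.7 GET https://ad.doubleclick.net/searchads/link/click"
    "?ds_dest_url=https%3A%2F%2Fwww.example.com%2Flanding",
]

def redirect_destination(url: str) -> Optional[str]:
    """Return the redirect target if `url` is a request to a known open-redirect host."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not any(host == h or host.endswith("." + h) for h in REDIRECT_HOSTS):
        return None
    params = parse_qs(parsed.query, keep_blank_values=True)
    for name in DEST_PARAMS:
        if params.get(name) and params[name][0]:
            return unquote(params[name][0])  # second decode catches double-encoded targets
    return None

def resolve_chain(url: str, max_hops: int = 5) -> List[str]:
    """Follow nested redirect parameters (redirect-to-redirect) up to max_hops."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = redirect_destination(chain[-1])
        if nxt is None or nxt in chain:  # stop at a plain URL or a loop
            break
        chain.append(nxt)
    return chain

def risky_download(url: str) -> bool:
    """True if the URL path ends in a file type the campaign delivered."""
    return urlparse(url).path.lower().endswith(RISKY_EXTENSIONS)

def flag_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, final_url) for redirect chains landing on a risky download."""
    hits = []
    for number, line in enumerate(lines, 1):
        url = next((f for f in line.split() if f.startswith("http")), None)
        if url is not None:
            chain = resolve_chain(url)
            if len(chain) > 1 and risky_download(chain[-1]):
                hits.append((number, chain[-1]))
    return hits
```

Running `flag_log_lines(SAMPLE_LOG)` flags only the first line, reporting the resolved .url destination; a plain doubleclick click-through to an ordinary landing page is not reported.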
It also follows the discovery of new stealer malware families like Planet Stealer, Rage Stealer (aka xStealer), and Tweaks (aka Tweaker), adding to the plethora of cyber threats that are capable of harvesting sensitive information from compromised hosts.
“Attackers are exploiting popular platforms, like YouTube and Discord, to distribute Tweaks to Roblox users, capitalizing on the ability of legitimate platforms to evade detection by web filter block lists that typically block known malicious servers,” Zscaler ThreatLabz said.
“Attackers share malicious files disguised as Frames Per Second (FPS) optimization packages with users and, in turn, users infect their own systems with Tweaks malware.”
The PowerShell-based stealer is equipped to exfiltrate sensitive data, including user information, location, Wi-Fi profiles, passwords, Roblox IDs, and in-game currency details, to an attacker-controlled server via a Discord webhook.
Malvertising and social engineering campaigns have also been observed acting as an initial access vector to disseminate a wide range of stealer and remote access trojans like Agent Tesla, CyberGate RAT, Fenix botnet, Matanbuchus, NarniaRAT, Remcos RAT, Rhadamanthys, SapphireStealer, and zgRAT.
Some parts of this report are sourced from:
thehackernews.com