
DarkGate Malware Campaign Exploits Patched Microsoft Flaw

Wajahat Raja

March 27, 2024 - TuxCare expert team

The Zero Day Initiative (ZDI) by Trend Micro uncovered a phishing campaign that exploited a patched Microsoft flaw, CVE-2024-21412, to infect devices with DarkGate malware. The flaw was exploited using fake software installers: PDFs containing Google DoubleClick Digital Marketing (DDM) open redirects lured users into downloading malicious Microsoft “.MSI” installers.

Open redirect URLs from Google Ad technologies were used in this phishing campaign to distribute fake Microsoft “.MSI” installers. A DLL file inside these fake Microsoft Software Installers infected devices with the DarkGate malware. An Advanced Persistent Threat (APT) actor, Water Hydra, is believed to be behind the DarkGate malware campaign.

In this article, we will do a detailed DarkGate malware analysis and see what steps were taken to mitigate DarkGate infection. Let’s begin!


The DarkGate Malware Infection Chain

The DarkGate malware campaign is carried out by threat actors in multiple steps. Learning what happens in each of these steps is essential when it comes to safeguarding against such threats. Let’s take a detailed look at each one.


Open Redirect: Google DDM

Phishing attacks with DarkGate were initiated with a PDF file that used an open redirect on the doubleclick.net domain. The “adurl” parameter redirected unsuspecting victims to a compromised server. The exploitation of CVE-2024-21412 could not begin until the victim clicked the “Download” button inside the PDF.


CVE-2024-21412 Exploitation

After being redirected to a compromised web server, the victim is served the first .URL file. CVE-2024-21412 is exploited when this first .URL internet shortcut file redirects to another .URL file. The “URL=” parameter of the internet shortcut file directs the victim to the next stage of the DarkGate malware infection, which is now hosted on an attacker-controlled WebDAV server. The victim is then pointed to a “.MSI” file containing a zip archive.
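As an added detection example (not from the article or its sources), the following Python applies the two redirection characteristics described above, the doubleclick.net “adurl” open redirect and the .URL-to-.URL chain pointing at a WebDAV share, to constructed sample data; every hostname and file content below is made up for illustration.

```python
# Added example: defensive checks for the two redirection stages described in
# the article, run over constructed sample data (not real indicators).
import configparser
from urllib.parse import parse_qs, urlparse

SAMPLE_LINKS = [  # constructed URLs, not real campaign indicators
    "https://ad.doubleclick.net/ddm/trackclk/N1234.5678?adurl=https://redirect.example/first.URL",
    "https://ad.doubleclick.net/ddm/clk/1234;5678?adurl=https://www.google.com/",
    "https://www.example.org/page?adurl=https://other.example/",
]

# Constructed .URL (internet shortcut) body whose URL= points at a WebDAV
# share (Windows \\server@port\ UNC syntax) and at another .URL file.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=\\\\dav.example@80\\DavWWWRoot\\another.URL
"""


def doubleclick_open_redirect_target(url):
    """Return the host an 'adurl' open redirect on doubleclick.net sends the
    user to, or None if the URL is not a doubleclick.net adurl redirect."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host != "doubleclick.net" and not host.endswith(".doubleclick.net"):
        return None
    adurl = parse_qs(parsed.query).get("adurl")
    if not adurl:
        return None
    return urlparse(adurl[0]).hostname or None


def flag_open_redirects(urls):
    """Return (url, destination_host) pairs for every adurl redirect found."""
    flagged = []
    for url in urls:
        target = doubleclick_open_redirect_target(url)
        if target:
            flagged.append((url, target))
    return flagged


def suspicious_internet_shortcut(text):
    """Parse a .URL file and list reasons its URL= target matches the chained
    shortcut stage: a remote share/WebDAV path or a link to another .URL."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_option("InternetShortcut", "URL"):
        return []
    target = cp.get("InternetShortcut", "URL").strip().lower()
    reasons = []
    if target.startswith("\\\\") or target.startswith("file://"):
        reasons.append("remote share / WebDAV target")
    if target.rstrip("/").endswith(".url"):
        reasons.append("points to another .URL file")
    return reasons
```

A flagged redirect is only a lead: the destination host still has to be compared against the domains the mail or web gateway actually trusts.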


DarkGate Malware Installer

In this stage, a DLL file is sideloaded by the .MSI file. The DarkGate payload itself is decrypted and executed by an AutoIt script. The DarkGate malware is disguised as legitimate software such as Notion, Apple iTunes, NVIDIA, and others.

The victims think they are installing normal software on their device but are in fact falling prey to the DarkGate malware campaign. DarkGate uses a DLL sideloading technique through which a malicious DLL file is loaded.


Patch Fixing by Microsoft

Although Microsoft fixed this zero-day flaw in its February 2024 Patch Tuesday updates, the Windows SmartScreen vulnerability had already been exploited by the APT actors by then to attack financial institutions by delivering the DarkMe malware. Microsoft has asked users to apply the fix at the earliest to protect themselves from the phishing campaign by Water Hydra.


Conclusion

The DarkGate malware campaign that exploits a patched Microsoft flaw has rung alarm bells for cybersecurity experts. It highlights that threat actors can use the cybersecurity risks linked with Google Ads technologies to broaden the scale of their phishing campaigns. It also highlights the importance of applying patches for such flaws as soon as possible to ensure protection and recovery from cyber threats.

The sources for this piece include articles in The Hacker News and TechRadar Pro.
