Microsoft recently patched a vulnerability in Windows SmartScreen, but not before hackers abused it as a zero-day to deliver DarkGate malware.
A report from cybersecurity researchers at Trend Micro detailed a new campaign that included phishing emails with malicious PDF files, redirects opened through Google DoubleClick Digital Marketing (DDM), and Microsoft installers (.MSI) posing as legitimate software.
As the researchers explained, the attack is part of a broader campaign by a threat actor known as Water Hydra. In the campaign, attackers sent convincing phishing emails to their targets, carrying a seemingly harmless .PDF file.
Downloading compromised programs
This file contains a link that abuses an open redirect on Google's doubleclick[.]net and leads to a compromised web server. An open redirect is a type of vulnerability in which the destination of the redirect is supplied by the client, while the legitimate website through which the redirect passes does not properly filter or validate that destination.
The server to which victims are redirected hosts a malicious .URL shortcut file that exploits a vulnerability tracked as CVE-2024-21412.
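To make the open-redirect weakness concrete from the defender's side, here is an added example (not code from the article or from Trend Micro) showing the vulnerable pattern next to a hardened redirect handler. The allow-listed hosts and the sample `next=` values are constructed for illustration; they are not domains from the campaign.

```python
from urllib.parse import urlsplit

# Constructed for this example: the only external hosts this site should
# ever redirect a user to. In a real deployment this is configuration.
ALLOWED_REDIRECT_HOSTS = {"www.example.com", "accounts.example.com"}


def vulnerable_redirect_target(next_param: str) -> str:
    """The weak pattern: the client-supplied ?next= value is used verbatim
    as the Location header, so any destination can be reached through a
    trusted-looking link on this site."""
    return next_param


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Hardened version: honour only same-site relative paths or absolute
    http(s) URLs whose host is on the allow list; otherwise fall back."""
    if not next_param:
        return default
    # Scheme-relative ("//evil") and backslash forms ("/\\evil", "\\evil")
    # are parsed as paths by some libraries but as hosts by browsers.
    if next_param.startswith(("//", "/\\", "\\")):
        return default
    parts = urlsplit(next_param)
    if parts.scheme == "" and parts.netloc == "":
        # A bare path such as "/dashboard" stays on this origin.
        return next_param if next_param.startswith("/") else default
    if parts.scheme not in ("http", "https"):
        # Rejects javascript:, data:, file: and similar.
        return default
    host = (parts.hostname or "").lower()  # hostname strips userinfo/port
    if host in ALLOWED_REDIRECT_HOSTS:
        return next_param
    return default


def compare(next_values):
    """Return (input, vulnerable_result, safe_result) for each sample so the
    two handlers can be contrasted side by side."""
    return [(v, vulnerable_redirect_target(v), safe_redirect_target(v))
            for v in next_values]


if __name__ == "__main__":
    # Constructed sample values a redirect endpoint might receive.
    samples = [
        "/dashboard",
        "https://www.example.com/landing",
        "https://attacker.example.net/lure.pdf",
        "//attacker.example.net/lure.pdf",
        "https://www.example.com@attacker.example.net/",
        "javascript:alert(1)",
    ]
    for value, weak, safe in compare(samples):
        print(f"{value!r:50} vulnerable -> {weak!r:45} safe -> {safe!r}")
```

The key design choice is to validate the parsed host against an allow list rather than trying to deny-list bad destinations, and to reject scheme-relative and userinfo (`trusted@attacker`) forms explicitly, since those are the usual ways a naive "does it start with our domain" check is bypassed.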
This is a flaw in Microsoft Windows SmartScreen, a cloud-based anti-phishing and anti-malware component included in several Microsoft products. By exploiting the flaw, attackers can get victims to execute a malicious .MSI file – a program installer.
Victims are led to believe that they are installing legitimate software, such as Apple iTunes, Notion, NVIDIA, and more. However, these installers come with side-loaded DLL files that infect users with DarkGate version 6.1.7. As Malpedia describes it, DarkGate is a commodity loader capable of downloading and executing second-stage malware, providing a Hidden Virtual Network Computing (HVNC) module, keylogging, stealing data from infected devices, and even escalating privileges.
The malware was first detected in 2018 and some researchers believe it originated in Russia.