
DarkGate Malware Campaign Exploits Windows Security Flaws | Trend Micro Analysis

In mid-January 2024, security researchers observed a malicious campaign delivering the DarkGate malware. The campaign exploited a recently patched Windows security flaw, which had been abused as a zero-day before the fix, and used fake software installers to lure unsuspecting victims.

According to Trend Micro, the campaign began with the distribution of PDFs containing Google DoubleClick Digital Marketing (DDM) open redirects. These redirects led victims to compromised websites hosting an exploit for CVE-2024-21412, which allowed attackers to bypass Windows SmartScreen protection.

With a CVSS score of 8.1, this vulnerability allowed attackers to trick victims into clicking on a specially crafted file, ultimately leading to the installation of the DarkMe malware. This malware, also known as DarkGate version 6.1.7, was used by a threat actor tracked as Water Hydra (also known as DarkCasino) to target financial institutions.

The campaign also utilized another now-fixed SmartScreen bypass flaw, CVE-2023-36025, which has a CVSS score of 8.8. Threat actors have used this vulnerability to distribute malware such as Phemedrone Stealer and Mispadu.

In addition to these exploits, the DarkGate campaign also utilized Google Ads to increase the reach and scale of its attacks. By using fake software installers posing as applications such as Apple iTunes, Notion, and others, the attackers were able to infect a larger number of victims.

Using fake software installers and open redirects is a potent combination that can lead to widespread infections. Users should remain vigilant and only download software from official sources.

This discovery follows other recent campaigns, such as the distribution of information stealers like LummaC2 and the XRed backdoor through counterfeit installers for Adobe Reader, Notion, and Synaptics.

In conclusion, the DarkGate campaign is a prime example of how threat actors constantly evolve and find new ways to exploit vulnerabilities and distribute malware. Users must stay informed and cautious when downloading software from unknown sources.


Deitasoft © 2024. All Rights Reserved.