Zero-Day Attack: DarkGate Targets Windows CVE-2024-21412 Vulnerability

In mid-January, security researchers identified a significant campaign distributing the malicious software DarkGate, exploiting a recently patched Microsoft Windows security vulnerability in a zero-day fashion, that is, before its correction.

According to Trend Micro, the attacks commenced with the use of PDF files containing Google DoubleClick open redirects, leading victims to compromised websites. These sites utilized the vulnerability CVE-2024-21412, circumventing Windows SmartScreen protection and installing malicious installers masquerading as popular applications like iTunes, Notion, and NVIDIA, distributed in the “.msi” format.

CVE-2024-21412

CVE-2024-21412, rated at 8.1 on the CVSS scale, allows unauthenticated attackers to bypass SmartScreen protection using a specially crafted malicious file.

As previously mentioned, Microsoft addressed this vulnerability in the February Patch Tuesday update package. However, before this, it was exploited for the distribution of DarkGate and the delivery of the DarkMe malware, used by the Water Hydra group targeting financial institutions.

In the DarkGate operation, hackers leveraged CVE-2024-21412 in conjunction with redirects from Google Ads to disseminate malicious software. Victims clicking on a link from a PDF attachment received via a phishing email led to the download of the malicious file exploiting the aforementioned vulnerability.

Besides CVE-2024-21412, experts also recorded the use of another Windows SmartScreen vulnerability, CVE-2023-36025, rated 8.8 on the CVSS scale, which hackers from TA544 successfully exploited in November of the previous year.

Security researchers emphasize the importance of vigilance and the necessity of avoiding software installation from unreliable sources. This includes not only counterfeit installers but also the misuse of Google Ads technologies, allowing attackers to scale their operations.

Furthermore, there is a noted increase in the number of new malware families capable of stealing confidential information, as well as a rise in the use of popular platforms for malware distribution, often incorporating elements of social engineering.

The findings underscore the complexity of securing modern cyberspace and the need for a comprehensive approach to digital protection for both organizations and individual users.