DarkGate malware

DarkGate Malware Exploits Windows Vulnerability

A DarkGate malware campaign exploited a recently patched security vulnerability in Microsoft Windows, employing deceptive software installers to ensnare unsuspecting users.

Trend Micro revealed that users were lured in through PDFs containing Google DoubleClick Digital Marketing (DDM) open redirects, which sent them to compromised websites that exploited the Microsoft Windows SmartScreen bypass flaw (CVE-2024-21412). These sites delivered malicious Microsoft Installer (MSI) files disguised as legitimate software such as Apple iTunes, Notion, and NVIDIA, so that users who ran them inadvertently installed the DarkGate malware.

Notably, the exploit had previously been utilized by the Water Hydra group to target financial traders with DarkMe malware. Concurrently, counterfeit installers for Adobe Reader, Notion, and Synaptics were being distributed via fake PDF files and seemingly authentic websites to deploy information stealers like LummaC2 and the XRed backdoor, as disclosed by ASEC and eSentire. Sophos X-Ops analysts also observed QBot developers tricking users into downloading a QBot variant disguised as an installer for an Adobe product.

In light of these threats, users are strongly advised to promptly apply the necessary security patches and to refrain from downloading software installers from unknown sources or via links embedded in emails. Organizations are urged to familiarize themselves with the Indicators of Compromise (IOCs) associated with the campaign so that the threat can be blocked early in the infection chain. By remaining vigilant and proactive in implementing security measures, users and organizations can mitigate the risk posed by such malicious campaigns.
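The infection chain described above (an ad-network open redirect leading to a look-alike MSI installer) and the IOC-blocking advice both translate into things a defender can look for in web-proxy logs. The following Python script is an added example, not code from the original article, Trend Micro, or any of the vendors named; it applies three heuristics to constructed sample log lines: a query parameter that carries an absolute URL to a different host (an open-redirect hop), an `.msi` download whose file name mentions iTunes, Notion or NVIDIA but is served from outside that vendor's own domain, and a request to a host on an IOC list. The log format, the vendor-domain allowlist and the IOC hosts are all assumptions made for the example; the article publishes no IOC values, so the ones here are placeholders.

```python
"""Flag the DarkGate delivery pattern described above in web-proxy logs.

Heuristics (constructed for this example, not taken from the article):
  1. Open-redirect hop: a request whose query string carries an absolute URL
     pointing at a different host than the one being requested.
  2. Look-alike installer: an .msi download whose file name mentions a vendor
     named in the article (iTunes, Notion, NVIDIA) but is served from a host
     outside that vendor's own domain.
  3. Known-bad host: a request to a host present in an IOC list.
"""
import posixpath
from urllib.parse import urlparse, parse_qs

# Hypothetical allowlist of vendor domains (assumption; a real deployment would
# maintain its own list). Keys are case-insensitive substrings of file names.
VENDOR_DOMAINS = {
    "itunes": ("apple.com",),
    "notion": ("notion.so",),
    "nvidia": ("nvidia.com",),
}

# Placeholder IOC hosts: the article gives none, so these are constructed.
SAMPLE_IOC_HOSTS = frozenset({"cdn.itunes-update.example"})


def _host_in_domains(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def open_redirect_target(url):
    """Return an external URL embedded in a query parameter, or None."""
    parsed = urlparse(url)
    for values in parse_qs(parsed.query).values():
        for value in values:          # parse_qs already percent-decodes
            candidate = urlparse(value)
            if (candidate.scheme in ("http", "https") and candidate.netloc
                    and candidate.netloc.lower() != parsed.netloc.lower()):
                return value
    return None


def lookalike_installer(url):
    """Return the impersonated vendor if url is an .msi from an unexpected host."""
    parsed = urlparse(url)
    filename = posixpath.basename(parsed.path).lower()
    if not filename.endswith(".msi"):
        return None
    for vendor, domains in VENDOR_DOMAINS.items():
        if vendor in filename and not _host_in_domains(parsed.netloc, domains):
            return vendor
    return None


def parse_log_line(line):
    """Constructed log format: '<client_ip> <method> <url> <status>'."""
    client, method, url, status = line.split()
    return {"client": client, "method": method, "url": url, "status": int(status)}


def scan(log_text, ioc_hosts=frozenset()):
    """Return (client, reason, url) findings for every suspicious request."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_log_line(raw)
        url = rec["url"]
        host = urlparse(url).netloc.lower()
        if host in ioc_hosts:
            findings.append((rec["client"], "ioc-host", url))
        target = open_redirect_target(url)
        if target:
            findings.append((rec["client"], "open-redirect", target))
        vendor = lookalike_installer(url)
        if vendor:
            findings.append((rec["client"], f"lookalike-{vendor}", url))
    return findings


# Constructed sample log lines (not real traffic; all hosts are placeholders).
SAMPLE_LOG = """\
10.0.0.5 GET https://ads.redirector.example/click?dest=https://get-notion.example/Notion-Setup.msi 302
10.0.0.5 GET https://get-notion.example/Notion-Setup.msi 200
10.0.0.7 GET https://www.notion.so/desktop/windows/download 200
10.0.0.9 GET https://cdn.itunes-update.example/iTunesSetup.msi 200
10.0.0.9 GET https://shop.example/?next=/account 200
"""

if __name__ == "__main__":
    for client, reason, url in scan(SAMPLE_LOG, SAMPLE_IOC_HOSTS):
        print(f"{client}\t{reason}\t{url}")
```

Run against the sample, the script reports the redirect hop and the Notion look-alike for the first client, and both the IOC hit and the iTunes look-alike for the second, while the genuine notion.so download and the relative `next=/account` parameter produce nothing. The open-redirect check is deliberately parameter-name agnostic, so it does not depend on knowing which query key a particular ad network uses; the cost is that legitimate cross-host redirects will also surface and should be tuned out with an allowlist.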