In mid-January, a DarkGate malware campaign was observed exploiting a Microsoft Windows security flaw that was a zero-day at the time and has since been patched. The campaign used fake software installers as its lure to compromise unsuspecting users.
In detail
Trend Micro reported that victims were lured through PDF files containing Google DoubleClick Digital Marketing (DDM) open redirects.
These redirects sent victims to compromised websites hosting files that exploited the Microsoft Windows SmartScreen bypass flaw (CVE-2024-21412), which led to the delivery of malicious Microsoft Installer (MSI) packages.
The fake MSI installers masqueraded as legitimate software, including Apple iTunes, Notion, and NVIDIA, to trick users into installing the DarkGate malware.
It is worth noting that the same flaw had previously been exploited by the Water Hydra group to target financial traders with the DarkMe malware.
Fake software installers remain a persistent threat
The development comes as ASEC and eSentire revealed that counterfeit installers for Adobe Reader, Notion, and Synaptics were being distributed through fake PDF files and seemingly legitimate websites to deploy information stealers such as LummaC2 and the XRed backdoor.
Additionally, Sophos X-Ops analysts noted that the developers behind QBot tricked users into downloading a QBot variant masquerading as an installer for an Adobe product.
Conclusion
Users should apply the available security patches, including the fix for CVE-2024-21412, to protect themselves from such attacks. They should also avoid downloading installers for legitimate software from unknown sources or through links embedded in emails, and verify the publisher of any installer before running it. Organizations should ingest the indicators of compromise (IOCs) associated with the campaign into their blocklists and detection rules so that the threat can be stopped at the initial stage.
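Since the campaign relied on MSI packages impersonating iTunes, Notion and NVIDIA, one practical check before running any downloaded installer is to confirm that it carries a valid Authenticode signature from the expected vendor and that it still bears the Mark-of-the-Web that SmartScreen relies on. The following PowerShell function is an added example written for this page, not code from Trend Micro or from any of the vendors mentioned; the file path, the expected publisher pattern and the sample invocation are assumptions for illustration.

```powershell
# Added example (not from the original article): verify a downloaded installer
# before running it. Two checks are made:
#   1. Authenticode signature is valid and the signer's subject matches the
#      vendor the installer claims to be from.
#   2. The file still carries a Mark-of-the-Web (Zone.Identifier alternate data
#      stream). SmartScreen only evaluates files that carry this mark, so a
#      downloaded installer without it deserves suspicion.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Regex matched against the signer certificate subject, e.g. 'O=NVIDIA Corporation'
        [Parameter(Mandatory)] [string] $ExpectedPublisherPattern
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $result = [ordered]@{
        Path            = $Path
        SignatureStatus = $null
        Signer          = $null
        PublisherMatch  = $false
        HasMarkOfTheWeb = $false
        Verdict         = 'REJECT'
    }

    # Check 1: Authenticode signature (works for .msi as well as .exe/.dll)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result.SignatureStatus = $sig.Status
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
        $result.PublisherMatch = $sig.SignerCertificate.Subject -match $ExpectedPublisherPattern
    }

    # Check 2: Mark-of-the-Web. Downloaded files normally have a Zone.Identifier
    # stream with ZoneId=3 (Internet) or 4 (Restricted).
    try {
        $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        $result.HasMarkOfTheWeb = ($zone -match '^ZoneId=[34]$') -ne $null -and
                                  (($zone -match '^ZoneId=[34]$').Count -gt 0)
    } catch {
        $result.HasMarkOfTheWeb = $false
    }

    # Only accept a validly signed file from the expected publisher. A missing
    # Mark-of-the-Web does not by itself prove tampering, but it means
    # SmartScreen never inspected the file, so it is reported for the operator.
    if ($sig.Status -eq 'Valid' -and $result.PublisherMatch) {
        $result.Verdict = if ($result.HasMarkOfTheWeb) { 'ACCEPT' } else { 'ACCEPT (no Mark-of-the-Web, SmartScreen did not evaluate this file)' }
    }

    [pscustomobject] $result
}

# Assumed usage: a file that claims to be an NVIDIA installer.
# Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\NVIDIA_setup.msi" `
#                    -ExpectedPublisherPattern 'O=NVIDIA Corporation'
```

Run the function on the downloaded file and refuse to execute anything that does not come back with a Valid signature from the expected publisher; an unsigned or foreign-signed MSI bearing a well-known vendor's name is exactly the pattern described above.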