
DarkGate Malware Leveraged Newly Patched Microsoft Vulnerability in Zero-Day Exploit

An underground campaign called DarkGate was discovered by the Zero Day Initiative (ZDI) in mid-January 2024; it exploited CVE-2024-21412 by using fake software installers. In this campaign, users were lured with PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects, which sent them to compromised websites hosting the Microsoft Windows SmartScreen bypass (CVE-2024-21412), which in turn led them to malicious Microsoft Installer (.MSI) packages. The fake installers contained a sideloaded DLL file that decrypted the DarkGate malware payload and infected the user with it.

DarkGate, which operates on a malware-as-a-service (MaaS) model, is one of the most prolific, sophisticated, and active strains of malware in the cybercrime world. This malware has been used by financially motivated threat actors to target organizations in North America, Europe, Asia, and Africa.

Microsoft fixed the vulnerability as part of its Patch Tuesday updates for February 2024, but not before it was weaponized by a threat actor called Water Hydra (aka DarkCasino) to deliver the DarkMe malware as part of attacks targeting financial institutions.

All organizations should remain vigilant and inform their users not to trust any software installer they receive outside of official channels.
