
DarkGate Malware Campaign Targets Microsoft Windows Zero-Day Vulnerability

Hackers exploited a Windows zero-day (CVE-2024-21412) to deliver DarkGate malware via fake software installers.


The Zero Day Initiative (ZDI) has identified a sophisticated cyber campaign exploiting a zero-day vulnerability in Microsoft Windows, CVE-2024-21412. The exploit has been utilized in a series of attacks orchestrated by the Advanced Persistent Threat (APT) group Water Hydra, targeting users with fake software installers. Microsoft has addressed the vulnerability in its February 2024 Patch Tuesday security updates, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has subsequently added the flaw to its Known Exploited Vulnerabilities catalog.

The Exploit Mechanism and DarkGate Malware Deployment

The campaign leverages PDF documents containing Google DoubleClick Digital Marketing (DDM) open redirects. These redirects lead victims to compromised sites that host the exploit for CVE-2024-21412, effectively bypassing Microsoft Windows SmartScreen protections. It is worth noting that Microsoft sent out a patch for Windows SmartScreen last month. The exploit facilitates the delivery of malicious Microsoft Installer (.MSI) packages, which are disguised as legitimate software applications, including Apple iTunes, Notion, and NVIDIA, among others. These installers contain a sideloaded DLL file that decrypts and deploys the DarkGate malware onto the victims’ systems.
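The first link in the chain above is an ad-network click tracker that forwards the browser to whatever destination the link carries, so a defender can look for such links in proxy or EDR logs and flag those whose destination lies outside the ad network's own domains. The following script is an added example, not code from the article or from ZDI; the redirector host list, the parameter names it inspects (such as adurl), and the log lines are constructed assumptions to be replaced with your own telemetry.

```python
"""Flag ad-network click-tracker URLs that forward to an unrelated host.

Added illustration for the open-redirect stage described in the article.
Host lists, parameter names and the sample log lines are assumptions."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Hosts whose click-tracking endpoints forward the browser to a
# caller-supplied URL (assumption; populate from your own intelligence).
REDIRECTOR_HOSTS = {"ad.doubleclick.net", "www.googleadservices.com"}

# Parameter names that commonly carry the forwarding destination (assumption).
DEST_PARAMS = ("adurl", "url", "redirect", "dest", "u")

# Destinations on the ad network's own domains are expected, not suspicious.
TRUSTED_DEST_DOMAINS = ("google.com", "doubleclick.net", "googleadservices.com")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _params(url):
    """Collect key=value pairs from the query string and from the
    semicolon-delimited path segments that DDM-style links use."""
    parts = urlsplit(url)
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    for seg in parts.path.split(";")[1:]:
        key, _, val = seg.partition("=")
        pairs.append((key, unquote(val)))
    return dict(pairs)


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def destination_host(url):
    """Return the host a known redirector forwards to, or None when the URL
    is not a redirector or carries no absolute http(s) destination."""
    if urlsplit(url).hostname not in REDIRECTOR_HOSTS:
        return None
    params = _params(url)
    for name in DEST_PARAMS:
        raw = params.get(name)
        if not raw:
            continue
        dest = urlsplit(raw)
        if dest.scheme in ("http", "https") and dest.hostname:
            return dest.hostname.lower()
    return None


def is_suspicious_redirect(url):
    """True when a redirector forwards off the ad network's own domains."""
    host = destination_host(url)
    if host is None:
        return False
    return not any(_under(host, d) for d in TRUSTED_DEST_DOMAINS)


def flag_log_lines(lines):
    """Scan log lines and return (line_no, redirector_host, destination_host)
    for every suspicious redirect found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            if is_suspicious_redirect(url):
                hits.append((n, urlsplit(url).hostname, destination_host(url)))
    return hits


# Constructed sample proxy log lines (not real telemetry).
SAMPLE_LOG = [
    "2024-02-14T09:12:01Z user=alice url=https://ad.doubleclick.net/ddm/trackclk/N1.2/B3.4;dc_trk_aid=1;adurl=https%3A%2F%2Flure-host.example%2Fupdate.html",
    "2024-02-14T09:12:03Z user=alice url=https://www.googleadservices.com/pagead/aclk?sa=L&adurl=https%3A%2F%2Fwww.google.com%2F",
    "2024-02-14T09:13:07Z user=bob url=https://www.example.com/docs/report.pdf",
]

if __name__ == "__main__":
    for line_no, via, dest in flag_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: {via} forwards to {dest}")
```

Only the first sample line is reported: it is a known redirector whose destination host is outside the ad network. A hit is a lead, not a verdict; the destination host should be checked against reputation data and the subsequent download (an .MSI whose embedded DLL the article describes) examined before escalating.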

DarkGate, a Remote Access Trojan (RAT) written in Borland Delphi, has been active since at least 2018. It is known for its wide array of capabilities, including process injection, file download and execution, information theft, shell command execution, and keylogging. The malware employs multiple evasion techniques to avoid detection and has been used by financially motivated threat actors in attacks across North America, Europe, Asia, and Africa. One such attack was a phishing campaign that leveraged Microsoft Teams to distribute DarkGate.

Implications and Recommendations

The use of open redirects and masqueraded installers in this campaign underscores the sophistication of the tactics employed by cybercriminals. The Zero Day Initiative emphasizes the importance of vigilance and advises users against trusting software installers received from unofficial channels. The discovery of this campaign highlights the ongoing risk posed by zero-day vulnerabilities and the necessity for prompt patching and updates to mitigate potential threats.

Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.