TechRadar
Sead Fadilpašić

Hackers exploit another Windows security flaw to drop DarkGate malware


Microsoft recently patched a vulnerability in Windows SmartScreen, but not before hackers abused it as a zero-day to drop the DarkGate malware.

A report from cybersecurity researchers Trend Micro detailed a new campaign that included phishing emails with malicious PDF files, open redirects via Google DoubleClick Digital Marketing (DDM), and Microsoft installers (.MSI) impersonating legitimate software.

As explained by the researchers, the attack is part of a wider campaign from a threat actor known as Water Hydra. In the campaign, the attackers would send out convincing phishing emails to their targets, carrying a seemingly innocuous .PDF file.

Downloading compromised programs

This file contains a link, which deploys an open redirect from Google's doubleclick[.]net domain and leads to a compromised web server. An open redirect is a type of vulnerability in which the destination of the redirect is supplied by the client, while the legitimate website through which the redirect is made does not properly filter or validate the requested destination.
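The open redirect class described above, as an added illustration that is not from the Trend Micro report or this article: a naive "looks relative" check beside a hardened validator that only accepts same-site paths or absolute URLs on one trusted host. TRUSTED_HOST and every URL below are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the only host this site may redirect to.
TRUSTED_HOST = "ads.example.com"


def naive_is_safe(target: str) -> bool:
    """The weak check an open redirect typically hides behind:
    it only asks whether the target starts with a slash, so a
    scheme-relative //attacker.example/... slips through."""
    return target.startswith("/")


def is_safe_redirect(target: str, trusted_host: str = TRUSTED_HOST) -> bool:
    """Accept a single-slash relative path, or an http(s) URL whose host
    is exactly the trusted host. Rejects scheme-relative URLs, backslashes,
    whitespace/control characters, userinfo tricks and non-http schemes."""
    if not target or any(c in target for c in "\\\r\n\t "):
        return False
    # Pure relative path: exactly one leading slash (rejects //attacker.example).
    if target.startswith("/") and not target.startswith("//"):
        return True
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed netloc, e.g. a bad IPv6 literal
        return False
    if parts.scheme not in ("https", "http"):
        return False
    if parts.username is not None:  # https://trusted@attacker.example/
        return False
    return parts.hostname is not None and parts.hostname.lower() == trusted_host.lower()


def resolve_redirect(target: str) -> str:
    """Return the validated target, or a safe landing page if validation fails."""
    return target if is_safe_redirect(target) else "/"
```

The naive check accepts `//attacker.example/payload`, which a browser resolves to a different host; the hardened check treats only one leading slash as relative and compares the parsed hostname against an allowlist.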

This server the victims are redirected to hosts a malicious .URL shortcut file that exploits a vulnerability tracked as CVE-2024-21412.

This is a flaw in Microsoft Windows SmartScreen - a cloud-based anti-phishing and anti-malware component included in several Microsoft products. By exploiting the flaw, the attackers are able to get the victims to run a malicious .MSI file - a program installer.

Victims are led to believe that they’re installing legitimate software, such as Apple iTunes, Notion, NVIDIA, and more. However, this software comes with side-loaded DLL files that infect the users with DarkGate version 6.1.7. As described by Malpedia, DarkGate is a commodity loader capable of downloading and executing stage-two malware, running a Hidden Virtual Network Computing (HVNC) module, keylogging, stealing data from the infected devices, and even escalating privileges.

The malware was first spotted in 2018, and some researchers believe it originated in Russia. 
