The Zero Day Initiative (ZDI) recently uncovered a DarkGate campaign in mid-January 2024, which exploited CVE-2024-21412 through the use of fake software installers. During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412, which in turn led to malicious Microsoft (.MSI) installers.

The phishing campaign employed open redirect URLs from Google Ad technologies to distribute fake Microsoft software installers (.MSI) masquerading as legitimate software, including Apple iTunes, Notion, NVIDIA, and others. The fake installers contained a sideloaded DLL file that decrypted and infected users with a DarkGate malware payload. This campaign was part of the larger Water Hydra APT zero-day analysis. The Zero Day Initiative (ZDI) monitored this campaign closely and observed its tactics.

Using fake software installers, along with open redirects, is a potent combination and can lead to many infections. It is essential to remain vigilant and to instruct users not to trust any software installer that they receive outside of official channels.

DarkGate, which operates on a malware-as-a-service (MaaS) model, is one of the most prolific, sophisticated, and active strains of malware in the cybercrime world. This piece of malicious software has often been used by financially motivated threat actors to target organizations in North America, Europe, Asia, and Africa. Businesses and individuals alike must take proactive steps to protect their systems from such threats.

CVE-2024-21412 was officially patched by Microsoft in their February 13 security patch. Trend Micro customers have been protected from this zero-day since January 17.

In a special edition of the Zero Day Initiative Patch Report, we provide a video demonstration of CVE-2024-21412. To gain insights into how Trend customers enjoy zero-day protection through the ZDI from attacks such as CVE-2024-21412, we provide an in-depth webinar including a Trend Vision One™ live demo.

In the following sections, we will explore the DarkGate campaign by looking at each piece of the chain, as shown in Figure 1.

Google uses URL redirects as part of its ad platform and suite of other online ad-serving services. At its core, Google DoubleClick provides solutions designed to help advertisers, publishers, and ad agencies manage and optimize their online advertising campaigns. We have seen an increase in the abuse of the Google Ads ecosystem to deliver malicious software in the past, including threat actors using popular MaaS stealers such as Rhadamanthys and macOS stealers like Atomic Stealer (AMOS). Threat actors can abuse Google Ads technologies to increase the reach of malware through specific ad campaigns and by targeting specific audiences. When a user uses the Google search engine to look for content, sponsored ads will be shown to the user. These are placed by businesses and marketing teams using technologies such as Google DoubleClick. These ad technologies track what queries the user submits and show relevant ads based on the query. When selecting an ad, the user initiates a request chain that redirects the user to the targeted resource set by the advertiser (Figure 3).

Besides purchasing ad space directly, one way in which threat actors can spread malicious software more efficiently is by using open redirects in URLs related to Google DDM. The Google DoubleClick technologies operate over the HTTP/2 protocol; by decrypting this traffic we can follow the flow of redirection on the network. Abusing open redirects might lead to code execution, primarily when combined with security bypasses such as CVE-2023-36025 and CVE-2024-21412.
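The request chain described above is what an analyst sees when pulling a lure URL out of a PDF: a click-tracker URL whose query string carries the next hop, which may itself carry another hop, ending at the resource the attacker chose. The following is an added defensive example, not code from the original post or from Trend Micro: it walks the redirect hops embedded in a URL's query parameters and reports where the chain ends. It is parameter-name agnostic (any value that is an absolute http(s) URL is treated as a hop), so the `adurl=` name in the sample, the `.test` hostnames, and the trusted-host list are all constructed assumptions rather than indicators from the campaign. It handles the two encodings seen in practice: a nested URL that is percent-encoded and one that is pasted in raw with its own `&`-separated parameters.

```python
"""Walk the redirect chain encoded in a URL's query string (added example).

The sample URL, parameter names and host names below are constructed for
illustration; they are not indicators from the DarkGate campaign.
"""
import re
from typing import Optional
from urllib.parse import unquote, urlparse

# Final resources a defender would want flagged when reached via a redirect chain.
INSTALLER_EXTENSIONS = (".msi", ".exe")

# Matches "<param>=http://..." or "<param>=https%3A%2F%2F..." inside a query string.
_HOP = re.compile(r"(?:^|&)[^&=]+=(https?(?:://|%3A%2F%2F))", re.IGNORECASE)


def next_hop(url: str) -> Optional[str]:
    """Return the redirect target embedded in url's query string, or None."""
    query = urlparse(url).query
    match = _HOP.search(query)
    if match is None:
        return None
    rest = query[match.start(1):]
    if rest.lower().startswith(("http://", "https://")):
        # Raw (unencoded) nested URL: everything to the end belongs to it,
        # including any '&'-separated parameters of its own.
        return rest
    # Percent-encoded nested URL: it ends at the next '&' of the outer query.
    return unquote(rest.split("&", 1)[0])


def redirect_chain(url: str, max_hops: int = 10) -> list:
    """Return [url, hop1, hop2, ...] up to max_hops embedded redirects."""
    chain = [url]
    for _ in range(max_hops):
        hop = next_hop(chain[-1])
        if hop is None:
            break
        chain.append(hop)
    return chain


def assess(url: str, trusted_hosts: frozenset) -> dict:
    """Summarise where a redirect chain lands, for triage or a detection rule."""
    chain = redirect_chain(url)
    final = urlparse(chain[-1])
    host = (final.hostname or "").lower()
    return {
        "hops": len(chain) - 1,
        "final_host": host,
        "final_host_untrusted": host not in trusted_hosts,
        "installer_download": final.path.lower().endswith(INSTALLER_EXTENSIONS),
    }


# Constructed sample: a DoubleClick-style click tracker (assumed 'adurl=' parameter)
# whose encoded target is a second tracker that forwards, unencoded, to an .msi.
SAMPLE_URL = (
    "https://ad.example-ddm.test/ddm/clk/123;456;789?adurl="
    "https%3A%2F%2Fclick.example-tracker.test%2Fgo%3Fu%3D"
    "https%3A%2F%2Fdownload.example-bad.test%2FiTunesSetup.msi"
)
TRUSTED_HOSTS = frozenset({"ad.example-ddm.test", "click.example-tracker.test"})

if __name__ == "__main__":
    for i, hop in enumerate(redirect_chain(SAMPLE_URL)):
        print(f"hop {i}: {hop}")
    print(assess(SAMPLE_URL, TRUSTED_HOSTS))
```

Run over URLs extracted from a suspicious PDF, a chain whose final host is outside the ad network and whose path ends in an installer extension is the pattern worth alerting on; the chain itself is also the list of hosts to check against proxy and DNS logs when scoping an incident.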