    DarkMe malware exploits Microsoft SmartScreen zero-day vulnerability to target traders

Report | February 14, 2024 | Editorial Department | Zero-day / Financial Sector Security

    Microsoft SmartScreen zero-day vulnerability

    A newly revealed security flaw in Microsoft Defender SmartScreen has been exploited as a zero-day vulnerability by an advanced persistent threat actor known as Water Hydra (aka DarkCasino), which targets financial market traders.

Trend Micro began tracking the campaign in late December 2023 and said it involved the exploitation of CVE-2024-21412, a security feature bypass vulnerability affecting Internet Shortcut files (.URL).

    “In this attack chain, the threat actor leveraged CVE-2024-21412 to bypass Microsoft Defender SmartScreen and infect victims with DarkMe malware,” the cybersecurity firm said in Tuesday’s report.

Microsoft addressed the flaw in its February Patch Tuesday update and said an unauthenticated attacker could exploit it by sending a specially crafted file to a targeted user in order to bypass the security checks that would otherwise be displayed.

However, a prerequisite for successful exploitation is that the threat actor convinces the victim to click on a file link to view the attacker-controlled content.

The infection process documented by Trend Micro exploits CVE-2024-21412 to drop a malicious installer file (“7z.msi”) after the victim clicks a booby-trapped URL (“fxbulls[.]ru”). The link was distributed on Forex trading forums under the pretext of sharing a stock chart image, but in fact pointed to an Internet shortcut file (“photo_2023-12-29.jpg.url”).

“The login page on fxbulls[.]ru contains links to malicious WebDAV shares that contain a filtered, crafted view,” said security researchers Peter Girnus, Aliakbar Zahravi and Simon Zuckerbraun.

    “When users click this link, the browser will ask them to open the link in Windows Explorer. This is not a security prompt, so users may not think the link is malicious.”

The trick that makes this possible is the threat actor’s abuse of the search: application protocol, which is used to invoke the Windows desktop search application and has been abused in the past to deliver malware.

The malicious web shortcut file itself points to another web shortcut file hosted on the remote server (“2.url”), which in turn points to a CMD shell script inside a ZIP archive hosted on the same server (“a2.zip/a2.cmd”).

This unusual indirection stems from the fact that “calling a shortcut within another shortcut is enough to evade SmartScreen, which in turn fails to properly apply Mark of the Web (MotW), a critical Windows component that alerts users when files they open or execute come from untrusted sources.”
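The nested-shortcut chain described above (an image-named .url that points at a second .url on a remote WebDAV share, which then leads to a CMD payload) leaves characteristic traces in the .url file itself. The following is an added defender-side example, not code from the original article or from Trend Micro: it parses the INI-style Internet Shortcut format and flags the indicators the article names. The sample file contents and the WebDAV hostname are constructed placeholders.

```python
import configparser
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed sample in the shape the article describes: a shortcut named like
# an image whose target is a second .url on a remote share. Host is a placeholder.
SAMPLE_OUTER_URL = """[InternetShortcut]
URL=file://webdav.example.invalid/share/2.url
ShowCommand=7
IconIndex=1
"""

# Constructed benign shortcut for comparison: an https:// link to a web page.
SAMPLE_BENIGN_URL = """[InternetShortcut]
URL=https://docs.example.invalid/chart.png
"""

PAYLOAD_EXTENSIONS = (".cmd", ".bat", ".zip", ".msi")
DECOY_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".pdf", ".docx")


def parse_internet_shortcut(text):
    """Return the URL= target of an Internet Shortcut, or None if absent."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def assess_shortcut(text, filename):
    """List reasons a .url file resembles the nested-shortcut chain."""
    reasons = []
    target = parse_internet_shortcut(text)
    if target is None:
        return ["not a parseable Internet Shortcut"]
    parsed = urlparse(target)
    path = parsed.path.lower()
    # A shortcut whose target is itself a shortcut: the nesting that evades MotW.
    if path.endswith(".url"):
        reasons.append("target is another .url shortcut (nested shortcut)")
    # file:// with a host, or a UNC path, resolves via WebDAV/SMB to a remote share.
    if (parsed.scheme.lower() == "file" and parsed.netloc) or target.startswith("\\\\"):
        reasons.append("target is a remote file share")
    if path.endswith(PAYLOAD_EXTENSIONS):
        reasons.append("target is an executable or archive payload")
    # Double extension such as photo.jpg.url disguises the shortcut as an image.
    stem = PurePosixPath(filename.lower()).stem
    if filename.lower().endswith(".url") and stem.endswith(DECOY_EXTENSIONS):
        reasons.append("filename uses a decoy double extension")
    return reasons
```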

The end goal of the campaign is to covertly deploy a Visual Basic Trojan named DarkMe in the background while displaying a stock chart to the victim, keeping up the ruse once the exploit and infection chain has completed.

    DarkMe has the ability to download and execute additional commands, as well as register with command and control (C2) servers and collect information from infected systems.

The development comes amid a broader trend in which zero-day vulnerabilities discovered by cybercriminal groups are eventually incorporated into attack chains used by nation-state hacking groups to launch sophisticated attacks.

    “Water Hydra has the technical knowledge and tools to discover and exploit zero-day vulnerabilities in advanced campaigns to deploy highly damaging malware such as DarkMe,” researchers said.
