A new zero-day vulnerability in Microsoft Defender SmartScreen has been exploited by an advanced persistent threat actor known as Water Hydra (aka DarkCasino) to target financial market traders.
Trend Micro, which started tracking the campaign in late December 2023, revealed that the attack leverages CVE-2024-21412, a security bypass vulnerability related to Internet Shortcut Files (.URL).
“In this attack chain, the threat actor used CVE-2024-21412 to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe malware,” the cybersecurity firm explained in a report.
Microsoft patched the flaw in its February Patch Tuesday update, stating that an unauthenticated attacker could exploit it by sending the targeted user a specially crafted file to bypass displayed security checks.
Successful exploitation relies on convincing the victim to click on the file link to view the attacker-controlled content.
In the infection process documented by Trend Micro, a link to fxbulls[.]ru is posted on forex trading forums under the guise of sharing a stock chart image; the “image” is actually an internet shortcut file (“photo_2023-12-29.jpg.url”), and opening it exploits CVE-2024-21412 to drop a malicious installer file (“7z.msi”).
“The landing page on fxbulls[.]ru contains a link to a malicious WebDAV share with a filtered crafted view,” explained security researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun.
“When users click on this link, the browser will ask them to open the link in Windows Explorer. This is not a security prompt, so the user might not think that this link is malicious.”
The attacker abuses the search: application protocol, which is used to invoke the Windows desktop search application and has been exploited in the past to deliver malware.
The internet shortcut file points to another internet shortcut file hosted on a remote server (“2.url”), which, in turn, points to a CMD shell script within a ZIP archive hosted on the same server (“a2.zip/a2.cmd”).
“Calling a shortcut within another shortcut was enough to evade SmartScreen, which failed to properly apply Mark of the Web (MotW), a critical Windows component that alerts users when opening or running files from an untrusted source,” the researchers noted.
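As an added illustration (not code from the Trend Micro report), the following Python script parses the [InternetShortcut] section of .URL files and flags the traits described above: a target that is itself another .url, a remote WebDAV share in host@80 notation, or the search: protocol handler. The sample shortcut contents and the 203.0.113.10 host are constructed.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed sample .url contents (not taken from the report). The first mimics
# the chain in the article: a local .url whose target is another .url on a
# remote WebDAV share; the second uses the search: handler; the third is benign.
SAMPLE_NESTED = """[InternetShortcut]
URL=file://203.0.113.10@80/share/2.url
IconIndex=0
"""
SAMPLE_SEARCH = r"""[InternetShortcut]
URL=search:query=a2.cmd&crumb=location:\\203.0.113.10@80\share
"""
SAMPLE_BENIGN = """[InternetShortcut]
URL=https://example.org/charts/daily.png
"""

PAYLOAD_EXTS = (".cmd", ".bat", ".lnk", ".msi", ".zip")

def parse_url_file(text):
    """Return the URL= value of the [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)

def classify(text):
    """Return the reasons a .url file resembles the nested-shortcut lure."""
    target = parse_url_file(text)
    if target is None:
        return ["no URL= entry in [InternetShortcut]"]
    reasons = []
    parsed = urlparse(target)
    lowered = target.lower()
    if parsed.scheme.lower() == "search":
        reasons.append("uses the search: protocol handler")
    if parsed.scheme.lower() == "file" and parsed.netloc:
        reasons.append("file:// target on a remote host (UNC/WebDAV)")
    if re.search(r"@(80|443|ssl)(?=[\\/]|$)", lowered):   # WebDAV host@port form
        reasons.append("WebDAV host@port notation")
    path = re.split(r"[?#]", lowered, maxsplit=1)[0].rstrip("/")
    if path.endswith(".url"):
        reasons.append("target is another Internet Shortcut (nested .url)")
    elif path.endswith(PAYLOAD_EXTS):
        reasons.append("target is a script, installer or archive")
    return reasons

def is_suspicious(text):
    return bool(classify(text))

if __name__ == "__main__":
    for name, body in [("nested", SAMPLE_NESTED), ("search", SAMPLE_SEARCH), ("benign", SAMPLE_BENIGN)]:
        print(name, classify(body))
```

Feeding real .url files collected from user download folders or mail attachments into classify() gives a cheap triage signal; a hit on the nested-.url or search: rule is worth a closer look even when SmartScreen raised no prompt.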
The ultimate goal of the campaign is to deliver DarkMe, a Visual Basic trojan, stealthily in the background while displaying the stock graph to the victim to maintain the illusion.
DarkMe is capable of downloading and executing additional instructions, as well as registering itself with a command-and-control (C2) server and gathering information from the compromised system.
This development reflects a trend where cybercrime groups discover zero-days that end up being used by nation-state hacking groups in sophisticated attacks.
“Water Hydra has the technical knowledge and tools to discover and exploit zero-day vulnerabilities in advanced campaigns, deploying highly destructive malware such as DarkMe,” the researchers concluded.