DarkMe malware targets traders using the Microsoft SmartScreen zero-day vulnerability

February 14, 2024 | Pressroom | Zero-Day / Financial Sector Security

Microsoft SmartScreen zero-day vulnerability

A recently disclosed security flaw in Microsoft Defender SmartScreen has been exploited as a zero-day by an advanced persistent threat actor called Water Hydra (aka DarkCasino) targeting financial market traders.

Trend Micro, which began tracking the campaign in late December 2023, said it involves the exploitation of CVE-2024-21412, a security bypass vulnerability related to Internet Link Files (.URL).

“In this attack chain, the threat actor exploited CVE-2024-21412 to bypass Microsoft Defender SmartScreen and infect victims with DarkMe malware,” the cybersecurity firm said in a report on Tuesday.

Microsoft, which addressed the flaw in its Patch Tuesday update in February, said that an unauthenticated attacker could exploit the flaw by sending the targeted user a specially crafted file to bypass the displayed security controls.


However, successful exploitation relies on the prerequisite that the threat actor convinces the victim to click on the file link to view the content controlled by the attacker.

The infection chain documented by Trend Micro exploits CVE-2024-21412 to deliver a malicious installer (“7z.msi”) when the victim clicks a booby-trapped URL (“fxbulls[.]ru”). The link is distributed via forex trading forums under the guise of a stock chart image but is, in reality, an Internet shortcut file (“photo_2023-12-29.jpg.url”).

“The landing page on fxbulls[.]ru contains a link to a malicious WebDAV share with a filtered view,” said security researchers Peter Girnus, Aliakbar Zahravi and Simon Zuckerbraun.

“When users click this link, the browser will ask them to open the link in Windows Explorer. This is not a security request, so the user may not think this link is malicious.”

The trick that makes this possible is the threat actor’s abuse of the search: application protocol, the URI scheme used to invoke the desktop search application on Windows, which has been abused in the past to spread malware.

The rogue Internet shortcut file, for its part, points to another Internet shortcut file hosted on a remote server (“2.url”), which, in turn, points to a CMD shell script within a ZIP archive hosted on the same server (“a2.zip/a2.cmd”).

This unusual reference stems from the fact that “calling a link within another link was enough to evade SmartScreen, which failed to properly apply Mark of the Web (MotW), a critical component of Windows that alerts users when they open or execute files from an untrusted source.”
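As an added defender-side example (this is not code from the Trend Micro report or from this article), the following Python triage heuristic parses an Internet Shortcut (.URL) file and flags the traits the chain above relies on: a target that is itself another .url file, a WebDAV/UNC location opened in Explorer, or the search: protocol handler. The host names and file contents are constructed placeholders, not campaign indicators.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample of a nested shortcut (placeholder host, not real infrastructure):
# the .url does not open a web page, it points at a second .url on a WebDAV share.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://example-webdav.invalid/share/2.url
IDList=
HotKey=0
"""

# Schemes a "link to an image" has no business using
SUSPICIOUS_SCHEMES = {"search", "search-ms", "file"}
PAYLOAD_EXTS = (".cmd", ".bat", ".msi", ".zip", ".lnk")


def parse_url_file(text):
    """Return the URL= target of an INI-style [InternetShortcut] file, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def assess_shortcut(text, trusted_hosts=()):
    """Return a list of heuristic findings for one .url file's contents (empty = benign-looking)."""
    findings = []
    target = parse_url_file(text)
    if target is None:
        return ["no URL= entry (malformed shortcut)"]
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    host = parsed.hostname or ""
    path = parsed.path.lower()
    lowered = target.lower()
    if scheme in SUSPICIOUS_SCHEMES:
        findings.append(f"uses {scheme}: handler instead of http(s)")
    if host and host not in trusted_hosts:
        findings.append(f"points to remote host {host}")
    # UNC paths and the @SSL/DavWWWRoot forms are how Explorer reaches WebDAV shares
    if target.startswith("\\\\") or "davwwwroot" in lowered or "@ssl" in lowered:
        findings.append("UNC/WebDAV path (remote share opened in Explorer)")
    if path.endswith(".url"):
        findings.append("nested shortcut: .url pointing to another .url")
    elif path.endswith(PAYLOAD_EXTS):
        findings.append(f"targets script/installer/archive content (.{path.rsplit('.', 1)[-1]})")
    return findings
```

Such heuristics belong in mail and download inspection, where a .url attachment whose target is anything other than a plain http(s) page is worth quarantining for analyst review.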


The ultimate goal of the campaign is to stealthily deliver a Visual Basic trojan known as DarkMe in the background while displaying the stock chart to the victim to maintain the ruse once the chain of exploitation and infection is complete.

DarkMe comes with functionality to download and execute additional instructions, as well as register with a command and control (C2) server and collect information from the compromised system.

The development is part of a new trend in which zero-days detected by cybercrime groups end up being incorporated into attack chains deployed by domestic hacking groups to launch sophisticated attacks.

“Water Hydra possesses the technical knowledge and tools to discover and exploit zero-day vulnerabilities in advanced campaigns, distributing highly destructive malware such as DarkMe,” the researchers said.
