A newly disclosed security flaw in Microsoft Defender SmartScreen has been exploited as a zero-day by an advanced persistent threat actor called Water Hydra (aka DarkCasino) targeting financial market traders.
Trend Micro, which began tracking the campaign in late December 2023, said it involves the exploitation of CVE-2024-21412, a security bypass vulnerability related to Internet Shortcut Files (.URL).
“In this attack chain, the threat actor leveraged CVE-2024-21412 to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe malware,” the cybersecurity firm said in a Tuesday report.
Microsoft, which addressed the flaw in its February Patch Tuesday update, said an unauthenticated attacker could exploit the flaw by sending the targeted user a specially crafted file in order to bypass displayed security checks.
However, successful exploitation depends on the prerequisite that the threat actor convinces the victim to click on the file link to view the attacker-controlled content.
The infection procedure documented by Trend Micro exploits CVE-2024-21412 to drop a malicious installer file (“7z.msi”) when the victim clicks on a booby-trapped URL (“fxbulls[.]ru”) distributed via forex trading forums under the pretext of sharing a link to a stock chart image that, in reality, is an internet shortcut file (“photo_2023-12-29.jpg.url”).
“The landing page on fxbulls[.]ru contains a link to a malicious WebDAV share with a filtered crafted view,” security researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun said.
“When users click on this link, the browser will ask them to open the link in Windows Explorer. This is not a security prompt, so the user might not think that this link is malicious.”
The clever trick that makes this possible is the threat actor’s abuse of the search: application protocol, which is used for calling the desktop search application on Windows and has been abused in the past to deliver malware.
The rogue internet shortcut file, for its part, points to another internet shortcut file hosted on a remote server (“2.url”), which, in turn, points to a CMD shell script inside a ZIP archive hosted on the same server (“a2.zip/a2.cmd”).
This unusual referencing stems from the fact that “calling a shortcut within another shortcut was sufficient to evade SmartScreen, which did not properly apply Mark of the Web (MotW), a critical Windows component that alerts users when opening or running files from an untrusted source.”
The end goal of the campaign is to stealthily deliver a Visual Basic trojan known as DarkMe in the background while displaying the stock graph to the victim to keep up the ruse upon completion of the exploitation and infection chain.
DarkMe comes with capabilities to download and execute additional instructions, alongside registering itself with a command-and-control (C2) server and gathering information from the compromised system.
The development comes amid a new trend where zero-days discovered by cybercrime groups end up getting incorporated into attack chains deployed by nation-state hacking groups to launch sophisticated attacks.
“Water Hydra possess the technical knowledge and tools to discover and exploit zero-day vulnerabilities in advanced campaigns, deploying highly destructive malware such as DarkMe,” the researchers said.
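As an added illustration of the chain just described (this is not code from the Trend Micro report or from this article), the following Python triages a .URL file or a bare link for the traits called out above: the search: handler, a shortcut whose target is itself a remote shortcut, and a target that resolves to a script or archive. The sample inputs, host names and the `parse_internet_shortcut`/`triage_target` helpers are constructed for this example.

```python
import configparser
from urllib.parse import urlsplit

# Constructed samples; the hosts are placeholders, not indicators from the report.
BENIGN_SHORTCUT = "[InternetShortcut]\nURL=https://www.example.com/charts/eurusd.png\n"
NESTED_SHORTCUT = "[InternetShortcut]\nURL=file://webdav.example.invalid/share/2.url\n"
SEARCH_LINK = "search:query=photo&crumb=location:\\\\webdav.example.invalid\\share"

# A link that claims to be a chart image should not resolve to any of these.
SUSPECT_EXTENSIONS = (".url", ".cmd", ".bat", ".zip", ".msi")


def parse_internet_shortcut(text):
    """Return the URL= target of an INI-style .url file, or None if it is not one."""
    # Only '=' is a delimiter so that the ':' inside the URL is left alone.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:  # no section header, malformed line, ...
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def triage_target(target):
    """List the traits of a link that match the chain above; [] means none found."""
    findings = []
    parts = urlsplit(target)
    scheme, path = parts.scheme.lower(), parts.path.lower()
    if scheme == "search":
        findings.append("search: protocol handler (link is handed to Windows Explorer)")
    if path.endswith(".url"):
        findings.append("shortcut-in-shortcut: target is itself an internet shortcut")
    if parts.netloc and path.endswith(SUSPECT_EXTENSIONS):
        findings.append(f"remote target with suspect extension: {parts.netloc}{parts.path}")
    return findings


def triage_url_shortcut(text):
    """Parse a .url file and triage its target; [] for a benign or unparsable file."""
    target = parse_internet_shortcut(text)
    return triage_target(target) if target else []


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SHORTCUT), ("nested", NESTED_SHORTCUT)):
        print(label, triage_url_shortcut(sample))
    print("search link", triage_target(SEARCH_LINK))
```

The checks are heuristics on the link itself; they do not inspect the Mark of the Web zone identifier, which on a real endpoint is the second signal worth correlating.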