[Image: candlestick chart of the BANKNIFTY index from March to September, with indicators on the left and a watchlist of stock values and percentages on the right]

Traders Targeted by DarkMe Malware Exploiting Microsoft SmartScreen Zero-Day Vulnerability

14 February 2024 | Newsroom | Zero-Day / Financial Sector Security

An advanced persistent threat actor called Water Hydra (also known as DarkCasino) has been exploiting a recently discovered security flaw in Microsoft Defender SmartScreen to target financial market traders.

The campaign, which Trend Micro began monitoring in late December 2023, involves the use of the Internet Shortcut Files (.URL) security bypass vulnerability CVE-2024-2112.

In a report released on Tuesday, the cybersecurity company said the threat actor used CVE-2024-2112 in this attack chain to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe malware.

According to Microsoft, which fixed the flaw in its February Patch Tuesday update, an unauthenticated attacker could exploit it by sending the targeted user a specially crafted file designed to bypass the security checks that would otherwise be displayed.


Successful exploitation, however, depends on the threat actor’s ability to persuade the victim to view the attacker-controlled content by clicking the file link.

The infection process described by Trend Micro exploits CVE-2024-2112 to drop a malicious installer file (7z.msi) when the victim clicks a booby-trapped URL (fxbulls[.]ru) distributed via forex trading forums under the guise of sharing a stock chart image that is actually an internet shortcut file (photo_2023-12-29.jpg.url).

"The landing page on fxbulls[.]ru contains a link to a malicious WebDAV share with a filtered view," said security researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun.

When users click on this link, they are prompted to open it in Windows Explorer. Because this is not a security prompt, the user may not suspect that the link is malicious.

What makes this possible is the threat actor's abuse of the search: application protocol, which is used to launch the desktop search application on Windows and has previously been abused to deliver malware.

The rogue internet shortcut file itself points to another web shortcut hosted on a remote server (2.url), which in turn points to a CMD shell script contained in a ZIP archive hosted on the same server (a2.zip/a2.cmd).

The reason for this peculiar indirection is that simply calling one shortcut from within another was enough to bypass SmartScreen, which failed to properly apply Mark of the Web (MotW), a crucial Windows feature that warns users when opening or running files from an untrusted source.
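As an added defender's example (not code from Trend Micro's report or from this article), the script below shows how a triage tool can flag the shortcut patterns described above: a decoy image extension in front of the real .url suffix, a shortcut whose target is another shortcut or a remote file share, a handler scheme such as search:, and the absence or value of the Mark of the Web stored in a file's Zone.Identifier stream. The sample shortcut bodies, the host 203.0.113.10 and the share paths are constructed for this example; only the decoy file name is taken from the article.

```python
import configparser
from urllib.parse import urlparse

# Extensions commonly used as a visual decoy in front of the real ".url" suffix.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Targets that a "stock chart image" link should never resolve to.
EXECUTABLE_TARGETS = {".cmd", ".bat", ".exe", ".msi", ".js", ".vbs", ".ps1", ".hta", ".lnk", ".zip"}
# URI schemes that hand the link to a local handler instead of a browser.
HANDLER_SCHEMES = {"search", "search-ms", "ms-search", "file"}
# ZoneId values written by Windows into the Zone.Identifier alternate data stream.
ZONE_NAMES = {"0": "Local machine", "1": "Intranet", "2": "Trusted", "3": "Internet", "4": "Restricted"}


def parse_internet_shortcut(text):
    """Return the URL= value from an [InternetShortcut] INI body, or None if absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case so "URL" is not folded to "url"
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    url = parser.get("InternetShortcut", "URL", fallback=None)
    return url.strip() if url else None


def _suffixes(name):
    """Lowercase extension chain of the last path element: 'a.jpg.url' -> ['.jpg', '.url']."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    return ["." + part for part in base.split(".")[1:]]


def analyse_shortcut(file_name, text):
    """Return a list of human-readable findings for one .url file (empty means nothing notable)."""
    findings = []
    exts = _suffixes(file_name)
    if len(exts) >= 2 and exts[-1] == ".url" and exts[-2] in DECOY_EXTENSIONS:
        findings.append(f"decoy extension: file name ends in {exts[-2]}{exts[-1]}")
    url = parse_internet_shortcut(text)
    if url is None:
        findings.append("no [InternetShortcut] URL= entry (malformed or not a shortcut)")
        return findings
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme in HANDLER_SCHEMES:
        findings.append(f"non-web scheme '{scheme}:' hands the link to a local handler")
    if scheme == "file" and parsed.netloc:
        findings.append(f"target is a remote file share (WebDAV/UNC) on {parsed.netloc}")
    target_exts = _suffixes(parsed.path)
    if target_exts and target_exts[-1] in EXECUTABLE_TARGETS:
        findings.append(f"target is a {target_exts[-1]} file rather than an image or web page")
    if target_exts and target_exts[-1] == ".url":
        findings.append("shortcut points at another .url file (nested shortcut, the MotW-bypass pattern)")
    return findings


def zone_of(zone_identifier_text):
    """Interpret the contents of a file's Zone.Identifier stream; (None, ...) means no MotW at all.

    On Windows the stream is read from open(path + ':Zone.Identifier'); it is passed in here as text
    so the function runs on any platform.
    """
    if not zone_identifier_text:
        return (None, "no Mark of the Web")
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    try:
        parser.read_string(zone_identifier_text)
    except configparser.Error:
        return (None, "unparseable Zone.Identifier")
    zone_id = parser.get("ZoneTransfer", "ZoneId", fallback=None)
    if zone_id is None:
        return (None, "no Mark of the Web")
    return (zone_id.strip(), ZONE_NAMES.get(zone_id.strip(), "unknown zone"))


# Constructed samples (not real files from the campaign).
BENIGN_SHORTCUT = "[InternetShortcut]\r\nURL=https://example.com/docs/chart.png\r\nIconIndex=0\r\n"
NESTED_SHORTCUT = "[InternetShortcut]\r\nURL=file://203.0.113.10@80/share/2.url\r\nIDList=\r\nHotKey=0\r\n"
SEARCH_SHORTCUT = "[InternetShortcut]\r\nURL=search:query=chart\r\n"
INTERNET_ZONE = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.com/\r\n"

if __name__ == "__main__":
    for name, body in [("chart.url", BENIGN_SHORTCUT), ("photo_2023-12-29.jpg.url", NESTED_SHORTCUT),
                       ("chart.url", SEARCH_SHORTCUT)]:
        print(name, "->", analyse_shortcut(name, body) or "nothing notable")
    print("Zone.Identifier says:", zone_of(INTERNET_ZONE), "/ missing stream:", zone_of(""))
```

In practice the findings would be raised from a mail gateway or endpoint sensor on every .url attachment or download, and a file that scores on the nested-shortcut or remote-share checks while carrying no Mark of the Web is exactly the combination this campaign relied on.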


Once the exploitation and infection chain is complete, the campaign's ultimate objective is to stealthily deliver DarkMe, a Visual Basic trojan, while showing the victim the stock chart in order to keep up the ruse.

In addition to registering with a command-and-control (C2) server and gathering information from the compromised system, DarkMe has the ability to download and execute additional commands.

The development comes at a time when nation-state hacking groups are incorporating zero-days discovered by cybercrime groups into their attack chains to launch sophisticated attacks.

According to the researchers, "Water Hydra has the technical expertise and resources to identify and take advantage of zero-day vulnerabilities in sophisticated campaigns, using highly destructive malware like DarkMe."
