An advanced persistent threat actor called Water Hydra (also known as DarkCasino) has taken advantage of a recently discovered security flaw in Microsoft Defender SmartScreen to target financial market traders.
The campaign, which Trend Micro started monitoring in late December 2023, involves the use of the Internet Shortcut Files (.URL) security bypass vulnerability CVE-2024-2112.
The cybersecurity company claimed in a report released on Tuesday that the threat actor used CVE-2024-2112 in this attack chain to get around Microsoft Defender SmartScreen and infect victims with the DarkMe malware.
Microsoft, which fixed the flaw in its February Patch Tuesday update, said an unauthenticated attacker could exploit it by sending the targeted user a specially crafted file designed to bypass the security checks that are normally displayed.
Successful exploitation, however, depends on the threat actor’s ability to persuade the victim to view the attacker-controlled content by clicking the file link.
The infection process described by Trend Micro uses CVE-2024-2112 to drop a malicious installer file (7z.msi) when the victim clicks a booby-trapped URL (fxbulls[.]ru) distributed via forex trading forums under the guise of sharing a stock chart image that is actually an internet shortcut file (photo_2023-12-29.jpg.url).
"The landing page on fxbulls[.]ru contains a link to a malicious WebDAV share with a filtered view," security researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun said.
When users click on this link, they are prompted to open it in Windows Explorer. Because this is not a security prompt, the user might not suspect that the link is malicious.
This is made possible by the threat actor's abuse of the search: application protocol, which is used to launch the desktop search application on Windows and has previously been abused to deliver malware.
The rogue internet shortcut file, for its part, points to another web shortcut hosted on a remote server (2.url), which in turn points to a CMD shell script (a2.cmd) contained in a ZIP archive hosted on the same server.
The reason for this unusual indirection is that simply calling one shortcut from within another was enough to evade SmartScreen, which failed to properly apply Mark of the Web (MotW), a crucial Windows feature that warns users when opening or running files from an untrusted source.
The campaign's ultimate objective is to stealthily deliver DarkMe, a Visual Basic trojan, to the victim while displaying the stock chart to them, keeping up the ruse once the exploitation and infection chain is complete.
In addition to registering with a command-and-control (C2) server and gathering information from the compromised system, DarkMe has the ability to download and execute additional instructions.
The development comes at a time when nation-state hacking groups are incorporating zero-days discovered by cybercrime groups into their attack chains to launch sophisticated attacks.
"Water Hydra has the technical expertise and resources to identify and take advantage of zero-day vulnerabilities in sophisticated campaigns, using highly destructive malware like DarkMe," the researchers said.