February 14, 2024 at 07:29AM
The APT group Water Hydra (also tracked as DarkCasino) has been exploiting CVE-2024-21412, an Internet Shortcut Files security feature bypass in Microsoft Defender SmartScreen, in campaigns targeting financial market traders. The vulnerability was discovered and disclosed by the Trend Micro Zero Day Initiative, and Microsoft patched it in its February 2024 Patch Tuesday release. The lure is an Internet Shortcut (.url) file whose target is a second .url file hosted on an attacker-controlled WebDAV share; opening the nested shortcut sidesteps the SmartScreen check that would normally warn about a file downloaded from the internet, and the chain ends with the DarkMe remote access trojan on the victim's machine.

Water Hydra has shown considerable technical skill. Active since at least 2021, it targets the financial industry worldwide, including banks, cryptocurrency platforms, forex and stock trading platforms, gambling sites, and casinos, and it has a track record of working previously undisclosed zero-day vulnerabilities into its attack chains. The same tools, tactics, and procedures recur across its campaigns, and the group has exploited other vulnerabilities before, notably the WinRAR code execution flaw CVE-2023-38831.

The report provides a detailed analysis of the attack chain and of the tactics, techniques, and procedures used by Water Hydra, as well as an analysis of the DarkMe malware, including its functionality and its communication with the command-and-control server. It closes with indicators of compromise and the Trend Micro protections and rules that cover the zero-day and DarkMe. Trend Micro encourages organizations to protect themselves with Trend Vision One™️, which provides prevention, detection, and response capabilities, and with its other security solutions that detect, scan, and block malicious content across the modern threat landscape.
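As a practical check, the following is an added example, not code from the report or from Trend Micro, for triaging Internet Shortcut (.url) files that arrive by mail or chat. It parses the INI-style body of a .url file and flags the pattern the CVE-2024-21412 chain relies on: a shortcut whose target is a file on a remote share (a UNC or file:// path, typically addressed as WebDAV) and, in particular, another .url shortcut, which is the nesting that let the SmartScreen check be skipped. The sample shortcuts, the extension list and the WebDAV hints are constructed for this example; the host 203.0.113.10 is a documentation address, not an indicator from the report.

```python
"""Triage Internet Shortcut (.url) files for the remote-share / nested-shortcut
pattern used in the CVE-2024-21412 chain. Added example; the samples at the
bottom are constructed, not indicators from the Trend Micro report."""
import configparser
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Target types that should not sit behind a shortcut a user received from the
# internet; .url is listed because one shortcut chaining to another is the
# tell-tale of the CVE-2024-21412 bypass. Heuristic list chosen for this example.
SUSPECT_EXTENSIONS = {".url", ".lnk", ".exe", ".cmd", ".bat", ".msi",
                      ".vbs", ".js", ".hta", ".scr"}

# \\host\share\...  (UNC); the host part may carry WebDAV markers (@80, @SSL@443)
UNC = re.compile(r"^\\\\([^\\]+)\\")
# WebDAV-style addressing: host@80, host@SSL, host@SSL@443 or a DavWWWRoot path
WEBDAV_HINT = re.compile(r"@(?:SSL|\d{1,5})(?=[\\/@]|$)|davwwwroot", re.IGNORECASE)


@dataclass
class Finding:
    target: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_url_file(text: str) -> dict:
    """Return the keys of the [InternetShortcut] section of a .url file body.
    A body configparser cannot read yields {}; that means 'unparsed', not 'clean'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case: URL, IconFile, WorkingDirectory
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return dict(cp[section])
    return {}


def remote_host(target: str):
    """Host a target points at when the shell would open it over SMB/WebDAV, else None.
    Ordinary http(s) links are handed to the browser and are not reported here."""
    m = UNC.match(target)
    if m:
        host = m.group(1)
    else:
        p = urlparse(target)
        if p.scheme.lower() != "file" or not p.netloc:
            return None
        host = p.netloc
    host = host.split("@")[0]  # drop WebDAV port/SSL markers such as @80 or @SSL@443
    return None if host.lower() == "localhost" else host


def target_extension(target: str) -> str:
    """Lower-cased extension of the last path component ('' if none)."""
    path = target.split("?", 1)[0].split("#", 1)[0].rstrip("\\/")
    name = re.split(r"[\\/]", path)[-1]
    return ("." + name.rsplit(".", 1)[1]).lower() if "." in name else ""


def assess(text: str) -> Finding:
    """Explain why a .url body looks like a remote-share / chained shortcut."""
    keys = parse_url_file(text)
    target = keys.get("URL", "").strip()
    finding = Finding(target=target)
    if not target:
        return finding  # nothing for the shell to open
    host = remote_host(target)
    if host:
        finding.reasons.append(f"opens a file on a remote share ({host})")
        if WEBDAV_HINT.search(target):
            finding.reasons.append("share is addressed as WebDAV")
        ext = target_extension(target)
        if ext == ".url":
            finding.reasons.append("target is another .url shortcut (chained shortcut)")
        elif ext in SUSPECT_EXTENSIONS:
            finding.reasons.append(f"target is a {ext} file")
    for key in ("IconFile", "WorkingDirectory"):
        if remote_host(keys.get(key, "")):
            finding.reasons.append(f"{key} points at a remote share")
    return finding


# Constructed samples (documentation address 203.0.113.10, not an IOC).
BENIGN = r"""[InternetShortcut]
URL=https://www.example.com/markets/overview
IconIndex=0
"""

CHAINED_WEBDAV = r"""[InternetShortcut]
URL=file://203.0.113.10@80/DavWWWRoot/stock-chart.url
ShowCommand=7
IconIndex=13
IconFile=C:\Windows\System32\SHELL32.dll
"""

CHAINED_UNC = r"""[InternetShortcut]
URL=\\203.0.113.10@SSL@443\DavWWWRoot\stock-chart.url
"""

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("webdav", CHAINED_WEBDAV), ("unc", CHAINED_UNC)]:
        f = assess(body)
        print(f"{name}: {'SUSPICIOUS' if f.suspicious else 'ok'} -> {f.target}")
        for reason in f.reasons:
            print("   -", reason)
```

Run it over the .url files in a mail quarantine or in user download folders; anything flagged deserves a look at what the second-stage shortcut on the share points to. Plain http(s) links are deliberately left to the browser, since SmartScreen and Mark-of-the-Web handle those downloads; the point of the check is the file:// and UNC targets that Explorer opens directly.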
The report itself is organised around CVE-2024-21412 (tracked by the Zero Day Initiative as ZDI-CAN-23100) and Water Hydra's use of it against financial market traders. It covers the discovery and disclosure of the vulnerability by the Trend Micro Zero Day Initiative, the lures and delivery techniques the group employed, and a step-by-step analysis of the infection chain, including how each vulnerability in the chain is exploited.
It then turns to attribution: Water Hydra's attack patterns and technical sophistication, how its attack chains have evolved, and what its campaigns suggest about broader trends in zero-day exploitation. The DarkMe malware is analysed in terms of its three roles (downloader, loader, and RAT), followed by recommendations for organisations on defending against such attacks and a description of the detection and protection mechanisms available in Trend Micro products.
The report closes by acknowledging the security researchers who contributed and collaborated, and by summarising the measures Trend Micro and Microsoft took to address the vulnerabilities, including the protections and indicators of compromise released so that defenders can guard against further attacks.
In short, the report is an in-depth account of the Water Hydra campaign, of the Zero Day Initiative's work to get the vulnerability fixed, and of the protections Trend Micro now provides.