DarkMe Malware Targets Traders Using Microsoft SmartScreen Zero-Day Vulnerability

February 14, 2024 at 02:39AM

A zero-day exploit in Microsoft Defender SmartScreen, leveraged by the threat actor Water Hydra (aka DarkCasino), targets financial market traders. The attacker exploits CVE-2024-21412 by convincing victims to click a booby-trapped URL, which bypasses SmartScreen's security checks. The end goal is to deliver the DarkMe trojan, which can execute additional instructions and connect to a command-and-control server.

Key takeaways:

– A newly discovered zero-day exploit in Microsoft Defender SmartScreen has been utilized by an advanced persistent threat actor named Water Hydra (also known as DarkCasino) to target financial market traders.
– The exploit uses CVE-2024-21412, a security bypass vulnerability in the handling of Internet Shortcut Files (.URL).
– The attack chain leverages this vulnerability to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe malware.
– Microsoft has released an update addressing the flaw in its February Patch Tuesday update, but successful exploitation still depends on convincing the victim to click on a specially crafted file link.
– Infection begins when the victim clicks a booby-trapped URL (“fxbulls[.]ru”) distributed via forex trading forums, which drops a malicious installer file (“7z.msi”).
– The landing page on fxbulls[.]ru contains a link to a malicious WebDAV share, using a trick that abuses the search: application protocol.
– The end goal of the campaign is to deliver a Visual Basic trojan known as DarkMe, which can download and execute additional instructions, register itself with a command-and-control (C2) server, and gather information from compromised systems.
– The discovery represents a trend where zero-day vulnerabilities found by cybercrime groups are incorporated into attack chains deployed by nation-state hacking groups for sophisticated attacks.
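The takeaways above describe the lure as an Internet Shortcut (.URL) whose target is a search: handler or a remote WebDAV share. A defender can triage such files by reading the `URL=` field and classifying where it points. The script below is an added example written for this summary; it is not code from the article, Trend Micro or Microsoft. The .URL bodies in `SAMPLES` are constructed, the set of schemes treated as suspicious (`search`, `search-ms`) and the hostname allow-list are assumptions, and the script only inspects the shortcut's target; it does not reproduce the SmartScreen bypass, which the article does not detail.

```python
"""Classify Internet Shortcut (.URL) targets for triage (added example, not from the article)."""
import configparser
from urllib.parse import urlparse

# Assumption: protocol handlers a .URL lure would not normally use.
SUSPICIOUS_SCHEMES = {"search", "search-ms"}
# Assumption: hosts considered local; anything else in a file:// or UNC target is remote.
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}

# Constructed sample .URL file bodies; the hostnames are placeholders, not real IoCs.
SAMPLES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://www.example.com/\r\n",
    "webdav.url": "[InternetShortcut]\r\nURL=file://example.invalid/davshare/7z.msi\r\n",
    "search.url": "[InternetShortcut]\r\nURL=search:query=7z.msi\r\n",
    "unc.url": "[InternetShortcut]\r\nURL=\\\\example.invalid\\davshare\\7z.msi\r\n",
    "broken.url": "URL=https://www.example.com/\r\n",  # no section header
}


def shortcut_target(text):
    """Return the URL= value of a .URL file body, or None if it cannot be parsed."""
    # .URL files are INI-style; use '=' only so ':' inside the target is not a delimiter.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def classify(target):
    """Map a shortcut target to a coarse verdict a SOC analyst can pivot on."""
    if target.startswith("\\\\"):
        return "remote-unc"  # bare UNC path: SMB or WebDAV share
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme in SUSPICIOUS_SCHEMES:
        return "search-protocol"  # search: handler, as in the campaign described above
    if scheme == "file":
        host = (parsed.hostname or "").lower()
        # file://host/share resolves to \\host\share, i.e. a remote SMB/WebDAV location.
        return "remote-unc" if host not in LOCAL_HOSTS else "local-file"
    if scheme in ("http", "https"):
        return "web"
    return "other"


def scan(samples):
    """Return {filename: verdict} for a mapping of filename -> .URL body."""
    verdicts = {}
    for name, body in samples.items():
        target = shortcut_target(body)
        verdicts[name] = "unparseable" if target is None else classify(target)
    return verdicts


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:12s} {verdict}")
```

Shortcuts that classify as `search-protocol` or `remote-unc` are the ones worth pulling for closer analysis; a plain `web` target is what a legitimate Internet Shortcut normally carries.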

