An APT group has been exploiting a Microsoft zero-day vulnerability in attacks in order to bypass Microsoft Defender SmartScreen and infect financial market trader companies with the DarkMe malware.
Researchers with Trend Micro’s Zero Day Initiative said that the known APT group, called Water Hydra, was leveraging the flaw (CVE-2024-21412) in order to bypass Defender SmartScreen, Microsoft’s feature in Windows 10 and 11 that is aimed at preventing phishing and malware attacks. The attack was first found by the researchers in late December, and Microsoft on Tuesday disclosed the important-severity flaw and issued a fix as part of its regularly scheduled Patch Tuesday updates.
“Threat actors are constantly finding new ways of identifying and exploiting gaps to bypass security measures,” said Trend Micro researchers on Tuesday. “We found that the bypass of CVE-2023-36025 (a previously patched SmartScreen vulnerability) led to the discovery and exploitation of CVE-2024-21412. This highlights how threat actors can circumvent patches by identifying new vectors of attack around a patched software component.”
Water Hydra was first discovered in 2021 and has previously launched attacks against banks, cryptocurrency platforms, gambling sites and casinos, and stock trading platforms. The group has previously used undisclosed vulnerabilities - including the WinRAR code execution flaw (CVE-2023-38831) - as part of its attack chain to target the financial industry.
The Attack
Researchers observed the group leveraging the Microsoft flaw as part of what they called a streamlined infection process since late January. The attack started with the group launching spear-phishing attacks in forex trading forums and stock trading Telegram channels in order to target potential traders with the DarkMe malware. The group would post messages with links, which pretended to ask for trading advice or share financial tools.
These posts instead linked back to a landing page hosted on a compromised Russian language forex, stock, and cryptocurrency news site, which served a second link to a JPEG file.
“In Water Hydra’s case, the group used internet shortcuts disguised as a JPEG image that, when selected by the user, allows the threat actor to exploit CVE-2024-21412,” said researchers. “The group can then bypass Microsoft Defender SmartScreen and fully compromise the Windows host as part of its attack chain.”
The DarkMe malware allowed the APT to gather information on the victim companies and establish a command-and-control (C2) connection for further malicious activity.
Microsoft Flaws
Microsoft in its regularly scheduled updates on Tuesday released over 70 fixes for other vulnerabilities, including a second actively exploited bypass bug in Windows SmartScreen Security (CVE-2024-21351). Microsoft said an attacker that successfully exploited this flaw could bypass the SmartScreen user experience, but that an authorized attacker would need to first send targets a malicious file and convince them to open it.
Overall, researchers said CISOs can strategically position themselves to prepare for zero-day vulnerabilities like this one by implementing vulnerability management procedures into their security programs - as well as threat intelligence and incident response processes - to better identify and prioritize flaws.
“Given the potential impact of a successful zero-day vulnerability exploitation, it is important that chief information security officers (CISOs) and other decision-makers are able to adopt a multilayered approach to prepare for and address the risks of zero-day vulnerabilities,” said researchers.