Cybercriminals have recently unleashed a sophisticated attack targeting financial traders, exploiting a zero-day vulnerability in Microsoft Defender SmartScreen. This vulnerability, identified as CVE-2024-21412, has been utilized by the DarkMe malware, orchestrated by an advanced persistent threat actor known as Water Hydra or DarkCasino.
The Zero-Day Vulnerability in Microsoft SmartScreen
CVE-2024-21412 serves as the entry point through which the DarkMe malware reaches the systems of financial market traders. Trend Micro, a prominent cybersecurity firm, began tracking this campaign in late December 2023 and found it exploiting this security-bypass flaw in the handling of Internet Shortcut files (.URL).
In the observed attack chain, threat actors leverage CVE-2024-21412 to circumvent Microsoft Defender SmartScreen, ultimately infecting victims with the DarkMe malware. Microsoft addressed this flaw in its February Patch Tuesday update, noting that an unauthenticated attacker could exploit the vulnerability by enticing a targeted user to click on a specially crafted file link, thereby bypassing the security checks that would normally be displayed.
Analysis of the DarkMe Malware
The DarkMe malware employs a sophisticated infection chain to achieve its malicious objectives. Initially distributed via forex trading forums, the attack disguises itself under the pretext of sharing a link to a stock chart image. However, the link actually leads to an internet shortcut file (“photo_2023-12-29.jpg.url”) hosted on a rogue domain (“fxbulls[.]ru”).
The DarkMe campaign exploits the “search:” application protocol in Windows Explorer, deceiving users into opening a specially crafted link that triggers the execution of a CMD shell script contained within a ZIP archive. By nesting internet shortcut files within one another, the attackers evade Microsoft Defender SmartScreen’s checks and ultimately deploy the DarkMe trojan in the background.
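As an added detection example (not code from the Trend Micro report or from the campaign), the following Python script parses an Internet Shortcut (.url) file and flags the traits described above: a double extension that hides .url behind an image name, a target that is itself another .url file (nesting), and use of the search: protocol against a remote location. The file names, hosts and shortcut bodies are constructed for illustration and are not the campaign’s indicators.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed samples (assumed values, not from the campaign) modelled on the lure
# described above: a double-extension name, a shortcut whose target is another
# .url file, and a shortcut that invokes the search: protocol against a UNC path.
NESTED_NAME = "photo_2023-12-29.jpg.url"
NESTED_BODY = "[InternetShortcut]\nURL=file://example.invalid/share/2.url\nIconIndex=0\n"
SEARCH_BODY = "[InternetShortcut]\nURL=search:query=photo&crumb=location:\\\\example.invalid\\share\n"

def parse_internet_shortcut(text):
    """Return the URL= target of an Internet Shortcut (.url) file, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)  # .url files use INI syntax
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)

def shortcut_findings(name, text):
    """Return the reasons a .url file looks like a SmartScreen-bypass lure."""
    findings = []
    if re.search(r"\.(jpe?g|png|gif|pdf|docx?|xlsx?)\.url$", name, re.IGNORECASE):
        findings.append("double extension hides .url behind an image/document name")
    url = parse_internet_shortcut(text)
    if url is None:
        return findings
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme == "file" and parsed.netloc:
        findings.append(f"file: target on remote host {parsed.netloc}")
    if parsed.path.lower().endswith(".url"):
        findings.append("target is itself a .url file (nested shortcut)")
    if scheme in ("search", "search-ms"):
        # Explorer search URIs carry the folder to display in crumb=location:
        loc = re.search(r"location:([^&]+)", url, re.IGNORECASE)
        where = loc.group(1) if loc else "(unspecified)"
        findings.append(f"{scheme}: protocol opens an Explorer view of {where}")
    return findings

if __name__ == "__main__":
    for name, body in ((NESTED_NAME, NESTED_BODY), ("chart.url", SEARCH_BODY)):
        for finding in shortcut_findings(name, body):
            print(f"{name}: {finding}")
```

Run over a mail or web-proxy quarantine of .url attachments, any file producing a nested-shortcut or search: finding warrants a closer look regardless of whether the SmartScreen patch is installed.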
Impact of the Attack
The repercussions of this attack are severe, particularly for financial traders who fall victim to the DarkMe malware. The initial access granted through a customized Windows Explorer window lures users into a false sense of security, leading them to unknowingly execute malicious scripts.
By exploiting CVE-2024-21412, the attackers successfully bypass Microsoft Defender SmartScreen, allowing the DarkMe malware to execute undetected. Once activated, DarkMe establishes communication with a command-and-control server, facilitating the download and execution of additional instructions while harvesting sensitive information from compromised systems.