Windows Defender Zero-Day Exploited to Deliver DarkMe RAT: Microsoft Issues Patch
February 13, 2024
Microsoft has addressed a zero-day vulnerability in its Windows Defender SmartScreen that was being exploited by a threat group, referred to as Water Hydra and DarkCasino, to distribute the DarkMe remote access trojan (RAT). The zero-day, identified as CVE-2024-21412, was detected being used in attacks on New Year's Eve by Trend Micro's security researchers.
Microsoft, in its security advisory, stated, 'An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks.' However, the attacker would need to convince the user to take action by clicking on the file link, as there was no way for the attacker to force the user to view the attacker-controlled content.
The zero-day flaw CVE-2024-21412 is a bypass of the fix for an earlier Defender SmartScreen vulnerability (CVE-2023-36025), which was patched in November 2023. That earlier vulnerability was likewise exploited to bypass Windows security prompts when opening URL files, in that case to deploy the Phemedrone info-stealer malware.
The recently patched zero-day was used in attacks against 'foreign exchange traders participating in the high-stakes currency trading market,' potentially aiming at data theft or future ransomware deployment.
In December 2023, Trend Micro started tracking a campaign by the Water Hydra group that involved similar tactics, techniques, and procedures (TTPs). The group was abusing internet shortcut (.URL) files together with Web-based Distributed Authoring and Versioning (WebDAV) components.
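The abuse of .URL shortcut files described above gives defenders a simple artefact to triage: an internet shortcut is an INI-style text file with an [InternetShortcut] section, and a shortcut whose URL= target is a remote file share (a UNC path or a file:// URL with a non-local host) is a poor fit for a "stock chart" a user expects to open. The script below is an added example for this article, not code from Trend Micro or Microsoft; the sample shortcut contents are constructed, the host names are placeholders, and the heuristic (flag remote file targets, accept http/https/mailto, flag everything else) is an assumption about what a triage rule should look like rather than a description of the campaign's files.

```python
"""Triage Internet Shortcut (.URL) files whose target is a remote file share.

Added example for illustration; sample shortcut contents are constructed.
"""
import configparser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample .URL contents. A real scan would read these from the
# user's Downloads or mail attachment directory instead.
SAMPLE_SHORTCUTS: Dict[str, str] = {
    "quarterly-chart.url": (
        "[InternetShortcut]\n"
        "URL=file://remote-share.invalid/DavWWWRoot/charts/chart.pdf\n"
        "IconIndex=0\n"
    ),
    "unc-style.url": "[InternetShortcut]\nURL=\\\\remote-share.invalid\\files\\tool.exe\n",
    "intranet-docs.url": "[InternetShortcut]\nURL=https://docs.example.internal/handbook\n",
    "local-file.url": "[InternetShortcut]\nURL=file:///C:/Users/Public/readme.txt\n",
    "broken.url": "URL=https://no-section.example\n",
}

# Hosts that mean "this machine" in a file:// URL.
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


def parse_shortcut(text: str) -> Optional[str]:
    """Return the URL= value of an [InternetShortcut] file, or None if malformed."""
    # strict=False tolerates duplicated keys; interpolation=None keeps '%' literal.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:  # includes a missing section header
        return None
    if not parser.has_section("InternetShortcut"):
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)


def classify_target(url: str) -> Tuple[bool, str]:
    """Return (is_remote_file_target, reason) for a shortcut's URL= value."""
    target = url.strip()
    if target.startswith("\\\\"):  # UNC path: \\host\share\...
        host = target[2:].split("\\", 1)[0]
        host = host.split("@", 1)[0]  # drop a Windows WebDAV @SSL/@port suffix
        return True, f"UNC path to host {host!r}"
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme == "file":
        host = (parsed.hostname or "").lower()
        if host in LOCAL_HOSTS:
            return False, "file:// URL on the local machine"
        return True, f"file:// URL to remote host {host!r}"
    if scheme in ("http", "https", "mailto"):
        return False, f"{scheme} URL"
    # Anything else (no scheme, custom handlers) is worth a closer look.
    return True, f"unusual scheme {parsed.scheme!r}"


def scan_shortcuts(shortcuts: Dict[str, str]) -> List[Dict[str, str]]:
    """Classify each shortcut as benign, suspicious, or malformed."""
    findings: List[Dict[str, str]] = []
    for name, text in shortcuts.items():
        url = parse_shortcut(text)
        if url is None:
            findings.append({"file": name, "url": "", "verdict": "malformed",
                             "reason": "no [InternetShortcut] URL entry"})
            continue
        remote, reason = classify_target(url)
        findings.append({"file": name, "url": url,
                         "verdict": "suspicious" if remote else "benign",
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in scan_shortcuts(SAMPLE_SHORTCUTS):
        print(f"{finding['verdict']:<10} {finding['file']:<22} {finding['reason']}")
```

The rule deliberately treats every remote file target as suspicious rather than trying to recognise a specific payload: the property that made the SmartScreen bypass useful to the attackers was that the shortcut pointed somewhere the user's machine would fetch a file from, so that is the property to alert on, and a finance team that never legitimately receives .URL attachments can reasonably quarantine them outright.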
The Water Hydra group used CVE-2024-21412 to target forex trading forums and stock trading Telegram channels in spearphishing attacks. They pushed a malicious stock chart linking to a compromised trading information site from Russia (fxbulls[.]ru) impersonating a forex broker platform (fxbulls[.]com). The aim was to trick traders into installing the DarkMe malware via social engineering.
The Water Hydra hackers have a history of exploiting other zero-day vulnerabilities. They previously used a high-severity vulnerability (CVE-2023-38831) in the WinRAR software, compromising trading accounts several months before a patch was available. This vulnerability was later linked to multiple government-backed hacking groups, including the Sandworm, APT28, APT40, DarkPink (NSFOCUS), and Konni (Knownsec) threat groups from Russia, China, and North Korea.