Windows Defender Zero-Day Exploited to Deliver DarkMe RAT: Microsoft Issues Patch

February 13, 2024

Microsoft has patched a zero-day vulnerability in Windows Defender SmartScreen that was being exploited by a threat group tracked as Water Hydra (also known as DarkCasino) to distribute the DarkMe remote access trojan (RAT). The flaw, tracked as CVE-2024-21412, was spotted being exploited in attacks on New Year's Eve by Trend Micro's security researchers.

Microsoft, in its security advisory, stated, 'An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks.' Exploitation still requires user interaction: the attacker has to convince the target to open the file link, since there is no way to force the user to view attacker-controlled content. The bug is a security-feature bypass, not a remote code execution flaw on its own; its value lies in suppressing the warning that would otherwise stand between the user and the payload.

CVE-2024-21412 is itself a bypass of the fix for an earlier Defender SmartScreen vulnerability, CVE-2023-36025, which Microsoft patched in November 2023. That earlier flaw was likewise exploited to suppress Windows security prompts when opening internet shortcut (.URL) files, in that case to deploy the Phemedrone information stealer.

The newly patched zero-day was used in attacks against 'foreign exchange traders participating in the high-stakes currency trading market', with the likely goals of data theft or a later ransomware deployment.

In December 2023, Trend Micro began tracking a Water Hydra campaign that used similar tools, tactics, techniques, and procedures (TTPs). The group was abusing Windows internet shortcut (.URL) files together with Web-based Distributed Authoring and Versioning (WebDAV) shares, so that the shortcut a victim opened pointed off-host to attacker-controlled content.
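The combination of .URL files and WebDAV shares is something a defender can triage directly from file content, before any SmartScreen decision is made. The following is an added example, not code from the original article or from Trend Micro or Microsoft: it parses the INI-style body of an internet shortcut, normalises the target, and flags shortcuts whose target is a remote SMB or WebDAV path, another .url file, or an executable. The sample files, hosts (RFC 5737 documentation addresses), and the heuristics themselves are constructed for illustration and are not indicators from the campaign.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed sample internet shortcut (.URL) files. These are INI-style
# text; all hosts are RFC 5737 documentation addresses, not real IoCs.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://example.com/docs
"""

# Hypothetical: target is a nested .url on a WebDAV share reached through
# a UNC-style file:// URL (the .URL/WebDAV shape the article describes).
WEBDAV_URL_FILE = """[InternetShortcut]
URL=file://203.0.113.10@80/DavWWWRoot/chart/eurusd-chart.url
"""

# Hypothetical: UNC path written with backslashes, pointing at another .url.
SMB_URL_FILE = r"""[InternetShortcut]
URL=file://\\203.0.113.10\share\invoice.url
"""

# Hypothetical: bare UNC path to a WebDAV-over-TLS share hosting an executable.
EXE_URL_FILE = r"""[InternetShortcut]
URL=\\203.0.113.10@SSL\DavWWWRoot\update.exe
"""

REMOTE_SCHEMES = {"file", "unc", "smb"}
EXEC_EXT = (".exe", ".msi", ".dll", ".scr", ".lnk", ".js", ".jse",
            ".vbs", ".vbe", ".hta", ".cmd", ".bat", ".ps1")


def extract_target(contents: str) -> str:
    """Return the URL= value of the [InternetShortcut] section, or ''."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(contents)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return cp.get(section, "url", fallback="").strip()
    return ""


def split_target(target: str) -> tuple:
    """Normalise a shortcut target into (scheme, host, path).

    Backslashes are folded to '/', so UNC paths written with backslashes
    (with or without a file:// prefix) are handled alongside ordinary
    URLs. Local targets (drive letters, relative paths) return host == ''.
    """
    t = target.replace("\\", "/")
    unc = re.compile(r"^/+([^/]+)(/.*)?$")
    # A real scheme is at least two characters, so 'C:' is not treated as one.
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]+:", t):
        p = urlparse(t)
        scheme, host, path = p.scheme.lower(), p.netloc, p.path
        if scheme == "file" and not host and path.startswith("//"):
            m = unc.match(path)  # file:////host/share/x
            if m:
                host, path = m.group(1), m.group(2) or "/"
        return scheme, host, path
    if t.startswith("//"):  # bare UNC path
        m = unc.match(t)
        if m:
            return "unc", m.group(1), m.group(2) or "/"
    return "local", "", t


def assess(contents: str) -> dict:
    """Flag .URL content that points off-host at an SMB/WebDAV share,
    at another internet shortcut, or at an executable."""
    target = extract_target(contents)
    scheme, host, path = split_target(target)
    low_path = path.lower()
    findings = []
    if scheme in REMOTE_SCHEMES and host:
        findings.append("remote-file-target")
    # '@80', '@443' or '@SSL' in the host, or a DavWWWRoot path component,
    # is how the Windows WebDAV redirector is addressed from a UNC path.
    if re.search(r"@(80|443|ssl)$", host, re.I) or "davwwwroot" in low_path:
        findings.append("webdav-share")
    if low_path.endswith(".url"):
        findings.append("nested-internet-shortcut")
    if low_path.endswith(EXEC_EXT):
        findings.append("remote-executable-target" if host else "executable-target")
    return {"target": target, "scheme": scheme, "host": host,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    samples = [("benign", BENIGN_URL_FILE), ("webdav", WEBDAV_URL_FILE),
               ("smb", SMB_URL_FILE), ("exe", EXE_URL_FILE)]
    for name, body in samples:
        r = assess(body)
        print(f"{name:7} suspicious={r['suspicious']} findings={r['findings']}")
```

This is a content heuristic for mail-gateway or triage use and says nothing about whether a given file carries the Mark of the Web; SmartScreen keys on the Zone.Identifier alternate data stream, and that check has to be done on the Windows host itself. A shortcut whose target is a second .url on a remote share is the pattern worth escalating, because the nested hop is exactly where the displayed security check was being bypassed.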

Water Hydra used CVE-2024-21412 in spearphishing attacks against forex trading forums and stock trading Telegram channels. The lure was a malicious stock chart linking to a compromised Russian trading information site (fxbulls[.]ru) that impersonates a forex broker platform (fxbulls[.]com); the aim was to socially engineer traders into installing the DarkMe malware.

Water Hydra has a history of exploiting zero-day vulnerabilities. It previously used a high-severity WinRAR vulnerability (CVE-2023-38831) to compromise trading accounts for several months before a patch was available. That flaw was later also linked to multiple government-backed groups, including Sandworm, APT28, APT40, DarkPink (NSFOCUS), and Konni (Knownsec), operating out of Russia, China, and North Korea.
