A newly disclosed security flaw in Microsoft Defender SmartScreen has been exploited as a zero-day by an advanced persistent threat actor called Water Hydra (aka DarkCasino) targeting financial market traders.
Trend Micro, which began tracking the campaign in late December 2023, said it entails the exploitation of CVE-2024-21412, a security bypass vulnerability related to Internet Shortcut Files (.URL).
Microsoft, which addressed the flaw in its February Patch Tuesday update, said an unauthenticated attacker could exploit the flaw by sending the targeted user a specially crafted file in order to bypass displayed security checks.
The infection chain documented by Trend Micro weaponizes CVE-2024-21412 to drop a malicious installer file (“7z.msi”) once the victim clicks a booby-trapped URL (“fxbulls[.]ru”). The link is distributed via forex trading forums under the pretext of sharing a stock chart image but in reality points to an internet shortcut file (“photo_2023-12-29.jpg.url”).
The clever trick that makes this possible is the threat actor’s abuse of the search: application protocol, which is used to invoke the Windows desktop search application and has been abused in the past to deliver malware.
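As an added example (not from the article or from Trend Micro's report), a small Python triage routine a defender could run over quarantined Internet Shortcut files: it parses the INI-style .url format, flags targets that use the search: or search-ms: handler instead of a web scheme, and flags decoy double extensions such as the “.jpg.url” lure described above. The sample file contents and names below are constructed for illustration.

```python
import configparser
from pathlib import PurePath

# Schemes that hand the target to Windows Search rather than to a browser.
SEARCH_SCHEMES = {"search", "search-ms"}
# Extensions a lure borrows so that "photo.jpg.url" reads as an image or document.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def shortcut_target(text: str):
    """Return the URL= value of an Internet Shortcut (.url) file, or None.

    .url files are INI-style; interpolation is disabled because targets
    routinely contain percent-encoded characters.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)


def triage(filename: str, text: str):
    """Return a list of findings for one .url file (empty list means nothing flagged)."""
    findings = []
    target = shortcut_target(text)
    if target:
        scheme = target.split(":", 1)[0].strip().lower()
        if scheme in SEARCH_SCHEMES:
            findings.append("search-protocol-target")
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] == ".url" and suffixes[-2] in DECOY_EXTENSIONS:
        findings.append("double-extension")
    return findings


# Constructed samples; these are not the campaign's actual files.
BENIGN_SAMPLE = "[InternetShortcut]\nURL=https://example.invalid/chart.png\n"
SUSPECT_SAMPLE = "[InternetShortcut]\nURL=search:query=constructed-sample\n"

if __name__ == "__main__":
    for name, body in (("chart.url", BENIGN_SAMPLE), ("photo_2023-12-29.jpg.url", SUSPECT_SAMPLE)):
        print(name, triage(name, body))
```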
DarkMe can download and execute additional instructions, register itself with a command-and-control (C2) server, and gather information from the compromised system.
The development comes amid a new trend where zero-days found by cybercrime groups end up getting incorporated into attack chains deployed by nation-state hacking groups to launch sophisticated attacks.
Source: https://thehackernews.com/